Privacy in spotlight as European rules take force
Two milestones are about to be reached regulating the use of personal information - submissions on New Zealand's new Privacy Bill are closing and Europe's new data regulations come into force today [Friday May 25], Tim Murphy reports.
New protections on the use of personal information taking effect in Europe from tonight (NZT) have implications for New Zealand businesses offering goods and services to people across the EU, or monitoring their online behaviour.
The General Data Protection Regulation (GDPR) agreed by the EU two years ago and now in operation directly binds its member governments and has an expanded territorial scope which includes companies in this country and elsewhere.
As the European measures come into force, submissions on the new Privacy Bill introduced in March by the Labour-led coalition are closing and the Justice select committee will soon begin deliberating on its suite of changes which update the 25 year-old Privacy Act.
The twin milestones are described by Laura Littlewood, a technology partner at law firm Bell Gully, as "a momentous week for privacy law". The two packages are distinct, but there are links that make the consideration of the Privacy Bill important in light of the GDPR.
New Zealand has been accorded 'adequacy' by the Europeans under the GDPR for our existing Privacy Act and practices. It will be important, says Littlewood, that any revised legislation maintains that adequacy status, which is strongly valued by clients. "Not just for the very practical reason of the free flow of data but a message that New Zealand does have strong legal requirements in place."
New Zealand was one of only a small number of jurisdictions given adequacy. Australia, which has also updated its privacy law recently, is not among them, a fact "definitely seen by New Zealand businesses as a competitive advantage."
She says the GDPR has been "touted as the most important change in data privacy regulation in our generation" with two core ambitions:
* to create one coherent data protection framework across the EU, and
* to strengthen and protect the privacy rights of EU citizens even when their data is processed outside the EU
That means the "long arm" of the GDPR will now reach many New Zealand businesses.
While our Privacy Act was principle-based and technology neutral, the GDPR was highly prescriptive, setting out in detail what is and is not acceptable.
The European and New Zealand laws are "parallel regimes that New Zealand businesses will have to comply with."
Littlewood says the Europeans will review our Privacy Bill and the Privacy Commissioner will report on it to its authorities.
Her view is the Privacy Bill as introduced does not dilute this country's protections but strengthens consumer rights.
New Zealand businesses are "willing compliers" with privacy protection regulation.
A total of 145 submissions were received by the Justice select committee by the deadline Thursday, with 14 further submitters given extensions until next week.
Littlewood says the most significant change is the introduction of a mandatory breach notification regime.
This would mean organisations must notify the office of the Privacy Commissioner, and affected individuals, if there is a breach of data security that poses a risk of harm to those whose information is affected.
"Under the Bill as proposed there is quite a low threshold for when the breach notification would be required," she says.
It is likely this would be one aspect raised in submissions on the Bill, as it is possible under such a system that over-reporting of issues could lead to "notification fatigue" and come to be seen as a form of spam.
There had been a strong international trend towards mandatory breach notifications and the debate had moved to the form of such systems and the thresholds for the types of breaches that must be notified.
"For some it is the number of individuals affected. For others there is a threshold of the seriousness of the harm, for example the types of facts, that is relevant for that assessment," Littlewood says.
"We would like to see an acknowledgment that where a breach has been contained and adequate steps have been taken to mitigate it, then a notification is not required."
Putting that concept into law could involve a two-step approach - a test in the statute and further guidance from the Privacy Commissioner via case studies showing best practices for businesses.
Littlewood says: "I think there are strong policy reasons for having a more considered privacy breach notification regime and I would expect this will be given careful scrutiny at the select committee stage."
A Law Commission review of the Privacy Act in 2011 recommended a higher breach notification threshold than that now in the Privacy Bill.
While the New Zealand legislation is principle-based and technology neutral, and has worked well, it would be important that any new law is sufficiently flexible to ensure there is no erosion of business models involving the delivery of services via software or the cloud.
It would also be a priority that any changes adopted at the select committee are considered in terms of maintaining New Zealand's adequacy status under the GDPR.
Littlewood says companies need to understand their obligations under the GDPR, if affected. Meeting its requirements "will satisfy most obligations under the Privacy Act."
In a note to clients, Bell Gully says: "The mere accessibility of your website or email address or other contact details to EU residents alone will not trigger the GDPR.
"Additional factors are required, that make it apparent you intend to offer goods and services to consumers in the EU - such as the use of a language or currency generally used in one or more Member States, with the possibility of ordering goods and services in that other language or currency."
Bell Gully is a foundation supporter of newsroom.co.nz