Last week saw the Office of the Privacy Commissioner run another successful Privacy Week. While there were a number of interesting sessions held during the course of the week, our key takeaway was that organisations doing business in New Zealand should expect future changes to the Privacy Act 2020 (Privacy Act). We see three key drivers for change:
1. Public concern
Research undertaken by the Privacy Commissioner's Office indicates that three out of five New Zealanders are concerned about their personal information being shared without their permission. This is consistent with research undertaken by Internet NZ which identifies that 65 percent of New Zealanders are extremely or very concerned about threats to their privacy. While our view is that the Privacy Act already has provisions to address a number of the concerns that New Zealanders have, there seems to be a sentiment that New Zealand businesses are not taking on board the 'privacy is precious' message. Recent large scale damaging cyber attacks on both sides of the Tasman have also made the risk of identity theft, stolen credentials, and other consequences of a privacy breach seem much more real for New Zealanders.
2. International trends
The Privacy Act was substantively reformed in 2020. However, as the reform process took 10 years to complete, arguably it simply did not keep up with international trends in privacy law or adequately reflect increasing public concern and focus. For example, by the time our Privacy Act came into force, it had arguably fallen behind in relation to financial penalties, rights to erasure (ie the 'right to be forgotten') and data portability. While data portability is now being addressed as a separate consumer data right by the Ministry of Business, Innovation and Employment, there are still gaps in the privacy rights that New Zealanders have when compared with the rights offered in other jurisdictions.
Of particular note, the penalties under the Privacy Act are modest when compared to other jurisdictions (as discussed in our update earlier this year). For example, the Privacy Act has a maximum NZ$10,000 fine for certain breaches (eg a failure to notify the Privacy Commissioner of a privacy breach). In contrast, Australia has a maximum penalty of the greater of AU$50m, three times the value of any benefit obtained through the misuse of information, or 30 percent of company's adjusted turnover in the relevant period.
The Privacy Commissioner has signalled that he wants to address some of these gaps, including by introducing a right to erasure and civil penalties. He has also indicated an interest in reform in relation to children's privacy (although what that will look like remains unclear).
3. Adequacy
As we've written about before, it is still unclear whether the Privacy Act is enough to keep New Zealand's status as a country with adequate data protection safeguards for the purposes of the EU General Data Protection Regulation. If New Zealand lost its adequacy status, then the free flows of data that we currently enjoy with the EU and the UK will end, meaning much more administrative ‘red tape’ for businesses that transact with the EU and UK.
While the full scope of potential changes and timeline for change is unclear, the Privacy Commissioner has flagged that children's' privacy, rights to deletion, and fines and penalties are three key areas of immediate interest. While substantial reform of the Privacy Act may be some time off, it is worth keeping a watching brief on developments and updated policy guidance from the Privacy Commissioner's Office.
If you have any questions about privacy and data protection, or would like to discuss any of these topics, please get in touch with one of our team.
