2018: The year privacy became mainstream
6 December 2018
Earlier this week Renee Stiles and Alex Chapman of Buddle Findlay's TMT team attended the Privacy Commissioner's International Privacy Forum in Wellington. The forum featured a number of international privacy commissioners and regulators, including the UK Information Commissioner (Elizabeth Denham), and highlighted a number of key issues relevant to New Zealand's privacy landscape.
There is a movement towards convergence of data protection and privacy laws globally. This reflects that privacy and data protection are becoming mainstream (largely as a result of the Cambridge Analytica breach and several other high-profile privacy breaches during the course of 2018) and that there is an increased understanding amongst governments about the importance of strong data processing regimes and of ensuring that individuals have access to their personal information. The UK Information Commissioner described this as a "race to the top" amongst countries in terms of the development of privacy and data protection laws.
It will be interesting to see whether this convergence and heightened focus is reflected in the New Zealand Privacy Bill when the Select Committee releases its report on it in March 2019.
Extra-territorial reach of the GDPR
As we've discussed before, the extra-territorial provisions in the EU's General Data Protection Regulation (the GDPR) remain a key concern for New Zealand businesses. In this context, the UK Information Commissioner noted that the European Data Protection Board's draft guidelines on the extra-territorial provisions of the GDPR may be helpful.
In light of the extra-territorial reach of the GDPR, businesses are rightly nervous about the potential penalties that may apply in relation to breaches of the GDPR: a breach of the GDPR can result in penalties of up to 20m Euros, or 4% of an undertaking's total annual worldwide turnover, whichever is higher.
The UK Information Commissioner stressed that proportionality is embedded into the GDPR and that New Zealand companies 'trying their best' and engaging with EU regulators are unlikely to be subject to penalties under the GDPR regime. Instead, it is likely that regulators will rely on their extensive investigative and advisory powers to ensure that the GDPR is being complied with appropriately. In terms of enforcing penalties, the UK Information Commissioner acknowledged that there may be some practical limitations but that it would seek to rely on assistance from other jurisdictions to ensure that the GDPR was enforced as necessary.
A recurring theme amongst the privacy regulators that spoke at the Forum was a substantial increase in both the ability of members of the public to exercise rights in order to control the use and collection of their personal data and public engagement in privacy issues generally - with many referring to 2018 as the year privacy and data security have gone 'mainstream'.
This has led to the need for additional resource for privacy regulators, particularly following the introduction of mandatory data breach notifications in the EU and Australia. We note that similar obligations have been proposed in the New Zealand Privacy Bill, although it remains to be seen whether the introduction of such obligations will also see the New Zealand Privacy Commissioner's requests for further funding being realised.