Guarding your data
Big fines proposed
The Privacy Commissioner is set to get a lot more powerful, but he hasn’t been granted his $1 million wish just yet.
Justice Minister Andrew Little introduced the Privacy Bill to replace the 25-year-old Privacy Act this week. Commissioner John Edwards has been asking for law reform for four years, his entire time in office.
The Law Commission recommended it be renewed in a 2011 review.
Little’s tabling of the Bill was opportune. This week, news broke that a firm had misused information it took from 50 million Facebook accounts to fuel US president Donald Trump’s election campaign.
Facebook founder Mark Zuckerberg apologised for breaching customers’ trust and admitted the social media company made mistakes.
Under Little’s proposals, companies that willfully misuse people’s personal information could be fined for not telling users their data was breached, or the commissioner could hand companies a compliance notice, telling them to tighten security measures.
The bill proposes multiple changes, all of which would harden New Zealand’s privacy law.
Most notable was the introduction of a mandate for companies and Government agencies to report ‘‘harmful’’ data breaches to the commissioner and the people whose information was compromised.
Organisations are known to sweep data breaches under the rug. New Zealanders’ information was compromised in a 2016 hack of Uber’s systems, which was only made public late last year.
The company’s chief executive reportedly kept it hidden and paid hush money to hackers.
Uber would not say how many New Zealand accounts were hacked but made assurances no credit card information was leaked.
At the time, Edwards said the hidden Uber hack highlighted the ‘‘importance and urgency of mandatory breach reporting laws’’.
LinkedIn was hacked in 2016 also. The company would not say if any of its then 1 million New Zealand users were affected.
In 2012, state insurer Accident Compensation Corporation (ACC) leaked 250 claimants’ sensitive information via email.
Edwards wanted to be able to slap companies with a $1 million fine for the deliberate misuse of people’s information, but Little’s Bill did not include that measure.
At the moment, companies can be penalised up to $10,000, and individuals $2000, for data breaches. Edwards said that was not enough.
‘‘Without real and meaningful consequences … cowboys will ignore their implications.’’
BusinessNZ chief executive Kirk Hope said a $1m fine was ‘‘out of whack’’. The reputational cost a company would incur if it misused customers’ information was enough of an incentive to do the right thing, he said.
‘‘That will far outweigh any fine that a privacy commissioner can impose on a business. What are you trying to solve with a penalty?’’
Edwards said he was ‘‘quietly confident’’ that if the Bill passed its first reading to select committee stage, public submissions would support a $1m penalty and it would be added to the Bill.
The word ‘‘harmful’’ would be toyed with by a committee too, he said. The threshold of what determined harm needed clarifying.
Some countries calculated harm by the amount of information leaked. Edwards said he did not want New Zealand’s threshold to be a number.
‘‘I don’t take to that approach because there could be other elements; the nature of that information, the potential for the harm on the individual.’’
Human error would not be penalised, he said.
Hope said a breach would need to be ‘‘relatively substantial’’ for a company to need to publicise it. ‘‘Substantial’’ depended on the nature of the business, he said.
Regardless of the details, Edwards and Hope both agreed an update of privacy law was needed.
Edwards said data was the new oil and there were unlimited ways people and organisations could misuse it.
‘‘Personal information is the engine room of the new economy and it has to be protected. So much of the economy, business and Government runs now on information.’’