Privacy chief warns of new offences
“The corporate world collectively shat itself when the new OSH [occupational safety and health] law came in,” Privacy Commissioner John Edwards told an IAB NZ seminar yesterday.
Edwards wants businesses and boards to treat the new Privacy Act — which passed on Tuesday and comes into force December 1 — with the same seriousness.
The Privacy Commissioner again bemoaned that the new legislation did not give him his requested power to levy big fines, like counterparts in the US and the UK who recently hit Facebook and British Airways with US$5 billion ($7.7b) and £183 million ($350m) penalties respectively.
Nor does the new law include his suggestion for data portability, or the ability for a consumer to take their data with them when they switch service providers — just one of a number of recent reforms in EU and Australia that haven’t made it to our new legislation.
But the new act still gives the commissioner some teeth.
The new legislation has the same basic principles as the old: any organisation that collects data about an identifiable individual must collect no more information than it needs, store it securely and use it only for the purpose for which it was collected.
But there are a number of key changes to the way those principles are enforced, including mandatory data breach disclosure. If you lose data, mistakenly email it en masse to the wrong person or it gets stolen by hackers, you’ll have to inform Edwards’ office, and any affected customers.
Failure to report a harmful data breach could result in a fine of up to $10,000.
A common question from the IAB audience of media execs, ad execs and lawyers: what will constitute a breach worth reporting?
“If your kindergarten accidentally sends a message to all that reveals your child is gluten-intolerant, I don’t want to hear about it,” Edwards says.
A new “NotifyUs” interactive, “semi-intelligent” widget will be added to the Privacy Commissioner’s website shortly to help organisations gauge when a breach passes the notification threshold.
Edwards cautioned the answers would never be black and white, however. The Privacy Act was not prescriptive in the way tax legislation is; because it enforced a set of general principles, there would always be judgment calls on which cases his office should pursue.
The Privacy Commissioner also gains the ability to issue compliance notices if you’re, say, running a competition but overstepping the mark with the amount of personal data you collect or failing to store it securely. Failure to comply could see a referral to the Human Rights Commission, and ultimately a fine of up to $10,000.
And Edwards noted that while it was previously frowned on to destroy an employee’s personnel file after they requested to view it, such behaviour will now attract a fine of up to $10,000.
It will also become a criminal offence to impersonate someone in order to access their data, again with a fine of up to $10,000.
Obstructing the Privacy Commissioner will also become an offence, with the same fine.
Big Tech in the frame
Another big change is extraterritoriality. Edwards has had a number of high-profile standoffs with Facebook, which has at times refused to cooperate with orders from his office, saying it falls under US privacy law. Our new Privacy Act makes it explicit that any business that collects data from New Zealanders — even if it has no physical or legal presence here — will fall under our Privacy Act, as well as the laws of its own country.
Asked if Facebook and Google would have to comply with requests to hand over user data after December 1, when the new Act comes into force, Edwards said that was “inarguably true”.
Edwards said the Commerce Commission’s (ongoing) prosecution against Switzerland-based online ticket seller Viagogo under the Fair Trading Act showed that the principle of extra-territoriality was workable (after initial resistance, Viagogo accepted NZ jurisdiction).
With his wider powers from December 1, Edwards told the IAB audience that there was potential for his office to work in tandem with the Commerce Commission in various enforcement areas.
The extra-territoriality element goes both ways. If a New Zealand organisation sends data to an overseas party, it needs to make sure that party is in a location with privacy protections equivalent to NZ’s. If those protections don’t exist in law at the destination, then they must be added via a private contract.
Budget bump
After Australia tightened its privacy law, there was a surge in reports. Budget 2020 gave the Privacy Commissioner’s office here a $2.36m bump in annual funding to accommodate the anticipated increase in work (its 2019 allocation was around $5m).
School-up via the Privacy Commissioner’s website
Edwards told the audience to get ready for the new Privacy Act now.
A business should have a plan for informing customers in the event of a data breach, and regularly test systems.
It should also school-up on the new legislation. Edwards recommends key staff in your organisation take the e-courses on the new law, which are available through the Privacy Commissioner website.