The good news? Those developing new technologies, including FinTech products involving robo-advice and blockchain, have an opportunity to incorporate privacy considerations into their offerings from day one, minimising legal risks and providing significant flexibility for future innovation. Strong privacy protections can also provide a competitive advantage due to increasing consumer concern about breaches.
In this third Financial Law Insight in our FinTech Series, we look at the interaction of privacy laws with FinTech, including:
FinTech is constantly changing the way that financial products and services are offered and delivered to consumers.
A fundamental input for many FinTech offerings is data – much of it relating to the consumers of the product or service. Examples include the data needed to provide automated advice on an investment choice, authorise a transaction, or calculate an insurance premium.
In the excitement of creating innovative new products and services, the information privacy obligations may be forgotten. However, consumers are now asking questions like ‘What do they do with my personal information’, and ‘How easily can someone else get hold of it?’ Those implementing products and services with effective privacy designs could well derive a competitive advantage in this data-driven space.
Consideration should also be given to the types of consents that need to be obtained from consumers to ensure that the data collected can be processed, stored, used, and potentially sold in compliance with the law.
In this FinTech Series Financial Law Insight, we outline the privacy environment in New Zealand generally, particular issues to consider in relation to the FinTech space, and the potential options and opportunities open to new products and services.
The Privacy Act – the essentials
As the name would suggest, the Privacy Act 1993 (‘Act’) is the key piece of legislation that regulates privacy in New Zealand. It applies to any ‘agency’ (meaning any person, organisation or business, whether in the public sector or the private sector), and to ‘personal information’. ‘Personal information’ is defined very broadly, as meaning information about an identifiable individual.
The current state of the Act
At the heart of privacy in New Zealand are the Act’s 12 information privacy principles (‘IPPs’), which impose obligations relating to how agencies may collect (IPPs 1, 2, 3, 4), store (IPPs 5, 6, 7), use (IPPs 8, 9, 10), and disclose (IPP 11) personal information.
In brief, the key IPPs require agencies to:
Many of the IPPs have built-in exceptions, although the onus is on the agency relying on the exception to prove the exception applies.
The importance of privacy was highlighted in July this year by the Law and Order Select Committee in its report on the Anti-Money Laundering and Countering Financing of Terrorism Amendment Bill (‘Bill’), which has recently been enacted as the Anti-Money Laundering and Countering Financing of Terrorism Amendment Act 2017 (‘AML Amendment Act’).
The version of the Bill sent to the Committee proposed a significant expansion of information-gathering and sharing powers. However, nearly one third of the Committee’s report on the Bill was dedicated to criticising the proposed expansion on privacy grounds. The Committee stated that the proposed information sharing powers were unduly broad, some new powers were ‘inappropriate’, and the overall effect of the proposed information sharing provisions risked undermining the privacy protections in other statutes.
Almost all of the Committee’s privacy-related recommendations on the Bill were incorporated and the information-sharing powers significantly scaled back in the AML Amendment Act. This stance on privacy is one of the most strongly articulated official positions to date outside the Office of the Privacy Commissioner, and could be an indication of things to come.
Future changes to the Act
The Act, at nearly 25 years old, is becoming more and more out of step with overseas privacy laws – a growing issue in this world of cross-border information transfers and data storage. Although amendments to the Act have not yet been tabled in Parliament, proposed changes to the Act include:
Although New Zealand privacy law is currently deemed acceptable by European Union (‘EU’) data protection authorities, changes next year will enhance the privacy rights of EU citizens. Against this background New Zealand providers have the opportunity to build in upgraded privacy protections to their products now, rather than adding these on later once New Zealand law catches up to best practice overseas.
How these apply to FinTech offerings
The Act applies to FinTech products and services in much the same way as it does to more traditional financial products and services.
Some issues to keep in mind, in particular, are:
Use of information
Recently, the customer due diligence obligations applying to financial institutions, including those in the FinTech space, have increased significantly.
These include obligations to verify a customer’s identity for anti-money laundering purposes, and to collect tax residency information for the purposes of New Zealand’s obligations under tax information collection agreements with the United States and OECD.
As a result, financial institutions are required to collect, store, use, and disclose personal information for the purposes of discharging these legal obligations. While other legislation overrides the Act, care needs to be taken to ensure that each instance of collection, storage, use, or disclosure of personal information falls squarely within the relevant law or exception.
For example, in a recent case, the Privacy Commissioner expressed his view that a major trading bank did not properly apply these exceptions when it provided customer information to the New Zealand Police.
The effects of personal identifiers
Obligations under the Act apply only to personal information – meaning that information that does not relate to an identifiable individual (such as information relating to a large group of people or generic information), is not caught by the Act.
However, the existence of a single identifying piece of information about a person could transform all linked ‘non-personal’ information about that person into personal information – extending privacy obligations to the full set of relevant data.
For example, a robo-advice tool may collect generic data that does not identify an individual, for the purposes of providing ‘class’ financial advice (meaning it is not personalised). Provided the data does not relate to an identifiable individual, the Act will not apply. However, as soon as any personal details about an identifiable individual are provided – such as an email address to which a summary of the advice can be sent – obligations under the Act may apply to the full set of data collected.
The options and opportunities for new technologies
The IPPs apply to all personal information collected – the more personal information held, the more extensive the obligations could be.
However, taking a considered approach to the way that information will be collected and the reasons for doing so at the outset will reduce complications further down the track, and provide maximum flexibility for future innovation.
Data minimisation is one way to right-size your privacy practices and obligations. This approach includes:
The real value of data minimisation lies in the reduction of the scope of compliance requirements, and in turn in potential legal and reputational costs from any privacy breach, whether malicious or otherwise.
Privacy by design
Privacy by design involves embedding privacy considerations into a product or service from the outset. The approach follows seven foundation principles, including being proactive and preventative not reactive and remedial, and embedding privacy into the design, rather than tacking it on at the end. Following these principles allows the product provider to demonstrate accountability about the way in which personal information is used, enhancing consumer confidence and trust, potentially building competitive advantage, and can be more cost-efficient than retrofitting privacy protections at a late stage.
Thinking about the privacy disclosures you make
The Act generally restricts an agency’s ability to use and disclose personal information except for particular purposes disclosed under IPP 3, with consent from the individual concerned being a key exception to those restrictions.
Carefully considering the disclosures you make from the outset (i.e. at the time you collect personal information) can significantly reduce the risks of an inadvertent breach of privacy obligations, and can provide maximum flexibility for using data in innovative ways, and selling data, as new technologies develop.
In the excitement of creating a new product or service, it can be easy to overlook privacy obligations.
But with technical development in an early stage for many FinTech providers, seizing the opportunity now to incorporate privacy considerations into your offering from day one can pay dividends in the future.
Start a conversation
If you would like a specific briefing on complying with privacy obligations, how you can build privacy considerations into your FinTech offering, or the regulation of financial technologies generally, please contact Catriona Grover on +64 4 498 0816, David Ireland on +64 4 498 0840, Peter Fernando on +64 4 498 0832, Hayley Miller on +64 9 915 3366, or Tom McLaughlin on +64 4 498 0886, or email the Financial Markets team at firstname.lastname@example.org.