One of the key changes to European data protection law to be introduced by the GDPR will be the extra-territorial scope of its application. Organisations throughout the world who engage with individuals and businesses in the EU may find themselves subject to laws imposed by the European Parliament in Strasbourg, and enforced by data authorities throughout the EU: in places as far-flung as Warsaw, Bratislava, and Dublin.
The long arm of European data protection law will reach as far as the Antipodes, and New Zealand businesses will need to be ready.
The GDPR represents a step-change in data protection law, in that, in addition to introducing further protection for individuals’ personal data and additional obligations for businesses collecting and using that data, the regulatory fines that may be imposed for breaching data protection law are to be scaled up significantly. The GDPR mandates the imposition of fines, in respect of the most egregious breaches of the GDPR, of amounts up to the higher of €20 million and 4% of the infringing organisation’s global turnover: a sure sign of the seriousness with which organisations are expected to treat the protection of personal data.
How may the GDPR apply to New Zealand businesses?
New Zealand businesses operating in our little corner of the globe might think that they are immune to such a law change. And many businesses will be. For the time being, they will not need to worry too much about law changes on the other side of the world (although for more on proposals that will likely result in a more robust privacy regime in New Zealand, see here).
However, in the increasingly global economy in which New Zealand businesses operate, many businesses deal in data from around the world, or target consumers on a global basis. Regardless of whether they are based in Takapuna or Taihape, they will be subject to the GDPR, and will need to comply.
In this regard, the GDPR applies to the “processing” of personal data of data subjects (in other words, individuals) who are in the EU, by a “controller” or “processor” who is not situated in the EU, where the processing activities are related to:
• the offering of goods or services to data subjects in the EU; or
• the monitoring of their behaviour as far as their behaviour takes place within the EU.
The GDPR imposes obligations on both controllers (those who determine the purposes and means of processing personal data) and processors (those who process personal data on behalf of a controller). “Processing” has a wide definition: it covers any operation or set of operations that can be performed on personal data, including not only its collection and use but also something as simple as its storage or hosting.
Are you a controller under the GDPR?
In many cases, it will be obvious to a New Zealand business that it falls within the scope of the GDPR: for example, if it explicitly offers goods or services to data subjects in the EU and collects personal data in the course of doing so.
But how about the less clear-cut examples? The recitals to the GDPR suggest that offering a consumer the ability to pay in a currency used in the EU could suffice; even the use of a language used in the EU (but not elsewhere) could bring the offeror within the GDPR’s jurisdiction. An extreme example could be a small motel in regional New Zealand that just happens to include a bit of German on its website to attract bookings from Germany: not the most obvious target for regulation under European law, but caught nonetheless.
Other more high-tech businesses are likely to be caught too: for example, to the extent that data analytics is carried out outside the EU on non-anonymised data with a European source; or a software solution for an EU-based customer is hosted outside the EU.
The “monitoring” of the behaviour of website users is particularly likely to catch businesses unawares. Even the use of fairly basic cookies on a website that does not target EU users, but attracts visitors from the EU nonetheless, could technically bring the publisher of the site within the realm of the GDPR, although the exact scope of what constitutes “monitoring” under the GDPR is not yet tested. This grey area in particular is of interest to many non-EU businesses.
If a New Zealand business is, or is to be, a processor, it is likely that the EU-based controller which has appointed it will have identified that the GDPR will apply, and will have implemented or sought to implement appropriate contractual protections. Even then, New Zealand-based processors should be aware that their obligations will go beyond those set out in the contract. Before accepting an appointment to “process” personal data on behalf of an EU-based controller, New Zealand businesses should complete appropriate legal and technical diligence to ensure they understand not only their contractual obligations, but also the regulatory obligations imposed on them directly by the GDPR.
The GDPR is yet to become law, and the way in which it will be enforced remains to be seen. We consider it unlikely that EU data protection authorities will have the resources or inclination to pursue SMEs in New Zealand who only collect personal data incidentally in the course of their operations, such as through the grey area of “monitoring” described above (but it cannot be ruled out). In addition, where a business does not have a physical presence in the EU, it will likely be costly and complicated for GDPR proceedings to be brought against that business, with significant jurisdictional hurdles to overcome.
Nevertheless, we recommend that New Zealand businesses take some time to understand whether the GDPR applies to them. The reputational damage that can be wrought from a failure to comply with data protection law – regardless of the regulatory sanctions that might be imposed – can wreak havoc on a business.
An ability to comply with the GDPR is a clear statement from a business that it takes privacy matters seriously: an indication to consumers that the business is one which they can trust with their personal information. New Zealand law is likely to follow – at least in part – the GDPR regime, and the sooner that New Zealand businesses prepare for the introduction of more robust privacy requirements, the better-placed they will be to respond and adapt.
If you’d like to discuss what your organisation can or should be doing with respect to the introduction of the GDPR, please contact Hayley Miller, Hayden Wilson or Campbell Featherstone.