A data breach arises if there is unauthorised access to or unauthorised disclosure of personal information, and a reasonable person would conclude that such access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
This article explores the potential impacts for New Zealand businesses, and also discusses global trends in data protection laws and the likelihood that the New Zealand legislature will follow suit.
Changes to Australian law
All agencies that are currently subject to the Australian Privacy Act (generally speaking, government agencies and businesses with an annual turnover of A$3 million or more) will be required to notify the Australian Privacy Commissioner, and also individuals affected, in the event of a data breach.
New Zealand businesses who are already subject to the Australian Privacy Act (those with an “Australian link” because they are incorporated or formed in Australia, or because they carry on business in Australia or collect or hold personal information in Australia) will have to comply.
What does this mean for other New Zealand businesses?
New Zealand privacy law does not currently require agencies to notify data breaches.
However, New Zealand privacy law is currently under review, and a proposed new Privacy Bill is in the process of being drafted. New Zealand’s Privacy Commissioner has confirmed that he expects that the Bill will introduce a mandatory requirement for agencies to notify data breaches, similar to the new Australian regime. New Zealand businesses should, therefore, keep a close eye on how the regime across the Tasman is implemented and how Australian businesses respond to the new requirements.
Why is New Zealand privacy law under review?
The review of New Zealand privacy law has been necessitated not only by the pace of change in digital technology and the commercial use of personal information by online businesses, but also by the requirement to bring New Zealand’s laws in line with the laws of other jurisdictions where the right to privacy, and in particular, the right to have one’s personal data protected, has been the subject of higher scrutiny and regulation.
Global trends in data protection
The gold standard of data protection law is considered to be the European Union’s General Data Protection Regulation, known as the GDPR, which will come into force throughout the European Union on 25 May 2018. The GDPR is an upgrade to the European Union’s Data Protection Directive, which was introduced in 1995, and which is generally considered to be the most thorough and sophisticated data protection regime worldwide.
The GDPR represents a step-change in data protection law, in that, in addition to introducing further protection for individual personal data and additional obligations for businesses collecting and using that data, the regulatory fines that may be imposed for breaching data protection law are to be scaled up significantly. The GDPR mandates the imposition of fines in respect of the most egregious breaches of the GDPR of amounts up to the higher of €20 million and 4% of the infringing organization’s global turnover: a sure sign of the seriousness with which organizations are expected to treat the protection of personal data.
Other jurisdictions are likely to amend their laws to more closely align them with the GDPR. Indeed, Australia’s introduction of a mandatory data breach notification requirement reflects an equivalent requirement that will be introduced by the GDPR.
At the same time, a number of jurisdictions (including the UK, Singapore and, in recent times, Australia) are looking to regulate customer access to and control of their own data: particularly in the context of promoting “Open Banking”, although this will likely extend to other industries. The success of an open access framework for consumer data rights in these jurisdictions – and, eventually, in New Zealand – will depend in part on the groundwork put in by regulators and businesses to establish a culture of compliance with the privacy principles that will necessarily underpin that framework.
It is particularly important for New Zealand privacy laws to be brought up-to-date, since New Zealand (unlike Australia) is considered to be a “white list” country to which personal data may be more readily exported from the European Union. This is due to a formal finding from the
European Commission that New Zealand has adequate personal data protection laws. However, that finding is subject to ongoing review: following the introduction of the GDPR, the adequacy of New Zealand’s privacy and data protection law will once again come under examination from the European Commission.
In light of these global trends, New Zealand’s Privacy Commissioner has recommended a number of amendments to be included in the Privacy Bill. We expect that the Privacy Bill will provide for (among other matters):
What should New Zealand businesses be doing?
As yet, there is no definitive time frame for the finalizing and introduction of the Privacy Bill into the New Zealand legislative process. However, it is clear the direction in which privacy and data protection laws are heading in New Zealand and elsewhere in the world. In addition, consumers are becoming more aware of the importance of the protection of their own personal information and their digital identities, and acting with their feet in the event that they no longer trust organizations with that information.
With that in mind, now is the time for New Zealand businesses to reassess the importance of privacy and data protection in their businesses. In particular, they should consider:
New Zealand businesses who are subject to the Australian Privacy Act or to the GDPR must act now to ensure they are in a position to comply when those new laws come into force in the first half of this year. For other New Zealand businesses, these laws are “the shape of things to come” in New Zealand: while there may not be any immediate requirements to fulfil, now is the time for them to proactively get their houses in order.
If you’d like to discuss what your organisation can or should be doing with respect to privacy and the protection of personal information, please contact Hayley Miller, Hayden Wilson or Campbell Featherstone.