Privacy Law Reform and EU’s General Data Protection Regulation
Thursday, June 14, 2018
MinterEllisonRuddWatts Partner Tom Maasland, Senior Solicitor Suzy McMillan, and Solicitor Aidan Allen, discuss the Government’s necessary and timely Privacy Bill and how it will likely interact with the European Union’s new General Data Protection Regulation (GDPR).
Reform to our 25 year-old privacy laws has arrived
The Privacy Bill (Bill), now at Select Committee stage, proposes necessary and timely reforms to the New Zealand Privacy Act 1993.
Timely, because New Zealand’s current law is now 25 years old. Necessary, because there has been recent reform of data protection laws at an international level and New Zealand risks falling behind global standards in an era with increased scrutiny on data protection and privacy rights.
Just as we have seen many European organisations actively moving to refresh their processes and systems in anticipation of the General Data Protection Regulation (GDPR), the Bill provides New Zealand organisations with a prime opportunity to review internal privacy practices and ensure these are up to scratch.
The Bill has two aims:
- restoring individuals’ confidence that agencies will keep their personal information secure; and
- providing the New Zealand Privacy Commissioner with greater powers to address failures by agencies to handle personal information appropriately.
The changes proposed by the Bill seek to enforce these aims in two ways. First, to impose greater compliance obligations on agencies. Second, to increase fines against agencies in the case of non-compliance.
A few of the key proposed changes are:
- Mandatory breach reporting: Consistent with international developments, the Bill provides for mandatory data breach reporting. The Bill proposes that agencies must notify the Privacy Commissioner and affected individuals if there has been unauthorised or accidental access to, or disclosure of, personal information, that caused harm, or if there is a risk that it could cause harm, to an individual. What is “harmful” is framed broadly, and some argue that the wording as currently proposed creates a tension between satisfying the objectives of breach reporting and placing an unreasonable compliance burden on agencies. It will be interesting to see whether in reporting back the Select Committee adopts a ‘reasonableness’ standard to further clarify the circumstances in which an agency is required to report a data breach (as reflected in Australia).
- Increased fines: The Bill proposes that fines for non-compliance will increase from $2,000 to up to $10,000. These arguably fall short of being a significant deterrent to non-compliance, especially when compared to the significant scale of penalties imposed under the GDPR and Australian legislation.
- Cross-border data transfers: The Bill proposes that disclosure of personal information to an overseas person will only be permissible if the individual consents to the disclosure, if the overseas person has comparable privacy laws to New Zealand, or the agency believes the overseas person is required to protect the individual’s information in a way that is comparable to New Zealand’s privacy laws (similar to adopting model contractual clauses under the GDPR). This will be particularly relevant to lawyers and their clients alike, as it will require a deeper insight into how third party service providers (such as cloud storage providers) deal with personal information that they hold on our behalf and potentially more comprehensive contractual terms governing the provision of such services.
What is the impact of GDPR in New Zealand?
While there has been quite a bit of industry interest in the application of GDPR to New Zealand-based businesses it’s important to acknowledge that many of the principles set out in the GDPR are similar to New Zealand’s existing laws (and/or proposed laws under the Bill).
However, while the fundamental principles of the Bill are similar to those imposed by the GDPR, there are a few key rights and obligations introduced by the GDPR that are not reflected in the current Bill. Specifically the principles of ‘data portability’, the ‘right of erasure’, mandatory privacy impact assessments, and the explicit requirements around what constitutes ‘consent’. Whether the absence of these concepts in the Bill would be enough to jeopardise New Zealand’s “adequacy” status in the long term remains to be seen, but is something the Select Committee will no doubt consider as part of their deliberations.
The Privacy Commissioner has indicated that New Zealand’s “adequacy” status from the European Commission is not under immediate review in light of the introduction of the GDPR. This is welcome news to many New Zealand businesses who rely on this for ease of cross-border data flows.
For those New Zealand businesses who may fall within the scope of the GDPR, it is still somewhat unclear how the EU regulators propose to enforce their laws against a New Zealand organisation with no legal presence in the EU. While we don’t envisage that EU regulators will be knocking on the door of New Zealand-based businesses as a first priority, it will be interesting to see how this purported extra-territorial regulation plays out.
The message is clear: privacy reform is coming and New Zealand organisations will need to place emphasis on privacy and data protection compliance. In a world where flow of data and the security of personal information are key to most businesses, the reputational risk of non-compliance is likely to be just as severe as any breach of the law.
Tom Maasland is a Partner in top tier law firm MinterEllisonRuddWatts. He has an extensive Technology, Media and Telecommunications (TMT) practice – and the team has been recognised by international legal directory, Asia Pacific Legal500, as Tier 1 for TMT in New Zealand.
Tom advises on the full gambit of technology law issues – from advising clients on major technology transformation programs and large scale technology procurement, through outsourcing and managed services and “as a service” arrangements, to the more run of the mill software licensing and support agreements. He advises on privacy and data protection, as well as emerging technology areas such as cyber security, artificial intelligence, blockchain and smart contract related advice. Contact Tom at firstname.lastname@example.org
Suzy McMillan is a senior solicitor in the MinterEllisonRuddWatts Corporate & Technology team. She provides a wide range of advice on all commercial and technology legal matters with a particular focus on technology agreements, privacy and consumer law.
Aidan Allen is a solicitor in the MinterEllisonRuddWatts Corporate & Technology team. He assists clients from a wide range of different industries in respect of their contracting, technology and intellectual property needs.
sign up to our updates
To keep informed of our upcoming seminars that are right for you
"Practical industry examples with great enthusiasm"
Delagate - Building and Construction Law Conference – Wellington, March 2017
,Read more testimonials