CIO upfront: Privacy Bill update
- 08 April, 2019 06:30
The Justice Select Committee recently recommended a number of changes to the Privacy Bill. But are further changes possible given the change in public sentiment towards Big Tech and the ongoing debate about harsher penalties in line with global privacy law reform?
A higher threshold for notification of privacy breaches, clarification of the application of New Zealand privacy law to offshore giants like Facebook and Google and clearer rules on the use of offshore cloud service providers.
Those are some of the recommendations made by the Justice Select Committee (Committee) in its report on the Privacy Bill (Bill) on 14 March.
While most will welcome a higher threshold of “serious harm” for privacy breach notification, there has been no movement on penalties for non-compliance. The maximum available penalty is a fine of $10,000 on conviction for an offence, in stark contrast to the civil fines of up to €20 million or 4 per cent of global annual turnover under GDPR.
Nor have other changes to align New Zealand’s privacy laws with what is widely considered the “gold standard” for global privacy law - Europe’s General Data Protection Regulation (GDPR) - been recommended. So we still lack rights to data portability and deletion (often referred to as the “right to be forgotten”) and rules governing profiling and automated decision-making, despite previous recommendations from the Privacy Commissioner that they be included in the Bill.
Just last week Australia indicated it will increase maximum penalties for serious or repeated privacy law breaches from AU $2.1 million to whichever is the greater of AU $10 million, 10 per cent of the organisation’s annual Australian turnover, or three times the value of any benefit obtained through misuse of personal information. New measures to ensure that social media companies protect users’ personal information were also signalled following the Christchurch terrorist attack, as well as $25 million in additional funding for the Australian privacy regulator.
In comparison, there is very little financial disincentive in New Zealand for poor privacy practices.
The Privacy Commissioner (Commissioner) previously recommended fines of up to $1 million for organisations who seriously breach their privacy obligations, expressing concern over the lack of real and meaningful consequences for non-compliance.
He was also recently widely quoted as telling Facebook executives that “Your silence is an insult to our grief” when they failed to respond in the wake of the Christchurch attack.
“The pattern we have seen from Facebook both domestically and internationally highlights the need for the company to be subjected to greater regulatory oversight both in New Zealand and in other jurisdictions in which its data is housed and processed.”
Even Facebook and Google are now calling for new privacy regulations. Mark Zuckerberg himself - not exactly known for his pro-privacy positions - has stated, “I believe it would be good for the internet if more countries adopted regulation such as GDPR as a common framework… New privacy regulation in the United States and around the world should build on the protections GDPR provides.” Google has made similar statements.
If even Big Tech companies are now calling for tougher privacy laws in line with GDPR, surely New Zealanders deserve more than what's in the current draft Bill?
First introduced into the House on 20 March 2018 by Justice Minister Andrew Little, the Privacy Bill aims to better align New Zealand privacy law with international developments such as the GDPR and Australian privacy law changes.
In an official statement, the Privacy Commissioner acknowledged that while “the Bill contains measures to ensure the law addresses some of the most pressing aspects of the modern digital economy”, it “doesn’t include all the things we were seeking”. Something of an understatement perhaps.
Key features of the Select Committee report
1. NZ privacy law applies to Facebook and Google too
The Committee recommended changes to the Bill to clarify its application to offshore companies like Google and Facebook. This recommendation was made before the Christchurch terror attack but provides a particularly welcome clarification considering recent events.
Any organisation that carries on business in New Zealand will be subject to the Privacy Act 1993 (the Act), whether or not it has a physical place of business in New Zealand, any monetary payment is made for the supply of its goods or services, or it intends to make a profit from its business here.
Big Tech companies have previously run afoul of the Commissioner and others by arguing that they do not have to comply with New Zealand laws, including in relation to privacy. In May 2018, Facebook refused to co-operate with an investigation by the Commissioner after he held that Facebook had breached the Privacy Act. Google declined to comply with New Zealand court-mandated suppression orders in May 2018, claiming that while Google New Zealand is bound by New Zealand laws, Google LLC (which runs its search engine) is not because it is domiciled in the US. The recommended changes will make it explicit that those companies can no longer claim that New Zealand privacy laws do not apply to them.
2. Higher threshold for privacy breach notification
The report’s recommendations to introduce a new threshold of “serious harm” will help align New Zealand’s approach to privacy breach notification with that of Australia.
The original wording of the Bill only required notification of a privacy breach to the Commissioner and affected individuals where it caused or was likely to cause “harm”. The Committee agreed with the many submissions arguing that this threshold was too low, risking over-notification of minor breaches and “notification fatigue”. It has recommended a new threshold of “serious harm”.
Failure to notify a notifiable privacy breach will be an offence under the Privacy Act 1993 (the Act), making an “agency” (that is, any person or private or public-sector entity subject to the Privacy Act – which is pretty much everyone subject to limited exceptions) liable for a maximum penalty on conviction of $10,000.
3. Clarity on use of cloud service providers
The Committee recommends various changes relevant to the use by New Zealand agencies of third parties like cloud service providers (CSPs) for the storage and processing of personal information.
You remain liable for personal information stored in the cloud
Under recommended clarifications, an agency remains accountable for all personal information stored or held on its behalf by a CSP (or similar service provider), regardless of the CSP’s location.
But that will only be the case if the CSP does nothing more than store or process the personal information. If it uses or discloses that information for its own purposes, then under recommended changes it will also be accountable to affected individuals.
We recommend checking your agreements with your CSPs and other relevant service providers as to whether they can use or disclose personal information you are storing with them for their own purposes. These days most of the big CSPs include wording along the lines of “We will not access or use your data except as necessary to maintain or provide our services or comply with the law”. But it’s important to check so you are clear on where responsibility for the personal information falls.
Harder to disclose personal information to foreign entities
If your CSP is offshore and is using the personal information it holds for you for its own purposes, then disclosure to such a “foreign person or entity” will only be permitted in the following circumstances:
► The offshore CSP carries on business here and you believe on reasonable grounds that it is subject to the Act.
► You believe on reasonable grounds that the offshore CSP is subject to privacy laws that provide comparable safeguards to those in the Act.
► You believe on reasonable grounds that the offshore CSP is in a “prescribed binding scheme”, is subject to the privacy laws of a “prescribed country” as specified in regulations, or is otherwise required to protect the information in a way that provides comparable safeguards to those in the Bill. That last aspect could be achieved by way of a contract between the parties.
You must notify individuals about a privacy breach
If an agency outsources its data storage or processing to a CSP or similar service provider, the Committee recommends that agency should remain responsible for informing individuals of a notifiable privacy breach - regardless of who actually caused the breach.
That is because the primary agency will have the relationship with the individuals affected by a privacy breach. The Committee has said affected individuals should not be disadvantaged by an agency like Kiwi Co’s decision to use service providers.
As a result, the Committee considers “it is appropriate” for the primary agency to have an agreement with its service provider specifically addressing the handling of personal information. This is analogous to GDPR requirements for data processing agreements between data controllers and data processors. Prudent agencies will want to make sure they include contractual obligations on service providers to notify them as soon as possible after a breach occurs, so they can take the necessary steps to contain and manage the breach and the notification process.
Other changes of note
► Commissioner’s powers: The Commissioner’s key powers remain limited to issuing Compliance Orders and determinations when a person has requested access to personal information and been refused, and providing guidance to agencies. S/he also has a general discretion to not investigate a complaint.
► Data minimisation (of sorts): The Committee recommends inserting a further rule that agencies cannot require an individual’s “identifying information” if it is not necessary for the lawful purpose for which it is collected. The Committee has said that it wishes to discourage agencies collecting personal identifiers by default without considering whether it is necessary to do so. While this does not in fact add much to the existing wording of the Act, it arguably signals the importance of data minimisation, a key GDPR principle that essentially means “don’t collect more than you need”.
► Human Rights Review Tribunal powers: The Committee recommends giving the Tribunal an express power to hold closed hearings in certain circumstances and the Chair of the Tribunal the ability to make decisions without having to convene a three-person tribunal. This may help tackle the backlog of work currently faced by the Tribunal and free up capacity.
► Unique identifiers: Agencies must take all reasonable steps to minimise the risks of misuse of a unique identifier before disclosing it to another agency. This is aimed at unique identifiers like customer numbers and is designed to reduce identity theft.
► Media exemptions: The Privacy Act does not generally apply to news media, to enable them to perform their role of supporting the free flow of information to the public. The Committee has recommended broadening the “news activity” exemption to include Radio NZ and TVNZ, as well as less traditional publications like blogs and books, provided they are subject to the oversight of an appropriate regulator.
What happens now?
The Privacy Bill is now scheduled to take effect from 1 March 2020, later than the July 2019 date originally proposed. It will now progress to its second and third readings, with further changes still possible. While there have been no firm indications to date that MPs have any appetite to push for significant changes to the Bill, it’s possible the ongoing debate on the role of social media platforms in the wake of the Christchurch attacks, plus recently announced Australian privacy law changes, could encourage further analysis and debate. Watch this space.
Frith Tweedie is digital law leader, and Grace Abbott is senior solicitor at EY Law Limited
The views expressed in this article are the views of the author, not Ernst & Young. This article provides general information, does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information.