Privacy law reform is making progress – on 6 September, the New Zealand Parliament Justice Select Committee heard more oral submissions on the Privacy Bill. The Bill was introduced on 20 March 2018, and repeals and replaces the Privacy Act 1993.

Like the Act, the Bill regulates the collection, use, and disclosure of information about individuals. The key purpose of the Act’s reform is to promote people’s confidence that their personal information is secure and will be treated in accordance with their reasonable expectations in the digital age.

The key changes introduced by the Bill are:

  • the mandatory reporting of privacy breaches,

  • the power of the Privacy Commissioner to issue compliance notices,

  • the strengthening of cross-border data flow protections,

  • the introduction of new criminal offences,

  • the power of the Privacy Commissioner to make binding decisions on information access requests, and

  • the strengthening of the Privacy Commissioner’s information-gathering power.

The proposed changes purport to better align New Zealand’s privacy law with international developments, such as the 2013 OECD Privacy Guidelines and the European General Data Protection Regulation (GDPR).

A more GDPR-compliant Bill

Interestingly, while the Bill is intended to better align New Zealand’s privacy law with the GDPR, a main tenor of the submissions to date was that further amendments were required to achieve this purpose.

Technology-oriented submitters suggested this is important because:

  • The ability to trade on an internationally recognised high standard of legislative protection would represent a significant competitive advantage for New Zealand companies (particularly those in the IT sector);

  • With borders becoming more fluid, the Bill presents a good opportunity to support the idea of consistency in data protection regulation by aligning New Zealand privacy laws with the GDPR to the maximum extent possible;

  • New Zealanders deserve privacy protections that align with international best practice; and

  • The Bill should aim to retain adequacy (see Note 1) because the technology sector benefits from EU adequacy.

The Select Committee showed interest in what would be required for New Zealand to adapt, rather than adopt, GDPR provisions. In line with comments made by members in previous oral submission sessions, there appears to be a reluctance on the part of the Justice Select Committee to simply lift the provisions of the GDPR into New Zealand legislation, and a corresponding desire to produce an innovative and original data protection bill tailored to New Zealand.

This raises the question: if the GDPR is generally perceived as the international ‘gold standard’ of data protection practice, is it necessary to reinvent the wheel? In light of the trend towards including GDPR compliance clauses in international contracts, regardless of whether all contracting parties actually come within the Regulation’s scope, New Zealand businesses may think not.

Role of the Human Rights Review Tribunal

The Human Rights Review Tribunal submitted that the Bill will increase the already unmanageable workload of the Tribunal by adding access orders and compliance notices. The Tribunal predicts that, as people become more aware of the process and remedies, there will be an uptake of cases such that:

  • There needs to be a bright-line test as to when a person may commence proceedings in the Tribunal;

  • The Bill should increase the circumstances where the chairperson can make independent decisions which are primarily administrative;

  • The Tribunal should be given the power to refuse to accept proceedings filed by a person who knew about the alleged breach for twelve months before making a complaint; and

  • The Tribunal should be given the express power to conduct closed hearings.

These submissions stress the importance of ensuring the proper resourcing for, and the capacity of, the Tribunal before the Privacy Bill is implemented.

Mandatory reporting of privacy breaches

Submissions on the Bill’s mandatory reporting scheme for privacy breaches were significant. The proposed scheme has drawn criticism from past submitters, who argued that the definition of ‘notifiable privacy breach’ under the Bill sets an impracticably low threshold. It was also submitted that the risks associated with a low notification threshold include:

  • The over-reporting of privacy breaches by agencies;

  • Notification fatigue (see Note 2) amongst members of the public; and

  • Resourcing issues for agencies and the Office of the Privacy Commissioner.

The submissions to date focus on:

  • The need for breach notification to align with overseas best-practice, so that it is easier for agencies to comply and easier to hold them to complying;

  • The preference to adopt the objective ‘serious harm’ threshold for making assessments on whether to notify individuals of breaches; and

  • The desirability for the Bill to be more closely aligned with the Australian framework for notifiable data breaches, to minimise the costs of compliance and potential confusion.

Concluding comments

The Justice Committee is due to submit its report on 22 November 2018. The Bill will be read a second and third time in the House before it becomes binding legislation in New Zealand. The dates of the second and third readings are yet to be determined.

For more information on privacy law or other related legislation, get in touch with Bell Gully’s privacy and data protection team or your usual Bell Gully adviser.

Note 1: ‘Adequacy’ in this context means that New Zealand’s privacy laws have been the subject of an adequacy decision of the European Commission (i.e. the national privacy scheme has been deemed substantially GDPR-compliant). This means personal data can be transferred freely between the EU and New Zealand. At any time, the European Parliament and the Council may request the European Commission to maintain, amend or withdraw an adequacy decision.

Note 2: A frequent criticism of mandatory notification schemes is that requiring agencies to notify every privacy breach will result in too many notifications and lead to “notification fatigue” among members of the public. In other words, if individuals are notified of every minor data breach, they may ignore notifications about more serious incidents (for example, if consumers come to regard numerous “less serious” privacy breach notification emails as a form of spam).