Welcome to the K3 hub

The Privacy Bill that’s about to update New Zealand's data protection regime has been a long time coming. It’s about time more people and businesses pay attention to the looming changes, says K3 Legal’s Patrick Shanahan-Pinker.

“In 1993 when the original Act was written, there was nothing really like the modern internet. How data was collected then is totally different to today.”

Changing rules and shifting balances

The new Privacy Bill introduces several major changes, providing greater clarity and protections for both consumers and the general public.

“Individuals should have greater power and better understanding of their rights under the law,” says Shanahan-Pinker.

The first major change these is mandatory reporting of “notifiable privacy breaches” under Part 6 of the Bill.

“The big change is that business or agencies that fall within the legislation have to report privacy breaches to affected persons as soon as possible after the breach occurs,” says Shanahan-Pinker. “Under the previous Act, companies didn’t really need to report. Now they can incur a fine of up to $10,000.”

However, the definition of a “notifiable” breach is the contentious issue. Part 6 of the Bill notes that a breach is notifiable if it causes any type of harm. Numerous commentators are in agreement that is threshold may be too low, says Shanahan-Pinker.

Another significant change concerns the country’s privacy commissioner, who will be given the power to issue compliance notices. Companies that fail to adhere to these notices would face criminal liability and a fine of up to $10,000.

“It’s really the power for the commissioner to go along and say, ‘We think your actions breach the Privacy Act or privacy principles’,” says Shanahan-Pinker. “Companies will have to take those steps or comply with these conditions the commissioner deems appropriate in order to remedy the breach.”

The Bill also institutes cross-border data flow protections, requiring data transferred internationally to be protected as strongly as it would be in New Zealand.

“When a New Zealand company has data and that data flows overseas – say, to a server in America – they have to be sure that the data is protected under our Act when it’s transferred to international jurisdictions,” says Shanahan-Pinker.  “A good example would be companies using services like Dropbox to share and store information.”

Consumers are also given the power to lodge an access request. If the Bill becomes law, this provision enables consumers to go to companies and ask them to confirm what data these companies keep about them.

“They can make access requests to these companies. If the company doesn't comply within strict timeframes, individuals can go to the privacy commissioner and the commissioner can then make companies comply with those data requests,” he says. “If they still don't comply, this can result in criminal liability and a fine.” 

Better consumer protection

In fact, the focus of the bill is largely on the individual, says Shanahan-Pinker. It’s largely oriented at protecting the individual and privacy, which is why it’s so crucial for people to pay attention to the changes if the Bill is passed.

“I don’t think the average consumer is actually aware of how much privacy data businesses keep on them,” he says. “A lot of people have privacy data out there in the hands of companies, so if a business gets hacked or otherwise breached, a lot of people could potentially receive notifications.”

Businesses also need to take heed because compliance will become tougher, Shanahan-Pinker warns. More administration will be required, with compliance notices and request access notices likely becoming the norm.  

“They need to get an understanding of their responsibilities under the new Act and know how to have processes in place to deal with them,” says Shanahan-Pinker. “If they don't, there will be serious consequences.”

Shaping the future of NZ’s privacy landscape

The Privacy Bill is currently before the select committee in Parliament. The public submissions have already drawn comparisons with similar Bills in Australia and in the European Union, notes Shanahan-Pinker. 

“In the submissions, there were a number of technology companies advocating to follow the path of Australia,” he says. “That law has a higher standard for mandatory reporting of privacy breaches, so companies don’t have to report so often.”

However, it will also be interesting to see whether the New Zealand law will adopt facets of Europe’s new General Data Protection Regulation, Shanahan-Pinker says. If it does, one can expect even more protections for the individual’s privacy – possibly something similar to Europe’s infamous “right to be forgotten.”