Privacy Act reform finally lands – data loss or hacks must be reported from 1st December

New Zealand finally has new upgraded privacy and data protection laws, in the shape of the Privacy Act 2020. 

This arrives at a time when local and overseas firms are experiencing more cybercrime attacks every day and the risks of losing private data, to hacking or malicious sources or simply internal errors, has never been greater.

The new Act entirely replaces the Privacy Act 1993 but it does retain reliance on “information protection principles”, rather than taking a highly prescriptive approach.  Those existing principles are largely kept in place, with one new principle being added to the list.

The most significant change for most businesses will be the mandatory obligation to publicly address data breaches or loss of personal information about customers and others. This will be required from 1 December 2020 when most of the new law comes into force.

Previously, some companies may have had a culture where the first instinct was to keep quiet about hacking or data leaks until forced by the media or customers to deal with it. In future, affected customers/parties will need to be notified, and a report made to the Officer of the Privacy Commissioner.

This gives the business community, already reeling from Covid-19 a rapidly closing few months window to make the necessary changes to internal privacy policies and data collection/protection terms.

Background

The Privacy Act 2020 was passed as part of a final push by Parliament to clear some old legislative reforms over the line before the MPs wind up for the general election to take place in September.  Nobody could accuse this of being rushed law-making. The draft Bill was introduced into Parliament over two years ago in early 2018, but in fact was based on recommendations made by the New Zealand Law Commission in a review of privacy law back in 2011.

So, it is safe to say that these changes are well overdue. Indeed, the Privacy Commissioner (Mr John Edwards) has quipped that we at last have a privacy law fit for 2011 conditions, and he intends to keep pushing for further improvements in the law in the months ahead. The Minister of Justice (Andrew Little) has indicated that the government may (if re-elected) grant the Commissioner’s wish and consider further updates soon, so additional reforms may be examined in 2021.

Compared to the European GDPR regime, which many multi-national companies will be familiar with and dialling their compliance processes toward, the new Privacy Act falls short. But while some of that “already out of date” criticism is valid, any way you look at it the new Act remains a marked improvement on the pre-internet era 1993 statute.

The major changes under the Act

The new Act keeps a familiar principles-based approach, while updating the law to reflect the needs of the digital age. Section 22 of the Act reproduces with some changes the previous 12 information privacy principles from the 1993 Act and adds one more, regarding the disclosure of personal information outside of New Zealand.

Applying broad principles allows “agencies” who hold information flexibility in how they choose to comply with the principles, but brings with it risk of later criticism/action if they apply them poorly.

The main reforms in the Act include:

  • mandatory reporting of privacy breaches;
  • binding compliance notices can be issued by the Commissioner;
  • more protection for cross-border data transfers overseas;
  • Commissioner’s decisions on access requests are binding (rather than having to enforce through the Human Rights Review Tribunal);
  • new criminal offences; and
  • larger penalties, enforcement powers and increase from fines (from the current paltry $2,000, up to $10,000)
Data breaches must be notified, to persons affected, and to the Commissioner

The most onerous change, and the one having a direct practical effect on all agencies, is the new requirement to notify the Privacy Commissioner as soon as practicable after becoming aware that a “notifiable privacy breach” has occurred.

Further, all affected individuals must be notified when an agency becomes aware of the breach or, if that is impracticable, it must instead give public notice of the breach, with some exceptions.

A privacy breach concerning personal information held by an agency is defined in section 112 to mean:

  • unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information; or
  • an action that prevents the agency from accessing the information on either a temporary or permanent basis.

It includes breaches due to a person inside or outside of the agency. So whether committed by a disgruntled or politically motivated employee or a third party hacker, either way, it is a privacy breach.

Then, a notifiable privacy breach means a privacy breach that it is reasonable to believe has caused serious harm to an affected individual or individuals or is likely to do so.  A series of factors are listed in the Act that agencies must assess and consider to help decide if any particular breach is likely to cause serious harm and therefore be notifiable.  It may pay, in the early stages before case examples emerge as guidance, to err on the cautious side of the likely “serious harm” test

In practical terms, agencies will need to act quickly as soon as they become aware of any privacy breach, first to weigh up those factors and decide whether it is a notifiable breach, and if so, immediately report it to the Commissioner’s office.  In other legal contexts, the language of “as soon as practicable” is often interpreted quite strictly. A failure to report in time, without reasonable excuse, may result in a fine of up to NZ$10,000.

Likely impact of obligation to report or publicise the breach

This new obligation may drive a sea-change in how cybercrime is being approached in this country. Firms will have stronger regulatory risk incentives to ramp up their cyber and data protection processes, and also have greatly reduced prospect of avoiding media and public scrutiny upon their data breaches in future.

There may be considerable renewed interest in cybercrime protection insurance cover – the policy terms, exclusions, and how insured parties come to be risk-rated and priced by the insurance sector (according to relative good or bad levels of data protection practice).

Looking at Australia, where a similar notifiable data breach scheme has been in place since February 2018, we can see the kind of impact this obligation has had. In its first year, there were 964 notifications, 34% of which were attributable to human error, 5% to system faults and 60% to malicious or criminal attacks. The scheme has certainly opened public and corporate eyes to the number and types of data breaches taking place, particularly those caused by malicious/criminal attacks.

The Australian government’s recent 2020 statement that its agencies have been coming under cyber-attack from foreign actors is itself a wake-up call to the need for better cyber-protection investment.

Mr Edwards has already shown himself to be the most energetic Commissioner in New Zealand for many years, and it is likely we will see stronger enforcement using all of the new tools at his disposal from December 2020 onwards.

Important implications for overseas-based businesses

In broad terms, it is likely that companies that are already in full compliance with the GDPR need not worry too much about having to make substantial changes to their privacy polices on account of New Zealand’s reformed law.  What will be required is likely to be some localisation and specific tailoring to New Zealand conditions and wording in the new Act.

For businesses not yet up to speed with GDPR compliance, or Australia’s notifiable data breach scheme, a more substantive rewrite of their terms and processes may be necessary.

– Territorial scope of the Act

New Zealand’s Privacy Act applies to any actions taken by an overseas agency in the course of carrying on business in New Zealand. It would apply to all personal information collected or held in the course of conducting New Zealand business and apply regardless of where the information was collected or transferred or stored, and where the person to whom the information relates may be located.

An agency may be treated as carrying on business in New Zealand whether or not it was a commercial operation, has a physical place of business here, charges any monetary payment for goods or services, or makes a profit from its business here.

– Moving data overseas

There is greater protection for individuals under the Act when their data may be moved overseas. Agencies will only be able to disclose personal information to an overseas person if they can satisfy one of the following criteria:

  • the individual concerned authorised the disclosure, after being expressly informed by the agency that the foreign person or entity may not be required to protect the information in a way that provides comparable safeguards to those in the Act;
  • the foreign person or entity is carrying on business in New Zealand, and the agency believes, on reasonable grounds, that the foreigner is subject to the Act;
  • the agency believes on reasonable grounds that the foreign person or entity is subject to privacy laws that, overall, provide comparable safeguards to the New Zealand Act;
  • the agency believes on reasonable grounds that the foreign person or entity participates in a prescribed binding scheme; or is subject to privacy laws of a prescribed country;
  • the agency otherwise believes on reasonable grounds that the foreign person or entity must protect the information in a way that, overall, provides comparable safeguards to the New Zealand Act.

Cloud services or data warehouses are not necessarily covered by the principles relating to overseas disclosure. Instead, the transferring agency would be treated as still holding the information and would be liable for any privacy breaches by its cloud service provider. Accordingly, the transfer of data between the agency and the cloud service provider will also not be considered a disclosure for the purposes of the information privacy principles.

Since liability for secure and compliance data handling still rests with the agencies, they will need to have a close look at how their data is stored and the terms agreed with their outsourced provider (which may often not be amenable to much negotiation).

Thanks to Courtney Rutledge, junior barrister at Akarana Chambers, for help in preparing this article. As always, however, these are my personal opinions/expert commentary, not legal advice, and not indicative of views of any of my clients or instructing parties.

For specific advice on how the Privacy Act reforms may affect your business please get in contact with Gary.

 

Privacy Act reform finally lands – data loss or hacks must be reported from 1st December