‘Rising regulatory tide’: Privacy Commissioner John Edwards on new legal risks to business
With Kevin Jenkins / 22 June 2020
This article was first published in The New Zealand Herald on 7 June 2020.
Kevin Jenkins talks to Privacy Commissioner John Edwards about global trends in data protection and what the regulatory innovations in New Zealand’s new Privacy Act, due in force later this year, will mean for businesses in this country.
THE REGULATORY TIDE IS RISING
When asked about the key global trends he was seeing, Privacy Commissioner John Edwards didn’t hesitate.
He immediately pointed to recent cases of stern action from data protection regulators as indications of a “rising regulatory tide”.
For example, the UK Information Commissioner (ICO) announced last year that it intends to fine British Airways £180 million (NZ$350 million), after the airline’s “poor security arrangements” had allowed hackers to steal personal data from half a million passengers.
This is the first fine the ICO has handed out under the European General Data Protection Regulation (GDPR), which came into effect in 2018. The fine amounted to 1.5 per cent of the airline’s total global revenue for 2018 — but the GDPR allows for even heavier penalties, up to 4 per cent.
Around the same time last year, the US Federal Trade Commission settled with Facebook on a fine of US$5 billion (NZ$7.68 billion) for its mishandling of users’ data — around 20 times more than any other privacy or data security penalty handed out internationally.
Meanwhile over the Tasman, the Australian Competition and Consumer Commission is taking Google to court over its location tracking, seeking heavy penalties. The breaches will be covered by the new, tougher Australian consumer law penalties in force from 2018, which are around 10 times higher than the old maximums.
NEW PRIVACY LAWS DUE IN 2020
Covering the Australian case, the Sydney Morning Herald headlined that the ACCC “is tracking Google tracking us”.
In this new regulatory climate businesses should start to realise that their handling and use of data is getting a lot of attention from data protection authorities. Edwards explained that the new Privacy Bill currently before our Parliament, due to come into force in 2020, fits with this international trend.
Edwards said, internationally, “there’s a consciousness of the great value of data, but also a consciousness of the impact on society and consumer rights of misusing individuals’ data and failing to protect it.” Our new revamped Privacy Act 2020 addresses that broad concern.
A lot of the new Act will be the same. It will carry over the 12 key privacy principles from the 1993 Act, which cover the full lifecycle of collecting, storing, using and disclosing data, as well as the individual’s right to see and seek corrections to data that’s held about them.
For example, the privacy principles require organisations not to use unreasonably intrusive methods when they’re collecting information, and to tell people why they’re collecting it. They require data holders to take care with it once they’ve got it, including protecting against unauthorised disclosure. These have been bedrock features of our privacy law since the 1990s — they’re now being supplemented with some significant new restrictions, with important implications for New Zealand and overseas businesses.
He summarised some of the innovations in the new legislation.
It will give our Privacy Commissioner stronger compliance and enforcement powers, including the power to issue compliance notices, enforceable by the Human Rights Review Tribunal.
The new laws will also cover the movement of individuals’ information to other countries. For example, any organisation intending to disclose an individual’s data to an overseas entity will now need to get the person’s explicit consent, or carry out due diligence to ensure the information will be suitably protected once overseas.
OWNING UP WHEN SOMETHING GOES WRONG
But perhaps the most important of the new rules, according to Edwards, relate to “mandatory breach notifications”.
If something goes wrong with the information you’re holding — for example, you get hacked — and this causes someone serious harm or probably will do so, then you’ll need to tell the Privacy Commissioner’s office about it. If you don’t, that’s a criminal offence, punishable by a maximum fine of $10,000.
“There won’t be a sanction just because you get something wrong in your handling of the information, but there will be a sanction if you don’t notify my Office that something’s gone wrong,” Edwards said.
An example of how this kind of notification requirement could come into play was the New Year’s Eve ransomware attack on Travelex, the London-based foreign currency exchange business, which had to go back to pens and paper and other analogue processes for two weeks. The company had an obligation under the GDPR to notify the UK Information Commissioner if a data breach posed a risk of harm — and faced a fine potentially on a similar scale to the British Airways case if they didn’t comply.
That obligation would no doubt have been weighing heavily on Travelex’s mind as they tried to assess the impact of the attack. They told the public that no customer data had been compromised. The UK ICO were certainly thinking of this: they reported they had not received any notification from Travelex, but reminded organisations of their obligation to “notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people’s rights and freedoms.”
The ICO emphasised that: “If an organisation decides that a breach doesn’t need to be reported, they should keep their own record of it and be able to explain why it wasn’t reported if necessary.”
Although here in Aotearoa we won’t be seeing fines as large as under the European GDPR, attention from our Privacy Commissioner will certainly be forthcoming. Perhaps worse than any conviction and fine, New Zealand businesses that are sloppy on this front are likely to suffer reputational damage when their failure to comply hits front pages.
The extraterritorial application of New Zealand’s law was a late clarification to the Privacy Bill as it was going through Parliament, and it cuts both ways.
First, in the same way that New Zealand businesses are subject to the new GDPR if they’re operating in Europe, overseas businesses will now be explicitly covered by New Zealand privacy law if they are carrying on business in New Zealand, even if they don’t have a bricks-and-mortar presence here.
Edwards said that’s a very significant development for overseas digital businesses that are built nationally and then scaled out internationally. He drew a comparison with the way our Commerce Commission has called to account the ticket reseller Viagogo under New Zealand’s Fair Trading Act for alleged misleading representations about price and availability of tickets — even though Viagogo, based in Switzerland, has no employees or place of business here.
So, what if the situation is flipped and we’re talking about a digital platform based in New Zealand looking to start trading in Asia for example?
The answer is that under the new Privacy Act New Zealand businesses will have to satisfy themselves, before they send any individual’s data overseas, that the data will be suitably protected.
“So any New Zealand-based platform like Xero or TradeMe that’s accessible internationally and involves data moving across borders increasingly needs to be confident that the personal information will be protected, particularly when partnering with other enterprises,” Edwards explains.
So will that mean New Zealand businesses have to do due diligence over and over again, country by country, as they send data overseas?
“Not if we have some system of ‘white-listing’ or certification schemes — and a number of those are being developed internationally. For example, the other country may have data protection regulations that my office here in New Zealand has assessed as providing similar protection to our own privacy laws.”
BARN DOORS AND BOLTING HORSES
There is perhaps an argument to be made that it was already too late for individuals, or us as a society, to maintain protection for our personal information. Is it fair to say the the horse already bolted?
“I don’t think it has — and I don’t think I’m being over-optimistic about this,” Edwards counters.
He said that New Zealand data protection law, even under the existing 1993 privacy law, has some significant protections, ones that could potentially be used more extensively by consumers to hold businesses to account — for example, for businesses’ questionable use of things like social media data to make decisions about people’s access to services, such as health insurance.
“Years ago, in the early days of social media, a Canadian health insurance company cancelled a women’s insurance because a Facebook page showed her out at a party looking happy, when her insurance payments depended on her being in a depressive state that made her incapable of work. It was just one snapshot — and of course the woman was just doing what her doctors had been telling her to do, to get out and socialise.”
Edwards explained that under New Zealand’s current privacy principles an organisation that uses information it holds about an individual has to first ensure the information is accurate, up to date, complete, relevant and not misleading. He said that the Canadian company’s decision would therefore have been indefensible in New Zealand: “The woman would have been able to say that this company made a decision based on inadequate information taken out of context, and the decision had affected her detrimentally. So she would get a remedy under our Privacy Act for that.”
Edwards placed that important obligation to check the accuracy of information in the context of the development of AI and algorithmic decision-making.
“Just because some vendor comes along and offers you some apparently fabulous AI tool, you’ve still got to question the inputs, look at where and how the data was trained, and make sure you’ll be able to explain to people how they’ve been targeted or what the basis for a decision was. So use the tools if they help your business — but ensure you’ve got some failsafe check that prevents you getting into trouble and being liable for some flaw in the algorithm.”
HANDLING THE COMPLIANCE BURDEN
So it’s clear that the compliance requirements on New Zealand businesses will be increasing. But how are small operators supposed to handle the compliance burden?
“I think I have a responsibility as a regulator to ensure that the burden is reduced for small businesses and organisations — superettes or cricket clubs or whatever,” says Edwards.
“My office can deliver the information and guidance they need to comply. All they need to do is have some curiosity and the desire to do the right thing and we’ll provide them with the tools.”
Edwards pointed to a range of tools on the OPC website — for example, guidance on how to develop a basic privacy statement, or guidance for mum and dad landlords on how to ensure they’re not collecting too much information from the tenants of their investment property. The website has FAQs on day-to-day issues, e-learning training modules, and other toolkits
He said that organisations should look at the tools on the OPC’s website before shelling out large amounts of money for compliance services provided by private suppliers.
They also have resources for larger organisations that still may not have a lot of money to spend on privacy compliance — for example the Privacy Impact Assessment toolkit on their website. This is more comprehensive than most small businesses would need, but gives a good framework for larger organisations to make decisions and set up processes.
So the Privacy Commission is not just a guy with a big stick — it’s also an advisory service?
“Yes, that’s right — most of our resources are allocated to helping people meet their obligations. And most people do want to meet them. We just try to make it as easy as possible.”
Edwards said that of course his office also needs to allocate resources at the other end of the scale too:
“Some industries, because of the nature and size of their data holdings, are capable of causing great harm if left unchecked, and we need to keep an eye on them and make sure they’re complying with the law.”
He gave the example of credit reporting firms.
“We have these enormous aggregations of credit data in New Zealand — which of course present a big benefit for the wider economy, as they provide good information for credit decisions. But equally, my office has to make sure those reporters aren’t misusing the data and are complying with the rules I oversee to avoid negative impacts on individuals and society.”
Disclosure: Jenkins has been assisting the Office of the Privacy Commissioner prepare for the new legislation.
About the author
Kevin has undertaken a wide range of assignments in the science and innovation, economic development, and tertiary education sectors — for example, work on the establishment of Callaghan Innovation (New Zealand’s advanced technology institute). He has worked a lot in the justice sector, including leading a major programme targeted at leveling off the increase in the prison muster, and another at ensuring that the cost of the sector is stabilised.
Kevin is a regular contributor to the New Zealand Herald.