25 Aug 2019
New Zealand is approaching Privacy Bill enforcement with a name and shame approach, rather than implementing significant financial sanctions, to encourage businesses to be proactive rather than risk their reputation. So, in the lead up to 2020, there are several key points for boards and business owners to consider.
Since GDPR came into force in the first half of 2018, there has been an increasing regulatory response to privacy issues as governments seek to protect personal information and clarify how organisations must handle and manage personal information. These changes are being driven in response to the blatant disregard and misuse of personal data by businesses (Cambridge Analytica/Facebook, AggregateIQ/Facebook), and to improve transparency with respect to how organisations manage personal data (Marriott data breach, or closer to home, the Kathmandu data breach).
Thanks to our friends at Minter Ellison Rudd Watts, I got a concise overview of the current state of the upcoming New Zealand Privacy Bill (our new privacy law that will replace the Privacy Act 1993), some insights into privacy across the globe, and also an update on what’s happening with the new Australian anti-encryption laws.
I’d like to share some of the key takeaways and some eye openers for boards, executives and business owners. I have provided some comments and insights along the way, and I hope these will be very helpful for everyone.
The legislation is expected by the end of 2019, and will come into force around March 2020. This is the first update in 25 years. Time to start planning to review and improve your privacy compliance, everyone.
The Privacy Bill will apply to organisations “carrying on” business in New Zealand, whether personal information remains inside or is taken outside of NZ. “Carrying on business” does not require a physical presence in New Zealand and applies regardless of where the personal information is collected. Many countries are following the EU’s lead with GDPR and making their privacy laws extra-territorial, so businesses will need to be aware of privacy regulations for any jurisdiction they “carry on” business in.
The Privacy Bill only provides for financial sanctions of up to $10,000, which is a slap on the wrist with a wet bus ticket. Instead, a name and shame approach will be used as a softer tactic to encourage organisations to comply in order to protect their reputation. It is unclear what sort of impact this would have either within New Zealand or internationally to improve privacy compliance, but this doesn’t have the teeth we are looking for. There is also an “undue hardship” exception to naming and shaming, so any enforcement attempt is contestable. It looks like we are falling well short of the mark. Contrast this with Australia, which recently announced the introduction of penalties of up to $10 million in fines, or 10% of the domestic turnover, for data privacy breaches. The Australian government looks far more serious about protecting personal information.
The Privacy Bill introduces Mandatory Data Breach Notification, which brings us into line with most of our international trading partners. Our current Privacy Act 1993 focusses on “Contain and Evaluate”, whereas the Privacy Bill builds on this to add “Notify and Prevent” requirements. Organisations will have to report data breaches of personal information as soon as practical, regardless of how the breach happened (maybe you got hacked, maybe it was unintentional), and depending on the level of “serious harm” of the breach. “Serious harm” does not have a specific definition, and will require organisations to determine if serious harm has been caused. In this scenario, it is strongly recommended to document the decision making and have a 3rd party validate the assessment, because if the breach is retrospectively discovered and assessed as “serious harm”, naming and shaming will enter into play (along with the slap of the wet bus ticket). There is also an expectation of preventing further breaches. At a governance level, organisations should be taking a proactive business-wide approach to preventing data breaches in the first place.
Just a quick note on the progression of GDPR (General Data Protection Regulation). The EU is continuing to champion privacy rights as tough new privacy laws are coming into force, and the Privacy Bill may well fall short of our adequacy status with the EU (as well as other jurisdictions toughening their privacy regulations). The recommendation is for organisations carrying on business overseas, or holding personal information of people from other jurisdictions, to consider a “gold-plated” privacy policy that meets the GDPR requirements as a catch-all for privacy regulations around the world. From a governance perspective, managing risk through a single privacy compliance policy makes a lot of sense, but will require a stronger commitment from organisations to implement appropriate data management lifecycle processes, and maintain confidentiality of personal information through encryption of data in-transit, records in databases, and other data at rest.
The Australian Telecommunications Assistance and Access Bill 2018 (the “anti-encryption” bill) is a controversial piece of legislation that enables the Australian government to demand access to devices, data and encrypted messages for any data stored in Australia, including cloud providers such as Microsoft Azure and Amazon Web Services (AWS). There are three levels of access request defined in the Act, of increasing levels of intrusiveness that the Australian government can utilise. However, there are some major concerns with the Act, as expressed by many organisations. The Act states that powers can only be used for suspected “serious offences” of any offence that could result in 3 years+ of imprisonment. This provides for wide-ranging potential of abuse for requests of data. In addition, the Act states that the customer of a hosting provider (aka the data owner) must NOT be notified of any request for data (this is an imprisonable offence). Processes within the Australian system are in play to review aspects of the Bill; however, the status quo legislation remains in force. On top of this, the Bill creates multi-jurisdictional uncertainty as there is a clear conflict with respect to GDPR compliance. We are now the meat in the proverbial sandwich. I strongly recommend that anyone with data stored in a hosting provider located in Australia, such as Azure or AWS, implement full disk encryption on any storage, with encryption keys held outside of Australia. Encryption of data to a record level in databases is of course the target we should be striving for.
So in conclusion, privacy regulations are being ramped up globally. New Zealand is approaching Privacy Bill enforcement with a name and shame approach, rather than implementing significant financial sanctions, to encourage businesses to be proactive rather than risk their reputation. So, in the lead up to 2020, there are several key points for boards and business owners to consider.
If you think that planning ahead to see how this practical implementation
Jeff Herbert
Director – Cyber Risk