It is hard to believe that New Zealand’s Privacy Act became law in 1993 and its foundation principles have not changed since then. Advances in technology over the past 27 years have made accessing, collecting, storing and transferring vast amounts of information as simple as the touch of a button. It is no surprise, therefore, that the existing legislation has struggled to adequately protect privacy rights in this rapidly changing landscape.
On 26 June a new Privacy Act passed its third reading in parliament and it will come into effect on 1 December 2020. During the debate Justice Minister Andrew Little said the bill was intended to “update our privacy laws so they remain fit for purpose in the digital age.”
Further, in a press release announcing the passing of the Act, Minister Little said:
“The protections in the Privacy Bill are vitally important. The key purpose of the reforms is to promote and protect people’s privacy and give them confidence that their personal information is properly safeguarded.”
The risks of large-scale privacy breaches have been well publicised. In 2016 the personal information of over 50 million Facebook users was improperly obtained and used by data-mining company Cambridge Analytica to influence the US presidential elections.
In 2016, hackers stole the personal data of 57 million Uber users, passengers and drivers around the world, including in New Zealand. The information that was taken included names, email addresses and phone numbers.
The massive breach of privacy was kept hidden by Uber for over a year before they finally came clean.
More recently, in June this year, Lion, the company behind some of New Zealand’s classic beers such as Speights and Steinlager, was the subject of a cyber-attack in which hackers stole large amounts of data and held it for ransom.
Although it does not appear that any financial or personal information was involved, Lion alerted the Privacy Commissioner despite having no obligation to do so.
The new legislation is intended to ensure our privacy laws are better able to prevent and deal with situations like these. Some of the changes include greater constraints on information being transferred overseas and imposing an obligation on agencies to notify not only the Privacy Commissioner, but also any affected individuals, where there has been a breach of privacy that is likely to cause serious harm.
The new Act explicitly states that our privacy laws apply to all businesses operating in New Zealand, regardless of whether they have a physical or legal presence here, and imposes a requirement on agencies to ensure that before disclosing any personal information overseas, the overseas entity has similar levels of privacy protection as we do.
Both of these changes are intended to prevent personal information being sent overseas in circumstances where that information may not have the same legal protection as it would in New Zealand.
Importantly, the Act provides the Privacy Commissioner with much stronger enforcement and compliance powers. Any person who obstructs, hinders or resists the Commissioner in the exercise of their powers under the new legislation can be liable for a fine of up to $10,000.
The new Act also creates a new offence where a person destroys any document containing personal information knowing that a request has been made in respect of it.
The overhaul of our privacy laws has been a long time coming: there have been calls to update our privacy legislation for over a decade. In 2011 the Law Commission released a report urging the government to replace the existing legislation. The new Act is largely based on the recommendations of that report.
Privacy Commissioner John Edwards has also been lobbying for reform of our privacy laws since he stepped into the role in 2014. While the Commissioner has welcomed the new legislation, it does not go as far as he would have liked.
The Commissioner pushed for more significant enforcement sanctions to deal with serious breaches of privacy, recommending fines of up to $1 million, to bring our penalties more closely in line with those of Australia and the European Union.
The new laws should better reflect the interconnected, fast-paced and digital age we are in. However, debate is already occurring about whether the new Act is flexible enough to adapt to whatever unknown challenges we may face in future.
Minister Little has foreshadowed that, given the rate of technological change and the continued evolution of privacy standards, there is likely to be a need for ongoing review of privacy laws. Let’s hope the next reforms do not take 27 years to come.