Warning for NZ companies active in Australia of their need to comply with the Australian Privacy Act

By Eric Frykberg

New Zealand companies trading with Australia are being urged to take care to avoid potentially catastrophic punishments for breaches of privacy.

The Federal Government last December raised the maximum corporate penalty for privacy breaches to $A50 million ($NZ54.16).  Alternatively, the penalty could be three times the value of the benefit gained from a compromised deal, or 30% of a corporation’s adjusted turnover in the relevant   period where the exact cost of a breach cannot be determined by a court.  

This is a huge increase from the previous level and dwarfs the $10,000 maximum penalty that is applicable in most New Zealand cases.

The Australian move followed intense public anger at a cyber attack that exposed personal details of 9.8 million customers of the telco Optus.

The next month, a ransomware attack on the medical insurer Medibank ended with customer data being published on the dark web, some of it personal medical Information.

Then, in March, the finance company Latitude, which operates in Australia and New Zealand, announced a big breach of the privacy of its customers.

At the time of the December law change, the Australian Minister of Cyber Security, Clare O’Neil pledged forceful action against hackers who stole private information from the public. 

“Our message today is that those thugs should watch out,” she told media.

“We are going to hack the hackers.”

The hacker and the hacked in the spotlight

But in fact, the hacked as well as the hacker can face the wrath of the Canberra watchdog, the Office of the Australian Information Commissioner (OAIC).

Soon after the Optus breach, the commissioner, Angelene Falk, announced an investigation to determine whether Optus’s cyber security was good enough.

Then, in February, the OAIC unveiled 116 proposals to further tighten privacy law, which would reduce the burden on individuals to work out if their privacy had been breached and would shift the onus to companies and other large organisations.  

In an explanatory note, the OAIC has stressed that its reach can extend offshore, in part because a lot of cyber material is inherently trans-national.

This view conforms with New Zealand attitudes. New Zealand’s Deputy Privacy Commissioner Liz MacPherson said the Australian authorities changed the law precisely to avoid enforcement complications stemming from extra-territoriality.

“(The change) will help ensure businesses that carry on a business in Australia, while domiciled overseas, are required to comply with Australia’s privacy law,” MacPherson said.

“The Australian Privacy Act will extend to an act or practice outside Australia if the overseas organisation has an ‘Australian link’.  A New Zealand organisation will have an ‘Australian link’ if it ‘carries on business’ in Australia or an external Territory.”

MacPherson explained that a New Zealand company could be deemed to be ‘carrying on business’ if it had an Australian branch, or Australian agents, or if it had a website offering services in Australia, or even if it simply had Australia listed in a drop-down menu.

NZ companies 'need to comply'

A similar warning came from the law firm, Simpson Grierson. In a message to clients, it warned of the impact of the Australian Government’s extension of its extraterritorial powers.

Simpson Grierson said companies carrying on business in Australia would need to comply with the laws even if they did not hold or collect personal information directly from a source In Australia. It added that New Zealand companies could become subject to compliance assessments or requests for information by the OAIC.

“It would be prudent for New Zealand companies to review and assess their privacy policies and practices to ensure they are compliant with the Australian Privacy Act’s requirements,” the Simpson Grierson advice concluded.

That advice was issued in the wake of last December’s changes in Australia. In an update, company lawyers said they had not heard of any companies getting into trouble with Australian law in the intervening months. But they repeated their call for New Zealand companies to be vigilant  and noted the proposed changes of February, which would increase the exposure of small businesses and would broaden the definition of personal information.  

Meanwhile MacPherson has offered a crumb of comfort to New Zealand companies, saying this country also has strict privacy requirements and companies which could prove their compliance here would have some protection against the reach of Australian law.

A similar comment came from Business New Zealand, saying other places besides Australia had strict privacy laws, especially the European Union with its General Data Protection Regulation (GDPR), which New Zealand exporters had to meet.   

“If you are complying with GDPR, because you are exporting into the European Union, you are probably hitting the gold standard, and you are probably well placed to meet the Australian requirements,” said a senior official, Catherine Beard.  

Penalties could be increased

Meanwhile, the New Zealand Privacy Commissioner has made clear he is open to suggestions that penalties here could be increased, though no action will be sought before the next election.

The current maximum $10,000 penalty is sometimes surpassed by a negotiated settlement between two contending parties that can reach $30,000 but still falls far short of Australian levels.

A former occupant of the New Zealand commissioner’s post, John Edwards, once proposed a $1 million penalty but the idea went nowhere.   

However the possibility of a rise in the penalty has been further debated in the aftermath of the Latitude breach.  

Whatever the penalty ends up at in New Zealand, the current privacy commissioner, Michael Webster, said it would apply to negligence by hacked companies as well as to the perpetrators of a hack.

*Also see our Of Interest podcast episode Why it's time for NZ to take cybercrime & cybersecurity much more seriously.