Rebecca Sellers & Ken Wallace*
If you’re a New Zealand company with customers in Europe, you must pay attention to this!
Europe’s stringent new data privacy regime, the General Data Protection Regulation (GDPR), received final approval from the European Parliament last month. It replaces the 1995 Data Protection Directive and the inconsistent national laws that implemented it across the EU, and non-compliant organisations risk administrative fines of up to €20 million or 4% of their total worldwide annual turnover, whichever is higher. EU member states may impose additional penalties.
New Zealand companies can be subject to the same penalties as EU companies. They are affected because of the GDPR’s territorial scope. The new regime will impact every entity holding or using European personal data, both inside and outside Europe.
The regulation is a stark reminder of the rigorous penalties globally, including prison time, for data breaches. If your business holds personal data or targets consumers overseas, you are at risk.
New Zealand business is embracing the opportunities the digital economy brings. But if we want to play globally, we must play by the global rules. In this case, businesses must make changes to comply with the GDPR.
What’s in the fine print?
The GDPR applies to companies established outside the EU if they process the personal data of people in the EU in connection with “offering goods or services” to them (whether or not payment is required) or “monitoring” their behaviour within the EU.
The GDPR defines specific breach notification obligations. A personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it; a later notification must be accompanied by the reasons for the delay. The only breaches exempt from notification are those unlikely to result in a risk to individuals, and where a breach is likely to result in a high risk the affected individuals must be told as well.
Such reports must describe the nature of the breach, its likely consequences, and the measures taken or proposed to address and mitigate it. The GDPR codifies a right to erasure, the “right to be forgotten”, allowing individuals to request that their personal data is deleted. Consent is also harder to obtain: where an organisation relies on consent to collect or use personal data, that consent must be given by a statement or a clear affirmative action, so pre-ticked boxes, silence or inactivity will no longer do.
New Zealand currently enjoys favoured status with the European Union. It is one of the few countries whose legal regime the European Commission has formally deemed to provide an “adequate” level of personal data protection. This makes it easier for New Zealand companies to receive and hold the data of EU citizens. With such privilege, however, comes responsibility. Unless companies here make changes in line with Europe’s new, demanding regime, they too could become exposed to liability.
To comply with the GDPR, your business must consider many changes. For example, businesses must assign clear responsibility for privacy, appointing a Data Protection Officer where the regulation requires one (such as for large-scale monitoring of individuals or large-scale processing of sensitive data), and develop formal privacy accountabilities for operations and reporting, including impact assessments for high-risk processing. They must also demonstrate capability to deliver “privacy by design and by default”. This means building privacy up-front into the design specifications and architecture of new systems and processes, and defaulting to collecting only the personal data each purpose actually needs.
Europe is not alone in moving to mandatory breach reporting. Many of the countries where New Zealand companies do business have proposed mandatory breach notification schemes that are likely to be enacted.
These include Australia, Canada and the US Federal Government. In the US, most states already have a mandatory breach reporting regime. California has the stringent threshold of requiring notification following any breach of unencrypted personal information; Australia and Canada both set a more lenient, harm-based threshold, requiring notification only where there are reasonable grounds to believe the breach is likely to result in serious harm to the individuals concerned.
New Zealand’s current regime is not yet as exacting. The Privacy Act 1993 governs data protection in New Zealand, including how agencies collect, use, disclose, store, retain and give access to personal information. For example, agencies must hold personal information securely and disclose it to other entities only in constrained situations. There is no mandatory requirement to report an interference with privacy.
Our lighter (and old) regime could risk our privileged position with the EU. This would significantly impact New Zealand businesses that hold data on EU citizens or target EU citizens as part of their export market.
Our New Zealand regime is ready for reform. Such reform will likely include a two-tier mandatory breach notification. The first tier would require New Zealand companies to notify all material data breaches to the Privacy Commissioner and the second tier would see agencies required to notify the Privacy Commissioner and affected individuals for more serious breaches in which there is a real risk of harm.
Non-notification of breaches would be a criminal offence with a maximum fine of $10,000.
Data protection globally is an important risk to manage. On August 8, 2014, a Shanghai court found a British couple guilty of illegally collecting personal information. They were sentenced to jail terms of at least two years each, as well as fines. China has since increased its penalties: illegally obtaining or selling personal information can now attract up to three years’ imprisonment, rising to between three and seven years in serious cases. Penalties are similarly harsh in a number of other jurisdictions New Zealand does business with. Businesses need to consider the risk of harsh penalties to both individuals and organisations and act accordingly.
Given the severe laws around the world to which New Zealanders can be subject, the proposed new breach notification scheme and the trend towards more demanding data protection requirements and big penalties globally, now is the time for New Zealand businesses to understand their exposure and ensure they have processes in place to protect themselves. The two-year grace period provided by the GDPR, which applies from 25 May 2018, gives organisations the perfect window of opportunity to start playing by the global rules.
* Rebecca Sellers is Financial Services Leader at EY Law, and Ken Wallace is a partner and technology risk leader at EY.