Questions are being raised over whether proposed changes to New Zealand’s privacy legislation, which predates the proliferation of the internet, have enough teeth.
Justice Minister Andrew Little on March 20 introduced a bill to Parliament that repeals and replaces the 1993 Privacy Act.
The Privacy Bill proposes that harmful privacy breaches be reported to the Privacy Commissioner. If a company or organisation is found to have failed to do so, it could be fined up to $10,000.
The Bill stops short of empowering the Privacy Commissioner to apply to the High Court for a civil penalty to be imposed in cases of serious breaches, for example a company being negligent in the way it stores customers' data online.
Privacy Commissioner John Edwards has called for penalties of up to $1 million to be imposed in the case of a body corporate, and $100,000 in the case of an individual, for serious breaches.
He notes that while not reporting a breach carries a penalty, actually committing a breach doesn’t, under the Bill.
“The scheme says you can make a complaint and then the onus is on you to work your way through the system and get compensated for that in the Human Rights Tribunal two years later.”
“What we’re saying is that we think that in cases of significant failures to comply with the Act, we should be able to ask the court to apply a financial penalty, in the same way the Commerce Commission, Work Safe, or any number of other regulators can.”
Organisations in breach of the European Union's General Data Protection Regulation, which takes effect on May 25, can be fined up to 4% of annual global turnover or €20 million (whichever is greater).
Lesser breaches, such as failing to notify the supervisory authority of a breach, can attract fines of up to 2% of turnover or €10 million.
Edwards doesn't have a firm view on whether the proposed $10,000 fine for failing to notify the Commissioner here will deter agencies from keeping a breach quiet.
However, EY digital law leader Frith Tweedie says in a LinkedIn post: “While fines in other jurisdictions are still capable of applying to New Zealand business (and will do so increasingly in our globalised economy), our proposed new penalties risk privacy not being prioritised by New Zealand business.
“At worst, unscrupulous businesses may choose to risk a $10,000 fine, rather than face the reputational risks that will come with mandatory data breach notification.”
Edwards maintains there are incentives for companies to act “appropriately” and report breaches to the Commission.
“The example from a lot of cases we have seen overseas is that actually restoring confidence in your brand is the best thing you can do for your business. If you hold off, if you don’t tell them, and it leaks out later, that’s going to have a bigger impact on your bottom line.”
Edwards also makes the point that under the new law he expects the Commissioner will continue to be required to keep secret any information that comes to its attention, except where, in his opinion, disclosure is necessary to give effect to the Act.
This is what Edwards did when he recently talked publicly about Facebook breaching the Privacy Act.
“It’s about promoting compliance, but not necessarily in ways that are outing agencies that are doing the right thing by notifying us.”
Asked whether the Bill goes far enough in explaining exactly what sort of breach is severe enough to require reporting, Edwards says: “Some countries do have a hard, simple, numerical limit, i.e. if it involves over 500 people, you have to notify.
“I’m not very supportive of that. I think that we’ve got to have some clarity by way of guidance…
“I do think we’ve got to do some thinking about how we provide guidance for agencies. What I want to avoid is over-reporting. I don’t want to have something that is so onerous that people just say, whatever happens, tell the Privacy Commissioner.”
Specific guidance to the banking sector?
Edwards doesn't necessarily believe the law should make special provision for sectors where managing a data breach is more sensitive, i.e. the banking sector, where public knowledge of a major breach could prompt people to try to withdraw their money and thus compromise the country's financial stability.
He says: “When you have a law that’s based on general principle, which our law is, and you start carving out specific circumstances, it can actually add complexity. Maybe what we would look at doing is providing specific guidance to the banking sector…
“I don’t think [the risk of disclosure causing harm] should be a basis for not notifying the Privacy Commissioner of a breach. It may be a basis for exercising extra caution in how it’s publicised.”
Bank lobby group the New Zealand Bankers’ Association declined interest.co.nz’s invitation to comment on the Privacy Bill as it hasn’t yet formed a view.