Privacy Bill vs GDPR

With this being Privacy Week in New Zealand, there being a New Zealand Privacy Bill in train, and being only a couple of weeks away from 25 May 2018, on which the General Data Protection Regulation (GDPR) comes into force in the European Union, here are some high level thoughts on what we might want to discuss when looking at our Bill.

My personal view (which may well be different from that of some of my clients) is that we may as well bite the bullet and bring ourselves into closer alignment with the GDPR. I say that for three main reasons:

  1. The European Commission formally decided some years ago that New Zealand has "an adequate level of protection" and therefore that no special measures are required of EU businesses before they transfer personal data from the EU to New Zealand. Adequacy recognition will now be a real advantage under GDPR. Without it, there is a whole chapter of GDPR that has various quite complicated processes that must be adhered to before personal data can be transferred out of the EU. Because of this, we are already seeing countries such as Japan working hard to obtain adequacy recognition. The UK is already moving to match its law with that of the EU post Brexit. To obtain such recognition however, the Commission will want the country in question to match the protections delivered by the GDPR. As a result, and more generally to align global laws, GDPR like rules will gradually be implemented by more and more countries. They will become the default global standard in my view.
  2. New Zealand's adequacy recognition will remain in place when GDPR goes live. However, it will be reviewed by the Commission within the next few years. At that stage we can expect the Commission to require New Zealand to make changes to bring our Act into closer alignment with the GDPR, or lose adequacy recognition. That would be a significant disadvantage for New Zealand businesses who have EU customers or who process EU citizens' personal data in New Zealand.
  3. Privacy and technology have moved on since the NZ Law Commission's work on which the current Bill is based. The GDPR reflects a new recognition of the importance of privacy and individual control of personal data. New Zealand can be proud of its work in 1993 to implement a principles based privacy regime. We do not want to fall behind now.

With submissions due on the Privacy Bill by 24 May 2018, at a high level, here are some of the provisions of the GDPR we might look to discuss:

  • More explicit consent to collection and processing of personal data - at present, consent can be buried in terms of use that no-one except privacy nerds like me reads. That won't be sufficient under GDPR, particularly for sensitive personal data revealing things like race, ethnicity, political or religious beliefs, sexual orientation or biometrics, or for children's personal data.
  • Privacy by design and information governance - anyone who processes (i.e. collects or uses, to paraphrase the definition of "processing") personal data will have to be able to demonstrate that they carefully considered and documented privacy issues when they designed their systems, and continuously document how personal data is used and protected. Processing that is likely to present a high risk to individuals (for example, a new system handling data where a breach could have serious consequences) requires a data protection impact assessment first, and where that assessment shows a high risk that cannot be mitigated, the regulator must be consulted before processing begins (similar to what is required of telcos in New Zealand under TICSA for major security changes). There is a real focus here on being specific about the purpose for which personal data is processed and confining processing to that which is absolutely necessary for the purpose. The days of collecting information just because it might be useful for some unknown "big data" play in the future are gone under GDPR (and the risks of doing so in terms of data breach are too great anyway).
  • The right of erasure ("right to be forgotten") - The right to have your personal data deleted by anyone who holds it (with some exceptions). You could argue that we already have something akin to this, and the recent case where Google was forced to delete historical information in the UK would support this view. In New Zealand however, a recent case went the opposite way (albeit that privacy was not really argued). Given the global nature of data storage and transmission, close alignment here would be very useful.
  • Data portability - the right to have your data made available in a common format so that you can transfer it to another provider.
  • Breach notification - my reading of the New Zealand Bill is that we are going to be stricter than the EU here, so that a lower level of data breach would have to be reported to the individuals affected. On the other hand, no guidance is given on how quickly breaches must be reported to the regulator, whereas the GDPR requires notification to the supervisory authority within 72 hours of the organisation becoming aware of the breach, where feasible. There will be different views on this, but for businesses operating globally, having different data breach reporting processes and standards is confusing and unhelpful.
  • Individual right of action - under the GDPR an individual (or, presumably, individuals in a class action) can take their own court action in respect of a breach. That is in addition to their right to complain to the supervisory authority in their jurisdiction (equivalent to the Privacy Commissioner here). For serious breaches, that may be a useful additional lever.
  • Fines - Combine the individual right of action with the substantial fines available under the GDPR (up to the greater of EUR 20 million or 4% of worldwide annual turnover for the most serious infringements) and privacy becomes a serious issue that will be high on any board's risk register, alongside health and safety.

There are many more technical differences between the GDPR and our new Privacy Bill. However, the above are some of the main ones that I think we need to look at if we are going to align ourselves more closely with what, in my view, will become the default international standard.
