Privacy is an evolving area of law as regulators try to keep up with fast-developing technologies, the rapid accumulation of private data and increasingly sophisticated cyber-criminals. It is important to stay on top of these developments. The risk to organisations of getting it wrong can be very high – both when the organisation is a victim and when the organisation fails to maintain expected standards of confidentiality and data integrity.
It’s finally here, the new Privacy Act
The Privacy Act 2020 will come into force on 1 December 2020, repealing and replacing the Privacy Act 1993. Now is the time to prepare for the legislative changes, in particular, the introduction of:
- the mandatory privacy breach reporting regime. Privacy breaches causing, or likely to cause, serious harm will now need to be reported to both the Office of the Privacy Commissioner and to the affected individuals (unless an exception applies), and
- restrictions on transferring personal information overseas. Organisations will be able to send personal information outside New Zealand only where:
  - the foreign recipient is acting solely as the organisation’s agent (for example, as a cloud storage provider), or
  - the information will continue to be protected by security safeguards comparable to those required by New Zealand law, or
  - the individuals concerned have given their consent after being told that their personal information may not be subject to the same protections as under New Zealand law.
The new Act strengthens enforcement by giving the Privacy Commissioner the tools to take a more proactive role including by issuing compliance notices and access directions, and by creating a range of new offences, punishable with fines of up to $10,000.
We recommend all businesses collecting or holding personal data:
- update their policies to build a reporting requirement into data breach processes, and
- review their information flows, including to suppliers who access customer or employee information, to understand whether any information is being sent outside New Zealand.
Please contact any of our team for further information on Privacy Act 2020 compliance.
COVID-19 privacy implications
As COVID-19 continues to affect all aspects of life around the world, governments and businesses are developing different technology solutions to try to help navigate new ways of working and interacting. Two particular developments give rise to privacy concerns:
Verifying "working from home"
With more workers working from home, sales of staff surveillance technologies in New Zealand have risen sharply (by more than 300% at the start of June). These technologies can track the websites workers visit, their log on and log off times and their mouse and keyboard movements. Some can monitor workers’ activities by taking screenshots through the day. The Council of Trade Unions says the use of “low trust surveillance” is a “recipe for resentment”.
Employers who use surveillance need to be open and transparent with their workers. To comply with the Privacy Act, employers must update their policies if the way they collect or use personal information changes, and notify workers before implementing any surveillance technology. Employers also need to be mindful of collecting only the information that is necessary to fulfil the particular purposes for which they have told their workers information will be collected.
While all businesses now must display the NZ COVID Tracer App QR code (see the Alert Level 2 and 3 Order and the Alert Level Requirements Order), businesses are still required to have other record keeping systems and processes in place to keep contact tracing records. We echo the Ministry of Health’s warning that any customer information collected through contact tracing requirements, including through any technology used before the NZ COVID Tracer App was mandatory, can only be used for COVID-19 contact tracing purposes, and in accordance with any terms provided to the customer at the time.
A consumer data right for New Zealand?
The Ministry of Business, Innovation and Employment (MBIE) is asking for feedback on whether and how a consumer data right (CDR) should be introduced in New Zealand. A CDR allows consumers to share information held about them with trusted third parties. These third parties might be product or service providers, such as a bank or utility company, a fintech or other entity which layers services on top of a core product or service provider, or a third party app which makes it easier for consumers to compare products and services by using personalised data inputs.
The idea is that consumer data is shared in a consistent machine-readable format so that it can be used by the receiving party for the consumer’s benefit. Policy reasons to adopt a CDR include that it can provide consumers with greater control over their data and greater data portability. But there are also clear privacy considerations which will need to be mitigated in the design of the CDR.
The two broad options on offer are:
- an Australian style CDR on a sector by sector basis, or
- a European style General Data Protection Regulation (GDPR).
Submissions close on 5 October 2020. See our international section below for an update on the Australian CDR.
Over 20 government agencies – including Inland Revenue, the Department of Internal Affairs (DIA) and the Ministries for Justice, Education and the Environment – have signed up to the Algorithm Charter for Aotearoa, introduced by the Government in July.
The Charter is a world first and sets out commitments for transparency in how public agency decisions are informed by algorithms, including embedding a Te Ao Māori perspective and ensuring privacy, ethics and human rights are protected.
It follows a recommendation in 2018 from the Government Chief Data Steward and Chief Digital Officer.
56% of New Zealanders want more privacy regulation
A survey conducted for the Office of the Privacy Commissioner by UMR has found that 56% of New Zealanders want more privacy regulation. This is down 11 percentage points on the 2018 response to the same question.
The surveys are conducted every second year, allowing privacy trends to be identified.
Lessons from Trade Me
The Privacy Commissioner said the lessons learned from the case were applicable to all businesses and that there could be reputational harm from failing to meet customer privacy expectations.
In 2019 Trade Me decided that an ability given to members in 2015 to opt-out of targeted advertising on Trade Me channels should only apply to third party advertisements. Accordingly, it emailed those members who had exercised the opt-out advising them that in future their personal information would be used to advertise Trade Me services to them.
The Commissioner’s issue was not with the opt-out, which he described as “positive and privacy protective”, but with the confusing way it had been communicated, which had created a backlash – including complaints to both Trade Me and his Office.
He found that Trade Me hadn’t fully met its obligations under the Privacy Act 1993 to take all reasonable steps to ensure its members understood the purpose for which their information was being collected and how their preferences to opt-out of Trade Me marketing would be effected.
Taylor v Corrections – advice from Privacy Commissioner
The Privacy Commissioner has blogged on the implications of the decision in Taylor v Corrections for agencies when deciding whether third party information, particularly about staff, can be treated as information about the requestor in relation to access requests under the Privacy Act.
Among the tests he suggests they apply are whether the information is essentially administrative and whether redaction would render the communication unintelligible.
As the guidance is targeted primarily to the public sector, he also advises that, where the agency is inclined to withhold the personal data of third parties, it should consider the request under the Official Information Act rather than under the Privacy Act.
For context about the case, refer to our May edition of Data Points.
Privacy breaches enforced under the NZX Participant Rules
The recent imposition of an $80,000 fine on ASB Securities Limited for vulnerabilities in its online share trading platform resulting in unauthorised access to 576 client accounts is a reminder that, for listed companies, privacy breaches also fall within the regulatory jurisdiction of the New Zealand Markets Disciplinary Tribunal.
The settlement was agreed between ASB and NZX and approved by the Tribunal. The breaches were to the NZX Participant Rules and the penalty band available to the Tribunal was from $0 to $500,000.
Aggravating factors were that the exposure occurred over an extended period (2004 to 2018) and, in the Tribunal’s view, reflected a “lack of effective processes, systems and procedures in relation to auditing or compliance testing and supervision”.
Mitigating factors were that the breach was unintentional and had been reported immediately by ASB, that the issues had been remediated, that ASB had cooperated with the inquiry, and that there was no evidence of financial loss to the affected clients.
COVID-19 patient information leak
The State Services Commission has asked the Privacy Commissioner to investigate the Ministry of Health's distribution of COVID-19 patients’ personal details to establish whether any action should be taken under the Privacy Act 1993.
Commissioner John Edwards hopes to release his findings and recommendations in September.
The investigation follows an inquiry by former Solicitor-General Michael Heron QC which found that the leak of the information by former National MP Hamish Walker and former National Party President Michelle Boag was “deliberate and politically motivated” and was not “justified or reasonable”.
Commerce Commission response to 2019 security incident
The Commerce Commission has released a report detailing how it responded to last year's theft of confidential information connected to the Commission’s work from one of the Commission’s external service providers.
The report is instructive as it describes the Commission’s response, both immediately after discovery of the incident, and in the months that followed. The Commission also sets out, at a high level, the details of the wider security improvement programme it has initiated, including the voluntary adoption of the Government’s Protective Security Requirements.
NZX under cybersiege?
At the time of this release, NZX has had to temporarily close trading on several consecutive days due to distributed denial of service (DDoS) attacks from overseas. The sustained cyber campaign has called into question the adequacy of NZX’s DDoS protection.
Lion ransomware attack
Lion is among a group of large businesses that have fallen victim to a ransomware attack. In June the trans-Tasman brewer’s IT systems were infected by the extortionist group REvil, which then issued Lion with a US$800,000 ransom demand.
Lion was forced to take its systems offline – which impacted both its manufacturing and supply operations – and to notify stakeholders whose information may have been stolen in the attack.
Universities caught too
Otago and Auckland universities have been caught in an international cyberattack on US technology firm Blackbaud – the world’s largest provider of not-for-profit database management software.
DIA in DRM
The Department of Internal Affairs was in disaster recovery mode after the home addresses of more than 800 marriage celebrants were published on the website data.govt.nz. It has removed the information, emailed everyone affected to apologise and reviewed its procedures.
Law firm robbery useful reminder of need to back-up files
A New Zealand law firm lost vital files when its computers were stolen in a burglary as it had no off-site back-ups, having relied entirely on the security of the building to protect its data.
The experience is a useful reminder of the need to have solid back-up arrangements in place. Government agency CERT NZ has provided detailed guidance on this matter.
Consumer data right rolled out in Australia
The Australian CDR regime, introduced in 2019, provides a cross-sector data portability right in “designated” sectors – so far, banking and energy. Open banking was the first cab off the rank on 1 July 2020, when the Big Four Australian banks launched initial consumer data sets.
The Office of the Australian Information Commissioner (OAIC) says that the CDR supports market competition and innovation by providing a secure and convenient way for consumers to transfer data to an accredited provider of their choice, allowing consumers to access new services or find better deals.
TikTok under a cloud
The New Zealand Parliament cybersecurity team has advised MPs and Parliamentary staffers to delete the Chinese-owned social media app TikTok. The e-mail, leaked to the media, cited “significant privacy and security risks”.
The US Government is considering banning TikTok from the US market for similar reasons. TikTok is also facing a class action in the US over how it treats data collected from its child users. The case will be heard in Illinois under that state’s Biometric Information Privacy Act, which requires technology companies to obtain written consent before collecting data on a person’s identity.
Bloomberg reports that TikTok’s data collection policies are consistent with those used by the US tech giants. The concern is with what TikTok does with the information it collects. Its current terms of service stipulate that it may share information with its parent, subsidiary or other affiliates. Previous versions, however, said it would also exchange information with law enforcement and public agencies if required to do so.
International privacy concerns for Clearview AI
Clearview AI is a research tool to assist law enforcement agencies to locate criminals. Users upload a picture of the perpetrator, and the software searches public sources (such as Facebook) to locate other images in order to ascertain the person’s location. The tool has triggered privacy concerns around the world.
In New Zealand, the Police were criticised for trialling Clearview AI in January this year without informing either the Privacy Commissioner or the incoming Police Commissioner.
The European Data Protection Board has said use of Clearview AI in the EU would “likely not be consistent with the EU data protection regime”. The UK and Australian Information Commissioners have opened a joint investigation into how Clearview AI handles personal information.
Concerns have also been raised by commentators as to the potential for false matches, particularly in relation to ethnic minorities, and for harm if the software is used outside of law enforcement.
China to set individual right to privacy
China is about to legislate for individual rights to privacy and to have personal information protected. The move is seen as an attempt to protect and legitimise the country’s fast-growing internet sector, and to safeguard against the movement overseas of valuable Chinese data.
UK code to protect privacy of children online
The Age Appropriate Design Code, in force from 2 September 2020, is the first of its kind and is designed to help protect the privacy of children while they use internet apps, games or connected toys.
The Code consists of 15 flexible standards and explains how the GDPR applies to children. Among the code’s provisions are that settings should be “high privacy” by default, and that only the minimum amount of personal data should be collected and retained.
The Code applies to any service offered over the internet that is likely to be accessed by children. It applies to online services based in the UK or with an establishment in the UK, and to services outside the UK which offer services to users in the UK or monitor the behaviour of users in the UK, in each case if the service is likely to be accessed by children. There is a 12 month transition period, after which the UK Information Commissioner’s Office (ICO) and the Courts must take the Code into account when assessing compliance with the UK Data Protection Act and the GDPR.
US-EU data flows disrupted as Privacy Shield found wanting
The European Court of Justice has invalidated the Privacy Shield framework that has allowed the flow of personal information from the EU to thousands of participating organisations in the United States.
In Data Protection Commission v Facebook Ireland, Schrems (Schrems II) the Court found that the EU Commission’s adequacy determination for the Privacy Shield was invalid for two reasons:
- US surveillance laws are not limited to what is strictly necessary and proportional as required by EU law (personal data held in the US can be accessed by security agencies for national security reasons, in violation of the rights and protections guaranteed to EU citizens by the GDPR), and
- EU data subjects lack judicial remedies in the US (meaning that the right to redress vouchsafed under the EU Charter cannot be met).
Schrems II has generated a significant amount of uncertainty globally concerning the validity of international data transfers under the GDPR. But personal information can still be transferred out of the EU to jurisdictions with an adequacy decision (such as New Zealand), or if the data importer and exporter have agreed that the transfer will be subject to the EU’s standard contractual clauses.
Australia: ACCC takes another swipe at Google
The Australian Competition and Consumer Commission (ACCC) is prosecuting Google LLC in the Federal Court for an alleged failure to properly inform consumers of, or secure their consent to, changes in how it collects and uses personal information.
Since 2016, Google has been combining personal data from its user accounts with information about the user’s activities on non-Google websites and has used the insights obtained to improve the performance of its targeted advertising business.
These proceedings are separate to the prosecution ACCC started against Google at the end of 2019 relating to the collection of location data.
Netherlands: Class action against Oracle and Salesforce
The Privacy Collective, a consumer advocacy group, has filed a claim in the Netherlands against US companies Oracle and Salesforce alleging that they have been collecting users’ personal data using cookies, and selling it to third parties via real time auctions, without the subject’s consent or knowledge.
The class action represents millions of individual claimants and could deliver up to €10b in fines. Expectations are that a similar legal challenge will be lodged in the UK. Both Oracle and Salesforce deny the claims.
UK: Facial recognition not always unlawful
The English Court of Appeal has ruled that the use of facial recognition technology by enforcement authorities can be lawful under the UK Human Rights Act provided:
- the exercising authority has clear policies on who could be on the watch list and a reasonable basis for believing that a person on that list was in the crowd, and
- reasonable steps had been taken to ensure that the software did not contain a gender or ethnic bias.
The case in question concerned the use by South Wales Police of the NeoFace programme, which was found to be unlawful as neither of the validating criteria identified by the Court had been met.
The finding will be relevant in the New Zealand context as the Department of Internal Affairs has agreed to the use of NeoFace here from the start of 2021.
The UK ICO has fined:
- Decision Technologies Limited (DTL) £90,000 for sending over 15 million direct marketing emails to subscribers between July 2017 and May 2018 without first obtaining “freely given, specific and informed consent”. DTL had relied on a broad, indirect authority provided to a third party, and
- Black Lion Marketing £171,000 for making 240,576 unsolicited direct marketing calls to its subscribers between July 2018 and April 2019 without consent, and using fictitious company names to conceal its identity.
Data Points is a four monthly publication tracking developments in the privacy sphere in New Zealand and internationally.