Data Points

09 December 2024

Privacy and data protection is an evolving area of law as regulators try to keep up with fast-developing technologies, the rapid accumulation of data and increasingly sophisticated cyber-criminals.

It is important to stay on top of these developments. The risk for organisations getting it wrong can be very high – both when the organisation is a victim and when the organisation fails to maintain expected standards of confidentiality and data integrity. In this edition of Data Points we summarise the latest New Zealand and international privacy and data protection news.

CONTENTS

New Zealand

Australia

International

New Zealand

Legislation updates

Privacy Amendment Bill

The Justice Committee has recommended to the House that the Privacy Amendment Bill be passed, subject to some refinements.

The Bill introduces a new information privacy principle requiring agencies to notify individuals when the agency collects that individual’s personal information indirectly (that is, from a third-party source). The proposed amendments exempt the following agencies from this obligation:

  • agencies that indirectly collect personal information for the purposes of archiving in the public interest, and
  • the Police when undertaking their employment vetting processes.

The Bill, as reported from the Justice Committee

Consumer data right update

The Consumer and Product Data Bill is now before the Economic Development, Science and Innovation Committee, which is due to report back on 23 January 2025. The Bill seeks to enhance competition and consumer choice by requiring providers to share consumer information at the consumer’s request.

The framework will be applicable across the whole economy but is being introduced on a sectoral basis, beginning with the banking and electricity sectors. The consultation on the banking regulations has closed and consultations opened in September on the electricity sector.

The introduction of a consumer data right raises privacy issues that will need to be factored in before the right is operational because consumer trust (including in relation to privacy protection) will be key to the success of the regime. See Chapman Tripp’s commentary here.

Statutes Amendment Bill

The Statutes Amendment Bill – an omnibus piece of legislation introducing non-controversial changes to a range of statutes – proposes amendments to sections 22, 27, 44, 49, 53, 74, 91, 94, 120 and 121 of the Privacy Act.

Many of these changes are only clarifications of the Act and include:

  • clarifying that access to personal information may be declined where the data is held in a way that it cannot be readily retrieved
  • amending Information Privacy Principle 12, which relates to transfers of information to overseas jurisdictions, to make it clear that information may only be sent to “prescribed countries” subject to any limitations or qualifications imposed by the regulations prescribing that jurisdiction as a safe destination for Privacy Act purposes
  • clarifying that anyone who holds information on behalf of the responsible agency is an agent of that agency for the purposes of the notifiable breach regime (and so only the principal agency has an obligation to notify)
  • extending the Privacy Commissioner’s discretion not to investigate a complaint to include where the Commissioner considers an investigation would be inappropriate.

Submissions closed on 4 December.

The Bill

The enemy within

The Office of the Privacy Commissioner (OPC) has reminded employers that “browsing” – the unauthorised access and misuse of personal information by employees – is one of the most common privacy breaches in New Zealand. The OPC recommends that employers educate all staff on privacy requirements and implement policies and processes to help mitigate this risk.

OPC article

OPC guidance
The OPC has put out Poupou Matatapu: Doing privacy well for consultation. It sets out the Commissioner’s expectations of what good privacy practice looks like and provides practical advice on how this might be achieved. Poupou means pillars or posts and matatapu means privacy.

Other recently issued guidance includes:

Foodstuffs trial

The OPC expects to publish its report on the Foodstuffs North Island facial recognition (FR) trial before the end of this year. Meanwhile, the Police’s newly minted six-page policy on the use of FR technology is playing to mixed reviews, with critics noting that it doesn’t offer the same levels of protection as provided by the EU.

OPC statement: RNZ report

Directors’ Institute guidance on AI

The Directors’ Institute has produced a toolkit for its members on governing privacy in the age of AI. It draws on the panel discussion of the subject at the Institute’s recent leadership conference in Christchurch.

Institute statement

Update on proposed Biometrics Privacy Code

The OPC received 250 submissions in its consultation on the Biometrics Privacy Code, 180 of them from members of the public, the majority of whom expressed disquiet at the use of biometrics in New Zealand. Private sector agencies were worried mostly about compliance costs.

As a result of the feedback, the OPC is reconsidering elements of the Code in its exposure draft, including:

  • the timeframe for agencies to come into compliance with the Code requirements
  • whether the components in the proportionality assessment will work well in practice
  • how notice requirements will work and the benefit they will offer, and
  • whether more exceptions may be necessary to make sure that any rules are targeted to high-risk uses of biometrics, rather than to low-risk beneficial uses.

The relevant documents are available on the OPC website here

OPC continues support for global data scraping campaign

The OPC, in combination with other privacy authorities, has ramped up its expectations of organisations engaged in mass data scraping of personal information within social media platforms. This builds on a joint statement issued last year, as increased use of AI exacerbates the privacy risks.

The latest statement is available here

Privacy risks of congestion charges

An academic paper by Professor Tana Pistorius of the University of Auckland School of Business and Isa Seow, a research fellow at the School of Computer Science, has raised serious privacy issues around congestion parking, which is currently in scope for Auckland City. They argue that a privacy impact assessment is needed before anything is put in place, to ensure that any data collected is limited to what’s strictly necessary for the intended purpose.

Article

Breaches

IRD in hot water

The IRD has apologised to around 268,000 people whose un-hashed personal information was shared with Meta for the purposes of targeted advertising.

The privacy breach was discovered as part of an internal review of the IRD’s data sharing practices. The internal review was undertaken following revelations in September that the IRD had a standard practice of providing “hashed” taxpayer data to social media platforms so that they could better target IRD ads to their desired audience.

RNZ article

Ultimate Care outed for failing to notify

The OPC took the step of naming Ultimate Care Group Limited to provide an example for others of the need to report notifiable privacy breaches promptly.

It took the company two years to tell the OPC that it had lost part of a patient’s medical records despite several opportunities to do so and a specific request from the relevant District Health Board.

OPC statement

Australia

Australian Privacy Act reform

The Privacy and Other Legislation Amendment Bill, tabled in September, will implement 23 of the 116 reform recommendations from the Australian Attorney-General’s 2022 report. The Bill is not the Australian Government’s full response to the review, just a first step, and is less ambitious in scope than some commentators were expecting.

Provisions include:

  • creating a new notification obligation for businesses that use personal information in automated decision-making where the decisions would reasonably be expected to significantly affect the rights and interests of the individual
  • expanded enforcement powers for the regulator
  • making serious invasions of privacy a criminal offence, and
  • introducing a Children's Online Privacy Code.

The Bill and a summary of its contents are available here

High breach rate

The number of breaches notified to the OAIC in the first six months of this year was the highest since the second half of 2020.

OAIC statement

Office of the Australian Information Commissioner clips Bunnings

The OAIC has clipped Bunnings for using facial recognition technology via CCTV to capture the faces of everyone entering their 63 stores in Victoria and New South Wales, “not just high-risk individuals”.

The Office found that the surveillance was disproportionate, that the information had been collected without consent and that Bunnings had failed to take reasonable steps to notify the individuals concerned that their personal information was being collected.

OAIC statement

AI and privacy

The Office of the Australian Information Commissioner (OAIC) has released guidance on how to use AI within the constraints of privacy law. Also of potential interest, although not privacy-related, is the Voluntary AI Safety Standard introduced in September by the Australian Department of Industry, Science and Resources.

International

Countdown started for EU AI Act

The groundbreaking EU AI Act entered into force on 1 August 2024 and will come into general effect on 2 August 2026 for companies developing or deploying AI technologies.

But there is significant work still to be done at the regulatory level, including the development of Codes of Practice and guidelines, and some provisions will be triggered earlier – e.g., the ban on prohibited systems which will apply from 2 February 2025.

A detailed timeline is available here

UK’s Data Use and Access Bill

The newly elected UK Labour Government has published the Data (Use and Access) Bill, reviving the Data Protection and Digital Information Bill introduced by the previous Conservative Government to fill a post-Brexit legislative hole.

Anti-money laundering rules trump GDPR

The Hague District Court has upheld the Bunq B.V. decision finding that a financial entity’s interests protected by anti-money laundering rules may prevail over the EU General Data Protection Regulation (GDPR).

A commentary on the judgment is available here

Hong Kong AI privacy framework

Hong Kong has adopted the Artificial Intelligence: Model Personal Data Protection Framework, a 60-page document and the first of its kind in the Asia-Pacific region.

“Vast surveillance operations”

The US Federal Trade Commission (FTC) has blasted social media and streaming services as “vast surveillance operations”, saying they are collecting and sharing more personal information than most users realise with lax privacy controls and safeguards.

Article

Breaches

Muscle-flexing from the Netherlands

  • Uber has been fined €290m by the Dutch Data Protection Authority for transferring personal driver data to the US without adequate safeguards. Article
  • Clearview AI, an American facial recognition company specialising in the provision of software to law enforcement authorities, has been fined €30,500,000 by the Dutch Supervisory Authority for a range of GDPR breaches.
