Privacy is an evolving area of law as regulators try to keep up with fast-developing technologies, the rapid accumulation of private data and increasingly sophisticated cyber-criminals.
It is important to stay on top of these developments. The risk to organisations of getting it wrong can be very high – both when the organisation is a victim and when the organisation fails to maintain expected standards of confidentiality and data integrity.
In our latest edition of Data Points, we provide an update on the Digital Identity Services Trust Framework Bill and on the Data and Statistics Bill, the latest guidance from the Office of the Privacy Commissioner (OPC), and the OPC’s annual report for 2021 – the first under the new Privacy Act.
We also touch on developments around privacy law in Australia, the EU Digital Services Act – described as “a paradigm shift in tech regulation” by Ben Scott, former tech policy adviser to Hillary Clinton – and the results of two recent global surveys showing that rising cyberattack risk and the need to protect against it are still only dimly understood.
Contents
Legislation and regulation
Decisions and enforcement
Data breaches
Digital Identity Services Trust Framework Bill
The Digital Identity Services Trust Framework Bill, now before Parliament for its second reading, aims to build consistency, confidence and efficiency in the provision of digital identity services.
It will do this through a mix of primary legislation, a set of Trust Framework (TF) rules, and regulations.
Specific measures include:
- an opt-in accreditation scheme that establishes minimum requirements digital identity service providers must meet to handle personal and organisational information and allows those providers to upgrade their systems to comply with TF rules at their own pace. This will likely attract government departments, existing identity service providers, and other private sector organisations that verify identities
- a TF Board to be responsible for undertaking education, publishing guidance and monitoring the effectiveness of the TF. The Board will also have the responsibility of recommending and consulting on draft TF rules, and
- the creation of a TF Authority that will decide applications for accreditation, maintain a register of accredited providers, conduct investigations (following complaints or on its own initiative), and grant remedies for breaches.
The Bill does not override any obligations under the Privacy Act.
Read the Bill as reported back.
Directors no longer required to publish home addresses
The Institute of Directors greeted the Government’s announcement last month that directors would no longer be required to have their home addresses on the Companies Register as a “privacy win”.
The Institute had always had concerns about the policy, considering that it exposed directors and their families to disgruntled shareholders, customers or protest groups and that it increased the risk of industrial espionage and cybercrime as home IT systems tended to be less secure than office ones.
The change is part of a wider package, which will be legislated for this year and will include provisions to tighten the rules around beneficial ownership to make it easier to see who owns and controls a company.
To learn more, read the Minister’s statement.
OPC on biometrics and privacy
The deeply personal nature of biometric information means that any technologies engaging it will inevitably attract the attention of privacy regulators, and a number of jurisdictions have developed specific regulatory frameworks to manage the associated privacy risks.
The New Zealand Office of the Privacy Commissioner (OPC) considers that the privacy principles and the tools in the Privacy Act 2020 are sufficient at this stage to deal with biometric information issues but is continuing to monitor the issue. In October 2021, it outlined its thinking in a 17-page “position paper” which it undertook to review with key stakeholders six months after publication to assess whether any further steps are needed.
On that timeframe, we would expect to see consultation from OPC shortly.
Read the statement, and position paper.
OPC guidance on working with sensitive information
The OPC has produced seven-page guidance for agencies required to collect and/or hold sensitive personal information, this being information about an individual that has some real significance to that individual, is revealing of that individual, or generally relates to matters that the individual might wish to keep private.
Read the guidance.
Police press ‘pause’ on facial recognition technology
The Police have pressed pause on the use of automated facial recognition technology (FRT) until the security, privacy, legal and ethical perspectives are fully understood.
The decision followed a police-commissioned review which found that police did not have social licence or consent to use live FRT, that the use of it might generate opposition to using CCTV feeds in general, and that the impacts of monitoring protests or community events would likely affect Māori disproportionately.
To learn more, see the RNZ report.
Data and Statistics Bill
The Data and Statistics Bill seeks to modernise how data and official statistics are collected, held and published by the government and was reported back on 9 May.
The Bill was intended to be non-controversial but was criticised by the NZ Council for Civil Liberties for having insufficient regard to the principles of the Privacy Act and for giving too much discretion to the Government Statistician.
The OPC had been consulted during the policy development phases and had “an overall comfort” with the Bill’s design but put in a late submission recommending a number of additional safeguards.
The select committee adopted some of these recommendations but decided that others were not necessary. The result is a relatively small number of mainly technical amendments.
View the Bill.
New privacy regime delivering results
The OPC Annual Report for 2021, the first since the Privacy Act 2020 came into force in December 2020, shows a 97% increase in the number of reported breaches compared with the previous six months. More than half of the complaints involved emotional harm and around one third involved risk of identity theft or financial loss.
The higher activity rate will reflect the fact that reporting is now mandatory. But the OPC has also built capacity through an organisational restructure. Key changes include:
- a Strategy and Insights function to support an “intelligence-based approach” to where the OPC should focus its effort
- the appointment of a Principal Adviser Māori, and
- a Compliance and Enforcement team to take the lead on addressing systemic issues that may require the use of the OPC’s new enforcement tools.
Read the 2021 Annual Report.
Latest OPC privacy survey – level of public concern unclear
According to OPC’s latest Privacy Awareness and Engagement survey – a two-yearly snapshot – the three privacy concerns most worrying New Zealanders are:
- businesses sharing their personal information without permission
- data being collected about children online without parental consent, and
- the security of information on the internet.
Each of these issues attracted a 60% “concerned” response. But overall, the results showed that the level of concern about individual privacy and protection has fallen back to the levels experienced in 2001 (about 50%), after surging through the 2010s.
OPC noted, though, that further investigation would be needed before a firm conclusion could be drawn as Internet NZ’s 2021 survey had found “the exact opposite”.
View the survey.
Australian privacy law review
The Australian Federal Government is reviewing the Australian Privacy Act 1988. Review areas include:
- whether the Act effectively protects personal information and provides a practical and proportionate framework for promoting good privacy practices
- whether individuals should have direct rights of action to enforce privacy obligations
- whether a statutory tort for serious invasions of privacy should be introduced into Australian law
- the effectiveness of existing enforcement powers and mechanisms, and
- the desirability and feasibility of an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws.
Submissions on the first consultation round closed on 10 January 2022.
The 230-page submission from the Office of the Australian Information Commissioner (OAIC) supported the establishment of a positive duty on organisations to handle personal information fairly and reasonably, saying this would provide a new baseline for privacy practice that meets community expectations and would help to restore and grow trust.
But, to be effective, it would need to be backed by organisational accountability measures similar to those under the EU General Data Protection Regulation (GDPR), a greater ability to pursue significant privacy risks and systemic non-compliance, and a simplified civil penalty regime.
Chapman Tripp will monitor the progress of the Australian review and any resulting legislation from the perspective of likely relevance to New Zealand.
View the website announcement, and the OAIC submission.
Establishment of Digital Platform Regulators Forum
The Australian Competition and Consumer Commission (ACCC), Australian Communications and Media Authority (ACMA), Office of the Australian Information Commissioner (OAIC) and the Office of eSafety Commissioner have created a digital platform regulators forum.
This forum is intended to increase cooperation and information sharing between digital platform regulators as Australia increasingly looks to regulate against big tech.
View the OAIC statement, and the article.
Companion piece of legislation
A companion reform, being developed in tandem with the review but further advanced and expected to be passed this year, is the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021. Among its provisions are:
- tighter obligations on social media and other online platforms to obtain informed consent
- a binding online privacy code of conduct to be jointly developed by OAIC and industry, which will provide specific protections for children, including a new requirement on social media platforms to take all reasonable steps to verify the age of their users and to obtain parental consent for users under 16, and
- sharply higher maximum penalties (just over AU$0.5m for an individual and up to $10m for a body corporate).
The Bill’s definition of “online platforms”, as now drafted, catches many insurers, banks, superannuation funds and other financial providers, causing concern in these industries about the likely implications for them.
To learn more, read the article.
EU Digital Services Act – “paradigm shift in tech regulation”
The European Parliament and EU Member States agreed in April on a Digital Services Act (DSA) to come into force either 15 months after final sign-off, or on 1 January 2024 – whichever is later.
The DSA contains EU-wide due diligence obligations to apply to all digital services that connect consumers to goods, services, or content. The obligations are calibrated to the size of the organisation.
Companies with more than 10% of the 450 million consumers in the EU will be required to implement procedures for faster removal of illegal content and to provide comprehensive protection for users' fundamental rights online. Non-compliance will attract fines of up to 6% of a company’s global annual revenue. Repeat offenders can be banned from operating in the EU single market.
European Commission President Ursula von der Leyen said the DSA would give practical effect to the principle that what is illegal offline should be illegal online.
Ben Scott, former tech policy adviser to Hillary Clinton, described the changes as “nothing short of a paradigm shift” and “the first major attempt to set rules and standards for algorithmic systems in digital media markets”.
The DSA complements the Digital Markets Act (DMA), also recently agreed, which has more of a competition focus and targets online advertising and messaging services.
To learn more, see the NZ Herald article, and EU statement.
Update on MoH, WOCA stoush
After our commentary was published, WOCA filed new proceedings, this time in the High Court where it scored a second win, and two Ministers – Health Minister Andrew Little and Māori Development Minister Willie Jackson – went public with their frustration at the Ministry’s continuing unwillingness to cooperate fully with WOCA.
Little in particular was quoted as saying:
“I’d rather be dealing with a whole bunch of privacy complaints after the fact if it means that we get our vaccination programme going as we need it to go”.
To learn more, view the OPC case note.
Court guidance on provision of private health data
The judicial challenge against the Ministry of Health’s refusal to supply Whānau Ora Commissioning Agency (WOCA) with the contact details of unvaccinated Māori has led the High Court to provide guidance on the factors agencies should consider when asked to disclose private health data in a pandemic situation.
Read our commentary.
Aviation Security takes on the Privacy Commissioner
Stuff has obtained under the Official Information Act what it describes as “a series of terse letters” between the Office of the Privacy Commissioner (OPC) and Aviation Security (Avsec) about a trial of new facial recognition software at Wellington Airport, begun in February this year and scheduled to run until the end of October.
OPC was concerned that the technology was “potentially intrusive and inaccurate” and that Avsec had “leapt to this solution without first undertaking a thorough examination of the alternatives”. It raised these concerns also with the Civil Aviation Authority.
However, Avsec obtained independent legal advice that the tool did not contravene the Privacy Act. Avsec told Stuff that the image was stored only while the person was in the airport security queue, and was held on a highly secure server before being deleted.
To learn more, see the article.
OPC strengthens engagement in the domestic rental sector
The OPC has launched a new compliance monitoring programme, supported by new guidance for landlords and tenants and an anonymous tip line, following an investigation earlier this year into reports of over-collection, and unauthorised use, of personal information in the sector.
Read the statement.
Google scores knock-out win in iPhone users class action
The UK Supreme Court has delivered a third-round knock-out to Google in a class action brought by Richard Lloyd on behalf of around four million Apple iPhone users in England and Wales whose internet activity Google secretly tracked without consent in late 2011 and early 2012, using the data for commercial purposes.
Google had already paid a civil penalty of US$22.5m in 2012 to settle charges brought by the US Federal Trade Commission and US$17m in 2013 to settle consumer-based actions in the US. And it had already gone two rounds against Lloyd in the UK – winning in the first court only to have that win overturned in the Court of Appeal.
The Supreme Court decision, which was unanimous, will be welcomed by other data controllers as it establishes that:
- damages for loss of control are not available for breach of the Data Protection Act 1988 (this has since been overtaken by the UK General Data Protection Regulation but the relevant provision is similar), and
- even had the claim been able to be brought as a representative action (as in this case), it would still have been necessary to establish the harm to each individual consumer.
To find out more, see the Supreme Court judgment.
Digital advertising and marketing in the EU
The Interactive Advertising Bureau Europe (IAB Europe) has been fined €250,000 by Belgian Data Protection Authority (DPA) for failure to comply with several provisions of the GDPR.
IAB Europe is a federation representing the digital advertising and marketing industry in Europe. The decision may have implications for New Zealand businesses that handle the personal information of, or sell goods and services to, persons living in the EU. For further information or advice, please contact a member of our Privacy Team.
Google, Facebook fined for non-compliance with EU cookies regime
French data protection agency CNIL has fined Google €150m and Facebook €60m for breaching EU regulations by failing to make refusing cookies as easy as accepting them. Refusal requires “several clicks”, acceptance a single click.
The providers have each been given three months to come into compliance. If they don’t meet the deadline, they will have to pay penalties of €100,000 a day.
View CNIL's statement.
ACC appoints independent review on use of client information
The ACC Board and the Treasury have commissioned an independent review following the suspension of 14 staff for inappropriately accessing and using client information.
The Terms of Reference include making recommendations on:
- systems and policies in relation to access and use of client data among ACC staff
- oversight, monitoring and auditing to detect and deter inappropriate behaviours, and
- ongoing staff training.
The review will be conducted over a maximum period of six months, beginning from mid-November.
Read the statement.
Cyberattacks against nationally significant targets on the rise in NZ
The Cyber Threat Report for 2020-21 by the National Cyber Security Centre (NCSC) shows a 15% increase in recorded incidents on the previous year. The NCSC recorded 404 incidents, of which 113 (28%) indicated links to state-sponsored actors, and 110 (27%) were likely to be criminal or financially motivated.
Because the NCSC’s focus is on incidents affecting nationally significant organisations and likely to have a national impact, the total number of attacks will be much larger.
To learn more, view the report.
Still too loose
The results of two recent global studies indicate that rising cyberattack risk and the need to protect against it are still only dimly understood.
Cybersecurity solutions firm Check Point Software found that the number of reported cyberattacks worldwide surged 40% in the year to 30 September, and 40% of respondents to the 2021 Thales Global Cloud Security Study said they had experienced a cloud-based data breach in the past 12 months.
However, only 17% of respondents had encrypted more than half of their cloud-stored data – leaving the remainder an easy opportunity for attackers. And, even among those businesses that did use encryption, 34% left control of the keys with their service providers rather than retaining control themselves.
View the Check Point Software survey article, and the Thales survey article.
Warning to AlphaEx cryptocurrency exchange users
IDCARE, an Australasian support service for victims of identity theft and cybercrime scams, has warned users of AlphaEx to take urgent measures to protect their identity after more than 1000 driver licence, passport, proof of age and ID card images were published.
232 Australians and 24 New Zealanders are affected.
To learn more, see the statement.
Teaching Council apologises unreservedly
The Teaching Council of Aotearoa New Zealand has apologised unreservedly to the “around 43” people affected by an inadvertent data breach involving a spreadsheet of information, some of it sensitive.
The breach, which occurred in December, was due to human error. The Council has since reviewed its processes to prevent a recurrence.
Read the Council's statement.
Speak to our experts
We hope you find our insights within this publication useful. Please get in touch with one of our experts if you would like to discuss any topic in more detail. We offer definitive advice on privacy and data protection regulations, their practical application, pitfalls and enforcement.
Kelly McFadzien, Partner
Nick Letham, Partner
Tim Sherman, Partner