Privacy is an evolving area of law as regulators try to keep up with fast-developing technologies, the rapid accumulation of private data and increasingly sophisticated cyber-criminals.

It is important to stay on top of these developments. The risk for organisations for getting it wrong can be very high – both when the organisation is a victim and when the organisation fails to maintain expected standards of confidentiality and data integrity.

Legislation and regulation

New Zealand

New Zealand to get a Consumer Data Right

The Consumer Data Right (CDR) will be similar to the GDPR concept of data portability and is expected to allow consumers to require data holders securely share the consumer’s data with third parties.

The CDR will provide consumers with greater access to, and control over, their data and is intended, over time, to give access to a wider range of products and services and to facilitate competition among providers of such products and services in designated sectors.

The CDR will be introduced on a sector by sector basis, similar to the approach adopted in Australia in 2019. The Government expects to introduce CDR legislation in 2022.

Read our commentary and the Government announcement.

Privacy concerns around COVID scanning and physical sign in policy

An open letter led by Dr Andrew Chen, a research fellow at The Centre for Informed Futures in The University of Auckland, and signed by around 120 people, including Michael Baker, Siouxsie Wiles, Shaun Hendy and some heavy hitters from academia and the law, urges the Government to provide stronger legislative protections around contact tracing records.

The letter follows the Government’s 22 August announcement that record keeping would be mandatory and would remain in place for some high risk venues at all alert levels. Dr Chen had expected that the Public Health Order would include clear privacy protections but the only protection it offers is that the records will be deleted after 60 days.

Concerns include that the lack of privacy protections could allow police and government agencies to misuse the information for investigatory or enforcement purposes, private sector agencies to use it for marketing, employers to use it for purposes outside of health and safety, or individuals to use it “coercively” against other individuals.

Minister Hipkins has given an “absolute reassurance” that the data will not be misused and is so far resisting the need for further regulation. And the Office of the Privacy Commissioner (OPC) has issued guidance reminding organisations of their obligations under the Privacy Act to ensure that any personal information is held securely and cannot be accessed by people who do not need to see it.

To learn more, see the letter and OPC guidance.

OPC guidance on handling privacy breaches and complaints

The OPC has issued helpful and practical new guidance across a range of topics, including:

advice for organisations on dealing with privacy breaches, including guidance that it expects to be notified of breaches that reach the “serious harm” threshold within 72 hours of the organisation becoming aware of the breach - with no allowance for weekends or public holidays, and
blog posts on:
- how the OPC has dealt with three organisations which have sustained privacy breaches since the Privacy Act 2020 came into effect
- how the OPC works to settle complaints, providing useful insight on the OPC’s general approach to facilitating settlements and trends in relation to settlement outcomes (including some examples of actual financial settlements), and
- the approach the Human Rights Review Tribunal has taken to date on awarding damages for emotional harm flowing from privacy breaches.

Closer privacy relationship with the UK

The OPC has entered a Memorandum of Understanding (MOU) with the UK Information Commissioner’s Office which commits both parties to promote exchanges to assist each other in the enforcement of privacy laws.

There is also every reason to expect that the relationship may be deepened beyond the MOU with the announcement late last month that John Edwards is the preferred candidate for the role of UK Information Commissioner. The appointment process requires a number of steps by the UK Parliament so may take several weeks.

Read the MOU and OPC statement.

International

German competition authority flexes muscles against tech giants

The Bonn-based Federal Cartel Office (the Office) has initiated an inquiry into whether Google Germany, Google Ireland and parent company Alphabet are exploiting their market dominance to constrain the discretion consumers have over the use of their data.

The Office was given new powers under recent reforms to Germany’s competition laws and has been using them to take on the tech giants, having already opened investigations into Facebook and Amazon over their data practices.

Critics claim that the matters the Office is trying to prosecute on a competition basis would be more appropriately dealt with under the EU’s privacy laws. Restrictions imposed by the Office on Facebook in 2019 led to a protracted court battle and have now been referred to the European Court of Justice for an opinion on whether the Office overreached its jurisdiction.

To learn more, read Reuters article.

UK retains EU adequacy status

The EU has awarded the UK adequacy status under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive on the basis that the UK data protection system continues to be based on the rules which applied before Brexit.

However the EU has put in place a four year “sunset clause” to protect against the possibility that the UK may diverge in future from the EU framework.

Read the EU Commission statement.

Google agrees to play nicely in the sandbox

The online advertising industry is concerned that Google’s plans to remove third party cookies from its Chrome browser will compromise their ability to collect information for personalising ads and would make them ever more reliant on Google’s user databases.

The UK Competition and Markets Authority (CMA) has been engaging with Google on the matter and Google gave the CMA an undertaking that whatever it develops in its Privacy Sandbox project to effect its decision to remove third party cookies from its Chrome browser will not provide it with an unfair advantage.

However the CMA’s investigation concluded that, while the alternative tracking technologies Google was developing through Sandbox would better protect users’ privacy, they would also allow Google to exploit its dominant market position.

There is some scepticism in the industry as to how much these commitments will affect Google’s conduct in practice. The CMA is now consulting on the commitments.

Read the article.

UK Children’s Code fully in force

The Children’s Code developed by the UK Information Commissioner’s Office came into full force on 2 September after a year in transition. It ensures that online services likely to be accessed by children respect a child’s rights and freedoms when using their personal data.

The Code has already been influential with members of the US Senate and Congress calling on US tech and gaming companies to adhere to it on a voluntary basis.

See the ICO statement.

New data protection regime in China

China’s Data Protection Law came into force on 1 September 2021 and will be reinforced by a companion piece of legislation – the Personal Information Protection Law (PIPL) – which was enacted on 21 August and will come into effect on 1 November 2021.

Both are planks in the Chinese Government’s “informisation policy” which President Xi Jinping has characterised as the modern equivalent of industrialisation.

The PIPL is modelled on the GPDR, although with a stronger cybersecurity focus, and aims to regulate personal information processing activities, safeguard the orderly flow of data, and facilitate the reasonable use of private information.

As the regulations and even some infrastructure to support the new regime are still being developed, it is difficult to assess what the impacts will be for businesses dealing with China. But PIPL will require data handlers outside of China that process the personal information of Chinese citizens to establish a dedicated entity or to appoint a representative within China to be responsible for matters relating to their processing operations.

To learn more, read the article.

Decisions and enforcement

New Zealand

DHB wins against RNZ

The Wellington High Court has granted injunctions sought by the Waikato District Health Board (DHB) against Radio New Zealand (RNZ) and “unknown defendants”, finding that there are “serious questions to be decided” in relation to RNZ’s decision to publish illegally obtained information about a child patient of the DHB.

The child’s identity was not revealed but the Court found that it could be easily deduced by persons familiar with the family.

The information at issue was part of the stolen dataset which was posted on the dark web by the hackers responsible for the 18 May cyberattack, and which they supplied to media outlets in an attempt to provide more leverage to their extortion of the DHB.

The Court rejected RNZ’s defence of public interest, saying:

In terms of where the overall justice of the matter lies, there are strong arguments to the effect that it is not in the public interest that the confidentiality of the private, personal and sensitive information in the stolen dataset be breached.

"Equally, there are public policy arguments against permitting unknown defendants to attempt to profit in a way which assists extortionists to inflict maximum pressure on their victim to comply with their ransom demands and/or to intimidate other potential victims by demonstrating to them the willingness of media organisations in particular to utilise stolen confidential data for their own ends."

The Privacy Commissioner has stated that he will consider applying for leave to intervene in support of the DHB in any substantive hearing. He is also considering referring RNZ to the Broadcasting Standards Authority and/or the New Zealand Media Council.

See the decision, the Privacy Commissioner’s statement and our commentary.

Government accuses China of malicious cyber activity in New Zealand

New Zealand has joined with the other Five Eyes nations, NATO, Japan and the EU in strongly condemning malicious cyber activity undertaken here and globally by the Chinese Ministry of State Security through Advanced Persistent Threat 40 (APT40).

The Minister Responsible for the Government Communications Security Bureau (GCSB), Andrew Little, said the GCSB had established the link through “a robust technical attribution process” and that it had separately confirmed that APT40 was responsible for the exploitation of Microsoft Exchange vulnerabilities in New Zealand this year.

GCSB considers that around 30% of serious cyberattacks against New Zealand organisations are State-sponsored.

See the statement.

International

Amazon whacked with record fine for GDPR breach

Amazon has been fined a whacking €746m (NZ$1.2b) by the Luxembourg National Commission for Data Protection for non-compliance with the EU’s GDPR. The fine is more than 15 times larger than the previous record high fine imposed on Google by the French privacy agency.

The decision, which Amazon has said it will appeal, relates to how Amazon shows its customers ‘relevant advertising’, but little detail has been made public. Amazon maintains that no customer data was exposed to any third party.

Under the GDPR, fines can go as high 4% of the recipient company’s annual global sales. The Amazon award, although large, is nowhere near this ceiling. Amazon reported earnings of just under NZ$535b in 2020.

To learn more, see the NZ Herald article and Washington Post article.

Uber found to have interfered with privacy in Australia

The Office of the Australian Information Commissioner (OAIC) has determined that Uber interfered with the privacy of an estimated 1.2 million Australians (Uber customers and drivers) by failing to appropriately protect their personal data following a cyber-attack on US-based Uber Technologies Inc. and Dutch-based Uber B.V. at the end of 2016.

Rather than disclosing the breach to the OAIC, Uber paid the ransom demanded by the attackers, and waited almost a year before conducting a full assessment of the personal details that may have been accessed.

Uber was found to be in breach of the Privacy Act 1988 by “not taking reasonable steps to protect Australians’ personal information from unauthorised access and to destroy or de-identify the data as required”.

The OAIC has ordered Uber to:

prepare, implement and maintain a data retention and destruction policy, information security program, and incident response plan
submit these policies and their implementation to review by an independent expert, with the findings referred to the OAIC, and
make any necessary changes emerging from this process.

See the OAIC's statement.

Data breaches

New Zealand

RBNZ cops first compliance notice under new Privacy Act

The Reserve Bank was issued with a compliance notice from the OPC on 15 September – the first use of this new tool created by the Privacy Act 2020.

The cyberattack experienced by the Bank in December 2020 and reported to the OPC on 9 January, identified a number of weaknesses in the Bank’s systems and processes for protecting personal information.

The compliance notice specifies the steps the Bank must take in order to address those weaknesses and to comply with privacy principle 5, relating to the storage and security of personal information.

The Bank commissioned a report from KPMG on the incident and the OPC’s findings of non-compliance with privacy principle 5 were consistent with that report. The Bank was already working on the issues identified in KPMG’s investigation at the time the compliance notice was issued.

View the compliance notice and RBNZ statement.

Waikato DHB and the nightmare scenario

Waikato DHB was thrown into a nightmare scenario when a ransomware attack on 18 May 2021 crashed its entire computer system.

Clinical services across the DHB’s five hospitals were severely disrupted, the landline was rendered inoperative and there was a real prospect (later substantiated) that patients’ medical files had been hacked.

The crisis is now a case study in how privacy breaches should be managed.

An Incident Response Team was set up to work with cyber security experts, the OPC, and the Police. The DHB also maintained a system of daily updates for the general public.
A leak of patient data with the threat of further release prompted the Government to escalate its response, bringing in the Officials’ Committee for Domestic and External Security Coordination.
The DHB refused to pay, a position supported by both the Government and Police.
The OPC warned the country’s other 19 DHBs to address any security failings identified in the Ministry of Health IT stocktake of 2020.

Health Minister Andrew Little said IT systems across the public health system were “a dog’s breakfast”, which was why $300m had been allocated in the budget to address the issue.

Subsequently on 22 July, HealthAlliance, supplier of IT services to the Auckland, Counties Manukau, Waitemata and Northland DHBs, reported a possible data breach.

See more on the Waikato DHB website, the OPC statement and the Stuff article.

Ransomware attacks up sharply on last year

Ransomware attacks reported to the Government’s Computer Emergency Response Team (Cert NZ) were up 150% in the June quarter. Sharp rises were also recorded for suspicious network traffic (up 125%) and unauthorised access (up 37%).

However the number of incidents in all three categories was still relatively low at 30, nine and 174 respectively.

This compares to 618 for phishing and credential harvesting (by far the most common category of offence) and 390 for scams and fraud (the second most common), although both were slightly down on the March quarter numbers – contributing to an overall quarter-on-quarter fall of 6%.

There is a consensus among the experts that cybercrime is significantly under-reported but the trends evident in the data are consistent with anecdotal evidence and with the Australian experience (see item below).

Read the report.

Small firms new target for ransomware attacks

A ransomware group known as Lockbit 2.0 has claimed responsibility for ransomware attacks on three small to medium sized South Island businesses, and has also been active in Australia.

One of the victims, Phoenix Services co-owner Philip Brown, said they were “up to date with every virus checker you could have and we still got hit”. His advice is to make sure data is adequately backed up.

Ransomware attacks are an increasing risk for businesses in New Zealand, according to an interview Incident Response Solutions founder, Campbell McKenzie, gave to Radio New Zealand.

And the latest Notifiable Data Breaches Report from the OAIC shows a similar experience across the Tasman. Of the 446 notifications received by the OAIC in the first half of this calendar year, 43% were cybersecurity incidents, and 24% of those cybersecurity incidents related to ransomware attacks.

Commissioner Angelene Falk used the announcement to lay out the Office’s expectations of businesses, saying:

We expect entities to have appropriate internal practices, procedures and systems in place to assess and respond to data breaches involving ransomware, including a clear understanding of how and where personal information is stored across their network.

To learn more, view the RNZ article and OAIC statement.

NZ caught up in global ransomware attack

New Zealand was caught up in sophisticated cyberattack on Kaseya, a California-based global software supplier in July, which saw customers using Kaseya’s VSA remote management and monitoring system have their devices encrypted by REvil ransomware.

The attack has been described as “colossal” and forced one victim – a Swedish supermarket chain – to close most of its 800 stores. Kaseya’s software is used by around 40,000 organisations globally, which includes New Zealand based organisations.

Following the attack Kaseya released a tool that users could run to check their VSA server for signs of compromise. CertNZ sent out an advisory encouraging affected organisations to use this tool.

To find out more, see the Stuff article and CertNZ advisory.