Privacy Act 2020: One Small Step for New Zealand, but No Giant Leaps in Sight
By Max Pendleton
Law is a continual balance between rights of the individual and the needs of the community. In the field of privacy, your right to keep your personal information is weighed against the right other people have to that information; a careful pendulum of increasingly high stakes.[2] In New Zealand, our privacy law pertaining to personal information is contained in the 1993 Privacy Act. Ever since its first review in 1998 however, reports were being made that a more substantially updated act would need to come into force.[3] In 1993, the World Wide Web was in its infancy, and its potential for change was unforeseeable.
Today, amid memes and cat videos, the Privacy Act 2020 is being passed into law, amending and repealing its 1993 sibling.
The Privacy Act 1993
The Privacy Act is concerned with regulating the use and dissemination of personal information; unique signifiers that can be traced back to an identifiable person, such as people’s names, contact details, financial health, purchase records.[4] To this end, the Privacy Act establishes two key features: the Privacy Commissioner and the associated Office, and the Information Privacy Principles (IPPs). The Privacy Commissioner is charged with carrying out a list of functions laid out in section 13 of the Privacy Act 1993. Briefly put, the Commissioner as a public body makes public statements on matters affecting privacy, investigates potential breaches of privacy, and leads studies into best practice.[5] The Commissioner is also the source of the Codes of Practice: delegated legislation which contain specific privacy rules for certain groups or sectors, such as health information.[6]
The IPPs contain the fundamental rules for how personal information is regulated in New Zealand. In the 1993 Act there are 12 IPPs and its 2020 counterpart has 13. Whenever personal information is collected or used by anyone—be it company, government, or even individual—the principles lay out what rights and obligations are involved. You can find out all about the privacy principles here, helpfully listed and explained on the Privacy Commissioner’s website.
2020 Changes
The 1993 Privacy Act was designed to be ‘technology-neutral’ in hopes it would not need substantial reform in future.[7] Given that the new Act only came along this year and is so similar to its predecessor, it arguably succeeded.
In short, the 2020 Privacy Act is a response to the Internet. Instantaneous communication has broken down many distance-related barriers. Individuals can coordinate across the globe, and businesses like Netflix and Amazon can make use of the new opportunity. For governments however, it meant their citizens being exposed to a number of unprecedented interactions that could not have even been conceived of at the time of their laws’ drafting. The 2020 Act starts there.
A new IPP was introduced with the Act.[8] Under it, information cannot be disclosed overseas unless there are safeguards comparable to New Zealand law. This can be established via contract or by the local laws of the recipient nation. Previously, there was no explicit rule that said the Privacy Act applied to overseas businesses and organisations even if they conduct their business in New Zealand. E-commerce has a history of being problematic when it comes to jurisdiction due to how these businesses inherently extend beyond the limits of a single nation’s sovereignty.[9] It’s always been a bit awkward when an international service provider, like Google or Lime, operated in New Zealand.
A well-received change was the creation of a privacy breach notification regime. This requires agencies to notify the Commissioner when a privacy breach occurs that has or is likely to cause serious harm. A privacy breach is the unauthorised or accidental disclosure, alteration, or destruction of personal information,[10] such as the recent email mix-ups at Immigration NZ.[11] Previously, agencies were merely encouraged to do so.
The Commissioner also has a new power to issue compliance notices. These are used to force agencies to comply with the Act by requiring them to do something, or stop doing something.[12] The Human Rights Review Tribunal can then enforce those notices, with the right to appeal, bringing the powers of the New Zealand court system to bear.[13]
Lastly, the maximum fine that applies to an agency that breaches an IPP has been raised from $2,000 to $10,000.[14]
The Privacy Act 2020 in the International Context
Data Breach Regime
Australia has similar provisions to New Zealand. Their main Federal statute, the Privacy Act 1988, has a list of principles known as Australian Privacy Principles, which apply to private sector entities with a turnover of at least AU$3 million, as well as government agencies.[15] New Zealand’s privacy regime has no limiting provision such as this, applying to everyone from individuals to businesses of every size. Like New Zealand, the Australian Privacy Commissioner has full power to conduct investigations and enforce the Privacy Act.
With the Privacy Act 2020, New Zealand’s requirement to notify upon a breach brings it into line with Australian standards. Australia has similar provisions under its Notifiable Data Breach scheme, wherein affected individuals must be notified, as well as the Office of the Australian Information Commissioner.[16]
A step up from New Zealand and Australia is the European Union. The General Data Protection Regulation (the ‘GDPR’) is famously one of the most robust privacy framework in existence today.[17] In terms of scope, the GDPR is a halfway point between the New Zealand and Australian approach, applying to all organisations operating within the EU, but not to certain law enforcement or national security measures, as well as individuals carrying out personal activities.[18]
As the GDPR is a regulation of the European Union, it applies Union-wide.[19] This means that it goes into forces as law in all member states to the European Union without domestic implementation. This makes it very useful in cross-border scenarios like e-commerce outlined before. A single standard for privacy means that there is no need for businesses and individuals to continually check if they are compliant with a multitude of countries’ laws.
On top of this, the GDPR has extra-territorial effect. Similar to New Zealand’s principle on disclosure outside our borders, an organisation is still bound by the GDPR when the organisation processes personal data of European Union ‘data subjects’. This applies so long as it is related to the ‘offering of goods and services’, though payment isn’t required.[20]
Fines
While New Zealand has generally kept pace, fines given out for a breach of privacy fall far below that of other countries. As aforementioned, the 2020 Privacy Act increases the maximum for fines to $10,000. This falls vastly short of Australia’s AU$10 million cap. While that particular maximum only applies to body corporates, individuals can still be fined up to AU$500,000.[21] This is dwarfed however, by the GDPR’s astounding €20,000,000 maximum (or up to to 4% of the total worldwide annual turnover for the proceeding financial year, whichever is highest).[22] That 4% annual turnover is no small provision, as Marriott International found when it was fined £99,200,396.[23]
It makes one wonder why New Zealand treats the personal data of its citizens so cheaply.
The right that’s been forgotten
One of the GDPR’s most standout features that hasn’t been mentioned yet is the ‘right to be forgotten’. Widely upheld by academics as one of the most innovative rights to be created in response to the digital challenges of our age,[24] the right to be forgotten grants the right to individuals to request personal information pertaining to them be deleted. In other words, no matter who owns your personal information, at the end of the day you still reserve the right to destroy it.
It was first established in the Costeja case, where the Court of Justice of the European Union ruled that it was an intrinsic human right.[25][MP1] Writing for the Equal Justice Project in 2016, Pooja Upadhyay considered the right to be forgotten as it emerged in the European Union, and whether it may be suitable in New Zealand.[26] It was considered that in the Human Rights Review Tribunal in Hammond v Credit Union Baywide bore in mind the right to be forgotten when making their ruling, demonstrating New Zealand court’s awareness of the emerging right.[27] It was concluded there needed to be more time to decide whether the right to be forgotten would suit New Zealand’s legislative climate.
Privacy is not private
Privacy as a concept is under assault. While most of us are relatively safe within our Western democracies, the dangers that George Orwell wrote about in 1984 have never been more present and active as they are today. Never have the tools to privacy’s deconstruction been more readily available. Social media has become something of a buzzword of negativity, dogmatically employed to bemoan the cultural and social evolution occurring. But it is not without merit.
The Cambridge Analytica scandal—while troubling in its own right—was a foreboding harbinger to the dangers technology poses to our slow-reacting legal systems.[28] And it demonstrated what everyone has known for a very long time: social media isn’t on our side. By some valuations, every Facebook user is worth $200, yet the users themselves never see a cent.[29] From a consumer point of view, Facebook is a social network to keep up to date with friends, family, and events. From a business perspective, Facebook is a farm, and the crops are the data of its 2.7 billion users. Rachel Simpson, writing for the Equal Justice Project, writes a lack of regulation and policing makes Facebook a digital frontier likened to the Wild West—where regulation in its infancy leads to an unhospitable environment.[30] Governments and companies have every incentive to disrupt privacy rights, and only the impartiality of the rule of law can successfully defend them.
Shoshana Zuboff, author of ‘The Age of Surveillance Capitalism’, is one of the biggest names to weigh in on the matter. Surveillance capitalists, she writes, exploit the widening inequity of knowledge for the sake of profits. She writes:[31]
“Privacy is public—it is a collective good that is logically and morally inseparable from the values of human autonomy and self-determination upon which privacy depends and without which a democratic society is unimaginable.”
Conclusion
Covid-19 has made the world embrace some uncomfortable changes. Privacy is becoming an increasingly rare commodity in the digital age of the 21st century, and tracing the pandemic has required us to give up some very important rights in order to fight the disease. With the rise of surveillance states and a lack of social media regulations, people are have become ever more conscious of how their words and actions are being recorded and disseminated.
One step at a time, laws are catching up. Without the legal harmony of an overarching body like the European Union, some countries will get different laws faster than others. That is fine, and even to be welcomed. With the diversity of law in the international arena, we are able to draw from many different, ongoing experiments in how we can regulate the law. After spending such a long time in updating its privacy framework, New Zealand could have done better when looking at other jurisdictions, particularly with the need for much higher fees, and maybe the right to be forgotten. It could have also done worse. The Privacy Act 2020 is a substantial enough reform to keep New Zealand passably current in regard to the protection of personal data, but for the fight against surveillance capitalism, more will be needed.
The views expressed in the posts and comments of this blog do not necessarily reflect those of the Equal Justice Project. They should be understood as the personal opinions of the author. No information on this blog will be understood as official. The Equal Justice Project makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The Equal Justice Project will not be liable for any errors or omissions in this information nor for the availability of this information.
Featured image source: Richard Patterson on flickr
[1] David Streitfeld “European Court Lets Users Erase Records on Web” The New York Times (online ed, New York, 13 May 2014).
[2] Karen Curtis, Privacy Commissioner of Australia “Good privacy is good business” (New Zealand Privacy Issues Forum, New Zealand, Te Papa, Wellington, 30 March 2006) at 3.
[3] Office of the Privacy Commissioner Necessary and Desirable: Privacy Act 1993 Review (July 1998) at 8.
[4] Office of the Privacy Commissioner “What is Personal Information?” <https://privacy.org.nz/news-and-publications/guidance-resources/using-the-cloud/what-is-personal-information/>.
[5] Office of the Privacy Commissioner “What we do” <https://www.privacy.org.nz/about-us/what-we-do/>.
[6] Privacy Act 1993, s 46.
[7] Privacy Commissioner, “Privacy Act turns 25” (media release, 19 February 2018).
[8] Privacy Act 1993, s 6.
[9] Usman Ahmed and Brian Bieron, “Regulating E-commerce through International Policy: Understanding the International Trade Law Issues of E-commerce” (2012) 46 KLI 545 at 545.
[10] Privacy Act 2020, s 112(1)(a).
[11] “Privacy breaches at Immigration NZ: 'We open up our whole lives to them'” Radio New Zealand (online ed, Wellington, 6 August 2014).
[12] Privacy Act 2020, s 123(1).
[13] Sections 97, 98.
[14] Section 133(3).
[15] Privacy Act 1988 (Cth), s 6D(1).
[16] Office of the Australian Information Commissioner “When to report a data breach” <https://www.oaic.gov.au/privacy/notifiable-data-breaches/when-to-report-a-data-breach/>.
[17] Arielle Pardes “What Is GDPR and Why Should You Care?” Wired (online ed, California, 24 May 2010).
[18] Art 3(1).
[19] European Commission “Applying EU Law” < https://ec.europa.eu/info/law/law-making-process/applying-eu-law_en>.
[20] Art 2.
[21] Competition and Consumer Act 2010 s 56EV.
[22] Art 83(5).
[23] Information Commissioner’s Office “Statement: Intention to fine Marriott International, Inc more than £99 million under GDPR for data breach” (9 July 2019) <https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/statement-intention-to-fine-marriott-international-inc-more-than-99-million-under-gdpr-for-data-breach/>.
[24] Meg Jones Ctrl + Z: The Right to be Forgotten (NYU Press, New York, 29 March 2016).
[25] Case C-131/12 Google Spain v AEPD and Mario Costeja González [2014] OJ 4 (CJEU).
[26] Pooja Upadhyay “Cross-Examination: Data Deaths and a Funeral – The Right to be Forgotten” (5 April 2016) Equal Justice Project <https://www.equaljusticeproject.co.nz/articles/2016/04/cross-examination-data-deaths-and-a-funeral-the-right-to-be-forgotten>.
[27] Hammond v Credit Union Baywide (In-Court Media Application) [2014] NZHRRT 56 at [7.5].
[28] Julia Wong “The Cambridge Analytica scandal changed the world – but it didn’t change Facebook” The Guardian (online ed, London, 18 March 2019).
[29] Sara Fischer “How much revenue Instagram makes per American user” Axios (online ed, 2 July 2019).
[30] Rachel Simpson “Social media as the new wild west: How can we curb lawlessness on Facebook?” (28 July 2020) Equal Justice Project <https://www.equaljusticeproject.co.nz/articles/social-media-as-the-new-wild-west-how-can-we-curb-lawlessness-on-facebook2020>.
[31] Shoshana Zuboff “You Are Now Remotely Controlled” The New York Times (online ed, New York, 24 January 2020).