Imagine the writer’s horror, while doing a Google search on an unrelated topic, to have pop up on the screen a list of merchants at which she had used her credit card, their locations and the dates of purchase, going back months. And for good measure, it was accompanied by a map of New Zealand showing where those merchants are located. Mr Google had collected and stored the writer’s personal financial data and was letting her know it had done so. Had the writer consented to this? Probably, but she has no idea when or how. There must be an On–Off button somewhere in Google she didn’t turn off.
The current Privacy Act 1993 doesn’t help, because Google has stored that personal data off-shore in one of those vast (usually underground) data storage monoliths called the Cloud. The Privacy Bill is still working its way through the Parliamentary legislative process but it might help in these circumstances. It has new provisions that are intended to strengthen cross-border data flow protections, and aims to clarify the law applicable to overseas service providers engaged by New Zealand agencies.
The Privacy Bill is long overdue. It repeals and replaces the Privacy Act 1993, as recommended in the Law Commission’s 2011 review of the Privacy Act 1993. Its key purpose is to promote people’s confidence that their personal information is secure and will be treated properly. It has been on the Parliamentary agenda since April 2018. Having completed its second reading in Parliament, it is currently in the Committee of the Whole House, which is considering the Select Committee’s recommendations. The Bill states the new provisions will come into effect on 1 July 2019, with a six-month transition period.
The Bill keeps the principles-based framework of the Privacy Act 1993, while updating the law to reflect the needs of the digital age. Major elements of the current Act will be retained, particularly the 12 Information Privacy Principles.
The key changes are:
- Mandatory reporting of privacy breaches to the Privacy Commissioner if there is a risk of serious harm to the individual as a result of unauthorised or accidental disclosure of personal information. Non-notification will be an offence.
- Co-liability for employers and principals for notifiable privacy breaches caused by employees or agents.
- Strengthened powers for the Privacy Commissioner: shortening the timeframe for compliance with information-gathering requests, issuing enforceable compliance notices requiring an agency to carry out an action or to cease and desist, and increasing penalties for non-compliance.
- Stronger cross-border data flow protection: reasonable steps must be taken by New Zealand agencies to ensure personal information disclosed in other jurisdictions is subject to adequate privacy standards. The Bill aims to clarify the law applicable to overseas service providers engaged by New Zealand agencies.
- New criminal offences, carrying a fine of up to $10,000, for misleading an agency in a way which affects a person’s personal information, or for destroying another person’s personal information after that person has requested access to it.
There are still some significant issues to iron out. The most controversial aspect of the Bill is the uncertainty around mandatory reporting. Reporting is required as soon as possible to the individual concerned and to the Commissioner if the agency suffers a privacy breach and believes there is a risk of causing ‘serious harm’ to the individual. The proposed test for ‘serious harm’ found in section 117 requires consideration of a non-exhaustive list of factors. It includes an assessment of the sensitivity of the personal information, which is very subjective. Many consider the threshold for ‘serious harm’ is too low. The New Zealand Law Society submitted there should be a ‘brighter line’ higher threshold for reportable privacy breaches, in line with the equivalent Australian legislation. Perhaps there will be greater clarity in the Codes of Practice to be issued by the Commissioner?
Because non-notification of a notifiable breach will be a criminal offence, it is likely to result in over-notification to the individual concerned and to the Privacy Commissioner.
News media which are regulated and whose business is carrying out ‘news activities’ and ‘media activities’ are excluded from the definition of agency, so are not covered by the Bill. Arguably, bloggers and tweeters who are not news agencies, and investigative journalists who write books (which are not news activities), would be caught, as would Facebook and other unregulated social media.
An agency remains accountable for information that is stored or processed by another agency on its behalf, as its agent. This includes Cloud providers and information sent overseas for storage or processing on behalf of an agency. However, commentators believe a storing or processing agency that uses or discloses the information for its own purposes should also be held accountable to the affected individual.
So mind the writer’s own business, Mr Google.