It has been a busy first few months of the year for privacy, both in respect of the ‘bedding in’ of New Zealand’s new privacy law regime and recent developments abroad that may have an impact on New Zealand businesses, particularly those that deal with customers in the EU. We’ve covered off below some of the key implications of this year’s developments, as well as a glimpse into privacy and tech developments in 2021.
Aotearoa’s new ‘new normal’ – Privacy Act 2020 is here
The 2020 vernacular for privacy enthusiasts wasn’t limited to ‘social distancing’, ‘flattening the curve’, and ‘unprecedented times’: 2020 also saw the long-awaited commencement of the Privacy Act 2020, which introduced terms like ‘notifiable privacy breach’, ‘compliance notice’, and ‘IPP 12’ into the everyday language of New Zealand’s privacy professionals. We’ve published a number of insights about the new Act, including here.
Now the focus has shifted to how the new requirements introduced by the Privacy Act will work in practice, particularly when sending data offshore, dealing with the notifiable privacy breach regime, and understanding when the Privacy Act applies to overseas businesses. Our experience so far is that some aspects of the new regime aren’t quite as straightforward as they may first appear.
Sending data offshore
The Office of the Privacy Commissioner (OPC) has been busy developing resources to help businesses navigate the requirements of new IPP 12, which applies to businesses that send personal information overseas.
In addition to the Privacy Commissioner’s set of model contract clauses designed to help businesses comply with IPP 12 (our thoughts on which you can read about here), this year, the OPC has released new tools and guidance – including its ‘Model Contract Clauses Agreement Builder’ and ‘principle 12 decision tree’.
But it remains the case that demonstrating compliance with IPP 12 won’t necessarily be a ‘tick box’ exercise, nor will relying on the OPC’s model clauses necessarily provide the most efficient or practical route for businesses sending data offshore, particularly when dealing with offshore service providers with established standard terms of their own. We’ve been helping businesses come to grips with the new regime and their best course of action in terms of compliance.
When are you ‘carrying on business in New Zealand’?
The answer isn’t quite as straightforward as you might think. The Privacy Act left open for interpretation the exact scope of what constitutes ‘carrying on business in New Zealand’: a key element when determining whether the Privacy Act applies to an overseas business.
We’ve assisted a number of clients based overseas to get to grips with the extent to which New Zealand privacy law now applies to them, and the OPC’s recently issued guidance (as part of the principle 12 decision tree) provides a useful insight into the regulator’s views on what it might take for an overseas entity to fall subject to NZ privacy law.
Key factors that will be considered by the regulator include:
- Repetitive, systematic or continuing use of personal information in NZ;
- Websites targeted at New Zealanders;
- Activities that take place or are acted upon in NZ;
- New Zealand trade marks and .nz domain names registered by the business.
Our view is that this is not the end of the story: while a helpful steer, the OPC’s factors set out above are not definitive and, in any case, the position remains a grey area at this stage. Our advice to those businesses operating in this grey area is to proceed on the basis that New Zealand privacy law does apply to your conduct – it’s what your NZ customers will expect.
Getting your breaches in a twist
In our 2020 wrap-up of the year in privacy, we predicted that the Privacy Commissioner’s phone would be running hot as businesses get to grips with the new notifiable privacy breach regime. And if our experience in the first couple of months is anything to go by, it looks like that view was more than just crystal-ball gazing.
At the same time, cyber security incidents continue to increase – the most recently published quarterly report from CERT NZ (the government agency tasked with supporting businesses affected by cyber security incidents) shows that reports of cyber security incidents were at an all-time high in the third quarter of 2020, following a spate of DDoS attacks, ransomware attacks, and online scams.
Here are a few top tips for how your business can stay ahead of the curve when it comes to managing your breach risks:
- Get in touch early: In our experience, the OPC continues to provide an educative and supportive role for businesses dealing with privacy breaches, especially for those that get in touch with the OPC early in the piece.
- Make a plan: Don’t wait for the ambulance to teeter off the edge of the cliff – we’ve helped a number of clients create a practical and realistic plan for dealing with breaches so that if a breach does arise, it’s clear what comes next. Making a plan means knowing who to call including who the key players in your crisis management team will be. We can help.
- Whose job is it anyway: We’ve previously touched on how changes to privacy law reinforce the importance of robust arrangements that you have in place with cloud service providers. Part of this process is establishing a clear process for managing a breach – providing clarity as to who is responsible for what and when.
Data isn’t just a hot topic in the land of the long white cloud. Recent developments across international waters could affect Kiwi businesses as well.
Life after Leave – UK adequacy decision
Brexit posed an interesting conundrum for the free-flow of data between the European Economic Area (EEA) and the UK.
Since leaving the EU, the UK has become a ‘third party’ country for the purposes of the European General Data Protection Regulation (GDPR), therefore requiring businesses that transfer data between the EU and the UK to establish that the information in question will be adequately protected, or that another basis for the transfer applies – potentially creating a compliance headache for a significant number of businesses. While the free-flow of data was ensured temporarily by an interim agreement, that agreement was due to expire in June 2021.
So we expect businesses would have been relieved to hear that the European Commission issued a draft ‘adequacy’ decision for the transfer of personal data between the EEA and the UK. If confirmed (and it is an ‘if’ for now), the decision means that the UK is on the ‘white list’ of third party countries outside the EEA to which data may be transferred, on the basis that its laws provide an ‘essentially equivalent level of protection’ to that guaranteed by the GDPR.
But businesses will still be holding their breath. Right now, there’s still a risk that the proposed decision won’t make it past ‘draft’ – the publication of the decision is just the beginning of the process, and the European Commission still needs to adopt the decision (and before making a final decision, take into account the opinion of the European Data Protection Board and request the green light from each of the member states’ representatives).
Closer to home:
- Our own cross-border data transfer regime under IPP 12 contemplates a ‘white list’ by virtue of countries being ‘prescribed’ by regulations. But don’t hold your breath on any decision in that regard – initial regulations are expected to come out in 2022, and the Ministry has indicated that only one or two countries will be prescribed annually.
- Aotearoa is itself due to convince the European Commission that we should retain our status of adequacy (as one of few third party countries currently with the privilege). Those doing business with EU based customers, or who are part of a multinational, should watch this space.
GDPR’s long-arm tested
At the time the GDPR came into force, we pondered just how far the long-arm of European data protection law could stretch.
The UK’s High Court of Justice was recently faced with a similar question, which it addressed in a decision issued in January 2021 dealing with the application of the GDPR to US-based publications with a significant contingent of UK readers. The merits of the case turned on the GDPR’s extraterritorial scope – the British citizen claimant argued that since the US publisher’s website solicited donations in sterling and euro, accepted UK shipping addresses for purchases made through its store, and placed cookies on readers’ devices, the publishers were caught by the GDPR’s territorial scope. But the High Court disagreed – finding that the claimant had failed to establish that the US publishers were either ‘established in the EU’ or ‘offering goods and services to individuals in the EU’.
Coming up next in 2021
While 2020 has taught us that predicting what’s to come over the course of a year can be a fool’s errand, in the world of tech and privacy, we’ll be keeping an eye on the following:
- COVID-19: The global pandemic continues to drive decisions around data, and we don’t see this slowing down, particularly as the world begins to tentatively re-open. Our Big Reset thought leadership piece in April 2020 predicted that supply chain pressures and the rise of the ‘shut-in economy’ would see a focus on technology-based solutions, such as a digital immunity verification card to gain entry into certain premises. The newly proposed COVID-19 passports are now seen by Government as ‘almost inevitable’ within the next year, so an extension of requiring vaccine verification as a condition of entrance to private premises doesn’t seem outside the realm of possibility in the not so distant future.
- Blockchain: Perhaps Fleetwood Mac were onto something when they sang about the chain ‘keeping us together’. While probably not what Stevie Nicks had in mind, the rise and risk of the NFT marketplace – that is, a marketplace for ‘non-fungible tokens’, primarily digital art – demonstrates that blockchain isn’t going anywhere fast. The Privacy Commissioner has previously reflected on whether or not blockchain can ‘revolutionise’ privacy – so we’ll be watching this space to see how the practical issues raised by a system based on the permanency of data will stack up against our 27-year-old privacy principles.
- Enforcement action: While the OPC has indicated that a 3-6 month ‘grace period’ will apply in respect of new obligations imposed on agencies, we’d expect the Privacy Commissioner to be eager to flex his new powers under the Privacy Act in respect of those obligations that businesses have had 27 years to get used to – we’d expect to see compliance notices aimed at ‘raising the bar’ for a particular industry or standard.
- First Privacy Act 2020 decision?: The nitty-gritty of the new privacy law regime may well be subject to further clarification by the judiciary, particularly once the Privacy Commissioner begins to exercise his new compliance powers.
- First prescribed country?: As indicated above, the Ministry of Justice has now begun the process of selecting the first countries to be ‘prescribed’ under IPP 12 – facilitating the free-flow of data. While we likely won’t see a decision this year, we may see an indication about which countries will be up first. Our office sweepstakes have Australia as an early favourite, with the EU also having reasonable odds – if not for a win, then for a strong placing.