NZ Privacy Bill aims to match European Union’s GDPR

Next week the European Union’s new privacy regulation, the General Data Protection Regulation (GDPR), comes into effect after a two-year transition period. It couldn’t be more timely, after the Facebook-Cambridge Analytica controversy which forced Mark Zuckerberg to front US Congress last month.

The EU isn’t the only territory addressing ever-increasing privacy concerns; New Zealand has a new privacy law on the way too. The Privacy Bill was introduced in March of this year and is currently wending its way through Parliament. Public submissions on the bill close next Thursday, at which point a Select Committee chaired by Minister Andrew Little will decide on the next step.

The Privacy Bill repeals and replaces the twenty-five-year-old Privacy Act 1993. That act was born in a comparatively innocent, pre-Web time – when digital privacy for citizens wasn’t such a concern. The stated purpose of the new Privacy Bill is “to promote people’s confidence that their personal information is secure and will be treated properly.”

I reached out to New Zealand’s Privacy Commissioner, John Edwards, to ask him specifically how the new Privacy Bill will improve on the current act.

He replied that the Privacy Bill will give New Zealand “meaningful enforcement powers, such as an ability to seek fines for serious non-compliance.” The new bill makes it mandatory to notify authorities of a privacy breach, so the new fines could become a regular occurrence in this country.

Edwards also noted that the new bill includes “steps to address the increasing automation of processes that can affect access or entitlement to goods and services” – including the ability to question algorithmic transparency and the right to object to automated decisions.

It’s not just privacy breaches and opaque algorithms we need to worry about. Over the past several years, there’s been an increase in data analytics companies trying to use our personal data for commercial – or worse – means. Just look at what Cambridge Analytica managed to do with Facebook data. There’s also been an increase in cyber crime recently, including numerous global Internet companies getting hacked. The biggest case yet was the Yahoo data breach of 2013-14, which impacted over 3 billion Yahoo users.

Indeed, global technology companies have been put on notice by the European Union’s GDPR. While Facebook is a US company, the GDPR will apply to all companies that process the personal data of people residing in the European Union. The GDPR includes sweeping changes to how companies like Facebook can collect and use personal data. For example, people in the EU will be able to request that Facebook hand over any personal data it has collected about them, plus they can order Facebook to delete such data (the so-called “right to be forgotten”).

Facebook and other large tech companies have to take this seriously, since the EU is threatening to impose penalties of up to 4% of global annual revenue for violations. The EU has proven in the past that it’s willing (and able) to hand down huge sanctions to US technology behemoths. Apple was ordered to cough up €13 billion in taxes to the Irish government in 2016, while more recently the EU fined Google a record €2.4 billion for breaching antitrust law.

Facebook is scrambling to safeguard itself from those types of sanctions. It has published a special webpage promising to comply with the GDPR, and furthermore has said it will make the privacy controls and settings Europe will get under GDPR available to the rest of the world.

What about New Zealand businesses; do they have to comply with the GDPR too? Privacy Commissioner John Edwards thinks it’s not clear-cut.

“Having European customers is not enough to bring a NZ business under the GDPR,” he said. Instead, he thinks EU officials will look for indicators like “a presence in Europe, targeting EU countries with European languages on your website, [and] offering sales in EU currencies.”

Edwards hopes to get more clarity as the GDPR matures. “Remember,” he said, “at this stage only 5 EU countries have compliant laws, so we are hardly going to be a priority for enforcement action.”

Regardless, one action that local businesses can take now is to make sure their compliance with NZ law is sufficient. “That should take you a long way toward compliance with the GDPR,” Edwards told me.

All that said, it’s important to note that our Privacy Bill does not go to the lengths the GDPR does to strengthen individual privacy. The Privacy Bill has no provision for NZ residents to demand that Facebook hand over all of their personal data, for example. Also, while the Privacy Bill includes fines, they are significantly lower than the sanctions the EU can impose. NZ will only be able to demand up to $10,000 for a privacy breach – a far cry from the billions the EU can demand from global companies.

Even if the NZ government hands down a $10,000 penalty to Facebook, how likely is it that Facebook will take any notice? Our tiny population makes us a minor irritant to multinational companies. The European Union, by contrast, has over 500 million inhabitants, so it has significant leverage.

I asked John Edwards if New Zealand should perhaps consider creating a privacy alliance with global partners, much like the Five Eyes cyber security alliance we’re a part of.

“The idea of an international alliance is an interesting one,” Edwards replied. “I think international law is lacking in this space. There has been talk of a Digital Geneva Convention, and there are some treaties and other instruments under discussion. It is inevitable that the international community will have to agree some standards at some stage in this space. If you can do it for intellectual property (a la Berne Convention) why not privacy and data protection?”

Why not, indeed. But until we get such an alliance, it’s good to see the New Zealand government taking proactive action to improve our privacy law.