By Melt Strydom
Days before a new privacy law takes effect in New Zealand, stark differences remained between advocates praising its stronger privacy protections and opponents deriding it as a “toothless tiger” because of its seemingly small fines compared with regulations in other countries.
“Even the best of laws, including the new European regulation, will have the same problem, but our law remains fit for purpose — as it is principles-based and is one-size-fits-all, covering all sectors,” Gehan Gunasekara, chairman of the New Zealand Privacy Foundation (NZPF), said of the New Zealand Privacy Act of 2020.
But Nick Valentine, a partner at the DLA Piper New Zealand law firm, told Digital Privacy News: “The decision not to broaden data-subject rights, and the obvious lack of real enforcement power in the form of meaningful fines, means we are left with a ‘toothless tiger’ of an act, which is out of kilter with global best practice.”
Approved in June by a unanimous vote of the House of Representatives in the 120-member New Zealand Parliament, the new privacy law takes effect Tuesday.
It repeals 27-year-old restrictions and requires companies to report significant data breaches to the Office of the Privacy Commissioner and to individuals affected by the breach.
Companies failing to report qualifying privacy breaches can be fined as much as $10,000 for each offense.
“The protections in the privacy bill are vitally important,” New Zealand Justice Minister Andrew Little told Digital Privacy News. “The key purpose of the reforms is to promote and protect people’s privacy and give them confidence that their personal information is properly safeguarded.”
In addition, the law imposes restrictions on cross-border transfers of personal information, with companies now having to take steps to ensure that personal information transferred outside New Zealand is protected by privacy standards that are, if not equal, at least comparable to the new law.
That portion reflects parts of the European Union’s General Data Protection Regulation (GDPR) and applies to overseas companies doing business in New Zealand, whether or not they are physically or legally based there.
If international platforms such as Facebook or Twitter, for instance, handle the personal information of New Zealanders, they must comply with the new law, regardless of where their servers are located.
The new regulation also gives the privacy commissioner the authority to refer complaints to overseas privacy enforcement agencies, like the U.S. Federal Trade Commission or the Australian Privacy Commissioner, or to consult them in determining how to respond to the complaints.
New criminal offenses also are outlined in the law. For instance, individuals could be charged for misleading an agency to obtain another person’s private information — and a company likewise for willfully destroying information after it received a request to access that data.
Offenders on both fronts could be fined as much as $10,000 for each instance, under the law, and the privacy commissioner could issue compliance orders that also could bring maximum fines of $10,000.
The act also allows for class-action lawsuits against violators. Previously, citizens could file a privacy-breach complaint with the New Zealand Human Rights Review Tribunal.
The procedure remains, but the law now authorizes the tribunal to award as much as $350,000 to each class member.
In defending the 2020 law in a recent radio interview, NZPF’s Gunasekara, also an associate business professor at the University of Auckland, noted that modeling parts after GDPR would deter possible hackers — since New Zealand’s privacy commissioner could now investigate such claims.
“What people are missing is the fact that the commission has jurisdiction to investigate complaints for one thing — and, also, people must not forget that class actions are now possible.”
But privacy advocates told Digital Privacy News that the law already was outdated and that New Zealand officials lacked authority to impose tough penalties on violators.
“While the new act is a real improvement,” said Jordan Carter, CEO of the nonprofit advocacy group InternetNZ, “its origins are in a law commission review in 2011.
“The main changes were agreed upon in 2014.
“Time, and people’s expectations, have moved on since then — and we will need to update the privacy law more sooner rather than later.”
He added: “The level of powers and fines provided for in this legislation is still at the low end, compared to laws in Europe and Australia.”
Valentine, the DLA Piper lawyer, told Digital Privacy News that “the privacy commissioner does not have the ability to hand out the massive fines we have been seeing for privacy breaches in the U.K., EU and U.S.A.”
Regardless, NZPF’s Gunasekara said he saw the law introducing greater cooperation among international agencies, resulting in more accountability.
“We’ll see New Zealand team up perhaps with the Federal Trade Commission in the U.S., or the Australian privacy commissioner — and, together, they will take these companies to task,” he told Digital Privacy News. “And that is a very real possibility.”
Melt Strydom is a writer in New Zealand.