The impending referendum regarding the United Kingdom’s membership of the EU raises many questions with international implications.
Among them, lawyers have questioned whether the UK would be regarded by the European Commission as a ‘safe third country’ in the event of a ‘Brexit.’ The UK would need to have this status in order for EU personal data to be transmitted lawfully between the United Kingdom and EU countries.
Fortunately for us, New Zealand’s privacy laws have already been considered and found adequate. In December 2012 the European Commission confirmed that New Zealand’s privacy laws are compatible with EU data protection legislation. This means New Zealand organisations can freely transfer personal information between New Zealand and EU countries if they comply with New Zealand law when dealing with that personal information.
In New Zealand a Cabinet Paper released in May 2014 suggested several reforms to our privacy legislation, including mandatory reporting of privacy breaches, new offences and increased fines, and new powers for the Privacy Commissioner, such as the ability to issue compliance notices.
In the EU, enhanced data protection standards will be achieved by a (GDPR) agreed in 2015 that will most likely come into force in 2018. The GDPR will not only be directly applicable in all EU member states but also will cover data processing outside the EU where it relates to the offering of goods or services to data subjects in the EU or monitoring the behaviour of EU data subjects.
The implication for New Zealand organisations is that if they wish New Zealand to maintain its ‘safe third country’ status, our privacy practices will need to match the enhanced data protection laws that are about to be implemented in EU member states. New Zealand organisations should consider what measures they need to put in place to ensure their privacy practices remain compliant with EU standards.
Organisations must designate a Data Protection Officer to ensure compliance with the General Data Protection Regulation.
Key changes to be implemented in the EU that are likely to be relevant to New Zealand organisations include:
o Expanded territorial reach
Unlike existing data protection legislation, the GDPR applies to organisations outside the EU whose processing activities relate to the offering of goods or services to EU data subjects. It also applies to the monitoring of customers or users who are in the EU, for example through tracking techniques that enable personal preferences to be predicted. In practice, this is likely to mean that a New Zealand business that targets EU consumers would be subject to the GDPR.
o Requirement to demonstrate consent
Although the Privacy Act requires agencies to take reasonable steps to ensure that individuals are aware of details about their personal information, including the fact that the information is being collected, and the purpose for which the information is being collected, the explicit consent of the individual is not currently required by New Zealand law as it is in the EU.
o Breaches and accountability
Organisations must designate a Data Protection Officer to ensure compliance with the GDPR. The Data Protection Authority must be notified of breaches without undue delay. It is likely that New Zealand organisations dealing with personal information will soon be required to comply with notification requirements. The GDPR places onerous accountability obligations on data controllers to demonstrate compliance.
o Right to data portability
This right imposes a requirement to provide personal data to the data subject in a commonly used format and to transfer that data to another controller if the subject requests. This right applies where the data subject provided the personal data based on their consent or the processing is necessary for the performance of a contract. It does not apply where processing is based on another legal ground other than consent or contract, for example where organisations process data in the exercise of their public duties.
o Right to erasure and ‘to be forgotten’
This topic has attracted a huge amount of interest, particularly since the decision by the Court of Justice of the European Union (CJEU) in a case brought against Google Spain SL.
The CJEU held that an internet search engine operator is responsible for the processing it carries out of personal information which appears on third party web pages. An individual may request hyperlinks to be removed from the search engine's index. Grounds for removal include cases where the search result(s) ‘appear to be inadequate, irrelevant or no longer relevant or excessive’.
The approach adopted by the CJEU in the Google Spain case is reflected in a more limited form in the GDPR which enables individuals to require the data controller to erase their personal data without undue delay. A related obligation requires the data controller to take reasonable steps to inform third parties that the data subject has requested the erasure of any links to, or copies of, that data.
New Zealand privacy legislation enables individuals to request access to their information if it can readily be retrieved and to request correction of their personal information. In addition, an agency that holds personal information must not keep that information for longer than is required for the purposes for which the information may lawfully be used. However, individuals do not have any specific right under the Privacy Act to require erasure, or to withdraw their consent to the retention of their personal information since their consent is not required in the first place.
o Privacy by design and by default
Privacy by design calls for data protection to be designed into business processes for products and services at the initiation of system design. Current EU data protection laws and the New Zealand Privacy Act have no concept of 'privacy by design' or 'privacy by default', nor is there an explicit obligation that states that privacy should be a paramount consideration at the design stage of any business process implementation project. However, in the New Zealand Privacy Act the concept of data minimisation is recognised to the extent that an agency that holds personal information must not keep that information for longer than is required for the purposes for which the information may lawfully be used.
Implementation of the GDPR will introduce additional obligations for data processors that are subject to the data protection legislation of the EU. Although many of those new obligations do not currently appear in the New Zealand Privacy Act, some are likely to be addressed in upcoming reforms.
However, unless the European Commission reviews its decision that New Zealand privacy laws provide adequate protection for EU data subjects, New Zealand organisations whose activities fall within the scope of the GDPR may lawfully continue to deal with data relating to EU data subjects by complying with the New Zealand Privacy Act.
In light of these developments, New Zealand organisations that collect, store, use, and share personal information should review their privacy policies and practices to confirm that these remain up-to-date.
Ross Johnston (ross.johnston@kensingtonswan.
Send news tips and comments to divina_paredes@idg.co.nz
Read more: CIO Upfront: Data Matching – A goldmine, but beware privacy laws
Follow Divina Paredes on Twitter: @divinap
Sign up for CIO newsletters for regular updates on CIO news, views and events.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, CDOs, COOs, CTOs and senior IT managers.
Read more: How ‘secure digitisers’ compete to win
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.