2020 Litigation Forecast - The Year of the New Privacy Act

It has been coming for years, but 2020 finally looks set to be the year of the new Privacy Act. The much-anticipated privacy reform is making its way through its final stages in Parliament.

The Privacy Bill (first floated in 2012) is now being referred to as the Privacy Act 2020, with hopes that it will be enacted in Q2 2020, and in force in Q3. Given the Bill has bipartisan support, it is likely to be passed in its current state, requiring greater attention to privacy compliance by all organisations in New Zealand.

The Bill’s passage into law is a milestone of varied significance

The mixed range of new and old measures in the Bill and the ongoing low penalties for non-compliance, particularly when viewed on an international scale, could affect its significance.

Nevertheless, the enactment commands some attention. The New Zealand Privacy Commissioner has made it clear that he means business with the powers he has been given, and there is an increasing range of options beyond the new Act, including internationally, for organisations to be held to account if they do not take personal privacy and data protection seriously in the years ahead.

‘It’s 2019, and time to raise your game' was the message from the Privacy Commissioner to New Zealand organisations over the course of 2019, both in terms of overall approach to privacy protection, and in the context of his concerns about the “pervasive and persistent problem” of “click to consent” data collection (used by agencies worldwide).

Globally, 2019 was a year to be remembered

We saw significant fines levied against global data juggernaut Facebook, as well as sanctions imposed on British Airways and Marriot Hotels for data breaches involving customer personal information. The antitrust- like levels of financial sanction in these cases demonstrated the might of Europe’s General Data Protection Regulation and keenness of data regulators to use the arsenal that is available to them.

Our own privacy regulator is likely to be just as keen, albeit using his own more limited range of tools in his enforcement toolbox. These include the Privacy Commissioner’s ability to:

  • make binding information access determinations, following requests made by individuals for personal information from agencies;
  • issue compliance notices that require an agency to do (or cease doing) something that is inconsistent with the privacy principles; and
  • ‘name and shame’ agencies that are the subject of compliance notices.

Changes will have impact

While the proposed new financial sanctions max out at $10,000 (an increase from $2,000), the reputational impact of ‘named and shamed’ privacy infringers will be felt in New Zealand’s small market.

The Bill’s most significant change is that New Zealand will have a Mandatory Breach Reporting regime (following the paths of European, Australian, and Californian privacy laws). The proposed regime will impose obligations on an agency who suffers a data breach to notify both the Privacy Commissioner and affected individuals where the breach could cause ‘serious harm’.

Caution against complacency

If breach reporting trends in Australia and the UK are anything to go by, the Privacy Commissioner will have his work cut out for him. In both jurisdictions, the data regulator experienced a significant increase in reporting of breaches; in Australia, the spike in breach reporting was more than 75%.

One difficulty the Privacy Commissioner will face, which he has already publicly grappled with, is whether the resourcing of his office will match the increasing demands placed on it. There is some indication of a resourcing increase, and Kiwi ingenuity will hopefully help bridge at least some of any resourcing gap. It may mean that the Privacy Commissioner needs to make a few high-profile examples of non-compliers early in the new regime and let that set a tone for compliance expectations going forward.

We therefore caution organisations against complacency with respect to privacy. The new Privacy Act 2020 looks set to increase litigation risk for both New Zealand agencies and any agency that carries on business in New Zealand (the Bill does have some extra-territorial effect).

Swimming in the regulator slipstream

The Privacy Commissioner is keenly aware that he is not fully armed on his own to protect the privacy of individuals whose personal information is collected by agencies.

He has argued often and publicly – and to date largely unsuccessfully – for stronger measures to be at his disposal. His office is therefore openly looking around for, and collaborating with, other regulators who are better placed to help fill the enforcement gap.

First in line is the New Zealand Commerce Commission, that is already turning its focus to privacy issues. If international practice is anything to go by, it is likely to have a greater role to play in the privacy arena before long.

Internationally, Facebook has been sanctioned in both the United States and Italy for unfair trade practices by the competition regulators. Further, the ACCC in Australia is investigating both Google and Facebook for unfair practices. The core issue in these types of cases is that agencies are not doing what they say they are doing with personal information, and that is not good enough.

In New Zealand, where agencies are not following their own policies, or policies are onerous or unclear, they risk either:

  • a declaration that the privacy policy contains unfair contract terms, or
  • engaging in misleading or deceptive conduct in trade. And the Commerce Commission’s ‘stick’ is far greater than that wielded by the Privacy Commissioner.

2020 – sink or swim

2019 demonstrated that privacy and data protection issues extend into all aspects of organisational culture, management and design, from consumer relations and people functions to legal and commercial risk profiles. Consumers are wising up to the importance of personal privacy protections and are seeing privacy rights enforced in many sectors.

With a new Act in place during 2020, we will likely see our first enforcement action underway within the year, as well as greater activity from the Commerce Commission in this area. No organisation will want to be handed the first sanction. We expect organisations in New Zealand and beyond will need to continually raise their game on protection of personal privacy in the years ahead. Organisations will be well served by treating privacy protection as a cultural norm; to embed it in the design and fabric of how an organisation works.

Read the full Litigation Forecast

Who can help