2020 Litigation Forecast - The Year of the New Privacy Act

It has been coming for years, but 2020 finally
looks set to be the year of the new Privacy Act.
The much-anticipated privacy reform is making
its way through its final stages in Parliament.

The Privacy Bill (first floated in 2012) is now being referred
to as the Privacy Act 2020, with hopes that it will be
enacted in Q2 2020, and in force in Q3. Given the Bill has
bipartisan support, it is likely to be passed in its current
state, requiring greater attention to privacy compliance
by all organisations in New Zealand.

The Bill’s passage into law is a milestone
of varied significance

The mixed range of new and old measures in the Bill
and the ongoing low penalties for non-compliance,
particularly when viewed on an international scale,
could affect its significance.

Nevertheless, the enactment commands some attention.
The New Zealand Privacy Commissioner has made it clear
that he means business with the powers he has been
given, and there is an increasing range of options beyond
the new Act, including internationally, for organisations
to be held to account if they do not take personal privacy
and data protection seriously in the years ahead.

‘It’s 2019, and time to raise your game’ was the message
from the Privacy Commissioner to New Zealand
organisations over the course of 2019, both in terms of
overall approach to privacy protection, and in the context
of his concerns about the “pervasive and persistent problem” of “click to consent” data collection (used by
agencies worldwide).

Globally, 2019 was a year to be remembered

We saw significant fines levied against global data
juggernaut Facebook, as well as sanctions imposed on
British Airways and Marriot Hotels for data breaches
involving customer personal information. The antitrust-
like levels of financial sanction in these cases
demonstrated the might of Europe’s General Data
Protection Regulation and keenness of data regulators
to use the arsenal that is available to them.

Our own privacy regulator is likely to be just as keen,
albeit using his own more limited range of tools in
his enforcement toolbox. These include the Privacy
Commissioner’s ability to:

  • make binding information access determinations,
    following requests made by individuals for personal
    information from agencies;
  • issue compliance notices that require an agency to
    do (or cease doing) something that is inconsistent
    with the privacy principles; and
  • ‘name and shame’ agencies that are the subject
    of compliance notices.

Changes will have impact

While the proposed new financial sanctions max out
at $10,000 (an increase from $2,000), the reputational
impact of ‘named and shamed’ privacy infringers will
be felt in New Zealand’s small market.

The Bill’s most significant change is that New Zealand will
have a Mandatory Breach Reporting regime (following the
paths of European, Australian, and Californian privacy
laws). The proposed regime will impose obligations on
an agency who suffers a data breach to notify both the
Privacy Commissioner and affected individuals where
the breach could cause ‘serious harm’.

Caution against complacency

If breach reporting trends in Australia and the UK are
anything to go by, the Privacy Commissioner will have
his work cut out for him. In both jurisdictions, the data
regulator experienced a significant increase in reporting
of breaches; in Australia, the spike in breach reporting
was more than 75%.

One difficulty the Privacy Commissioner will face, which
he has already publicly grappled with, is whether the
resourcing of his office will match the increasing demands
placed on it. There is some indication of a resourcing
increase, and Kiwi ingenuity will hopefully help bridge at
least some of any resourcing gap. It may mean that the
Privacy Commissioner needs to make a few high-profile
examples of non-compliers early in the new regime and let that set a tone for compliance expectations going forward.

We therefore caution organisations against complacency with respect to privacy. The new Privacy Act 2020 looks
set to increase litigation risk for both New Zealand
agencies and any agency that carries on business in
New Zealand (the Bill does have some extra-territorial
effect).

Swimming in the regulator slipstream

The Privacy Commissioner is keenly aware that he is
not fully armed on his own to protect the privacy of
individuals whose personal information is collected
by agencies.

He has argued often and publicly – and to date largely
unsuccessfully – for stronger measures to be at his
disposal. His office is therefore openly looking around for,
and collaborating with, other regulators who are better
placed to help fill the enforcement gap.

First in line is the New Zealand Commerce Commission,
that is already turning its focus to privacy issues.
If international practice is anything to go by, it is likely to
have a greater role to play in the privacy arena before long.

Internationally, Facebook has been sanctioned in both
the United States and Italy for unfair trade practices
by the competition regulators. Further, the ACCC in
Australia is investigating both Google and Facebook
for unfair practices. The core issue in these types of
cases is that agencies are not doing what they say they
are doing with personal information, and that is not
good enough.

In New Zealand, where agencies are not following their own
policies, or policies are onerous or unclear, they risk either:

  • a declaration that the privacy policy contains unfair
    contract terms, or
  • engaging in misleading or deceptive conduct in trade.
    And the Commerce Commission’s ‘stick’ is far greater
    than that wielded by the Privacy Commissioner.

2020 – sink or swim

2019 demonstrated that privacy and data protection
issues extend into all aspects of organisational
culture, management and design, from consumer
relations and people functions to legal and
commercial risk profiles. Consumers are wising up to
the importance of personal privacy protections and
are seeing privacy rights enforced in many sectors.

With a new Act in place during 2020, we will likely see
our first enforcement action underway within the
year, as well as greater activity from the Commerce
Commission in this area. No organisation will want to
be handed the first sanction. We expect organisations
in New Zealand and beyond will need to continually
raise their game on protection of personal privacy
in the years ahead. Organisations will be well served
by treating privacy protection as a cultural norm;
to embed it in the design and fabric of how an
organisation works.

Read the full Litigation Forecast

Who can help