Five themes from the Privacy Bill submissions
The Privacy Commissioner recently appeared before the Justice Committee to advance his view that privacy is a “fundamental human right” and that the changes proposed in the Privacy Bill (Bill) are “not sufficient”. The Justice Committee received 164 submissions on the Bill, and we have summarised five key themes from those submissions.
The Justice Committee’s report is due on 11 October 2018. If significant policy development is recommended at this stage, we can expect another round for submissions before the Bill is considered again by Parliament.
1. More clarity is needed around when a privacy breach must be notified
The most common concern with the proposal to require mandatory breach reporting is the risk of over-reporting and the compliance costs this would impose on organisations. This stems from a perceived lack of clarity in the Bill around when organisations will be required to notify breaches. A common submission from organisations was that some kind of threshold or test should be included, such as the Australian ‘reasonable person’ test. Many submissions referred to harmonisation with the Australian privacy regime in order to reduce compliance costs. We refer you to our previous article, which discusses the Australian regime further.
2. Closer alignment with GDPR should be considered
New Zealand’s “adequacy” status with the European Union (EU) has been called the jewel in the crown of New Zealand’s privacy framework and, to date, this status remains following the General Data Protection Regulation (GDPR) coming into force. Adequacy status allows many New Zealand businesses to benefit from free transfers of personal information between the European Union and New Zealand. This is a benefit only a handful of countries have. As such, a key concern is ensuring that any changes to New Zealand privacy law maintain that adequacy status.
If the EU were to conduct a review of New Zealand’s adequacy status, closer alignment with the GDPR would assist in protecting this status. Closer alignment would mean including two other data protection principles that have been implemented under the GDPR but which do not exist under our privacy framework: the right to data erasure (also referred to as ‘the right to be forgotten’) and the right to data portability (the right to receive personal information in a commonly used, machine-readable format, and to request that it be transferred to third parties). We refer you to our previous articles on open banking and the GDPR (articles one and two), which discuss these further.
3. Further modernisation/future-proofing is needed
The Bill is largely based on the Law Commission’s review in 2011. A number of submissions highlighted concerns that, given the review is now eight years old, the Bill has not carefully considered post-2011 technological and legal developments (which have been significant!). It has been suggested in submissions that any future legislation should be subject to periodic review, or be robust and flexible enough to keep up with future advancements. It will be interesting to see how this would operate in practice, i.e. whether a set review timeframe is built into the Bill, or whether this is achieved through codes or regulation.
4. Practicality of Human Rights Review Tribunal’s role should be considered
The role of the Human Rights Review Tribunal (HRRT) under the Bill is to hear privacy complaints and appeals, and to enforce access directions and compliance notices issued by the Privacy Commissioner. The submissions identify that consideration will need to be given to how the HRRT will manage an increased privacy caseload, given the resource constraints it currently faces.
5. Accountability of Privacy Commissioner is needed
The Bill strengthens the Privacy Commissioner’s powers to help improve privacy standards and ensure compliance. However, the increase in such powers has given rise to concerns about the Privacy Commissioner having too much discretion and, as such, an accountability mechanism has been suggested.