A revamped Privacy Act is about to kick in. Here’s why we think it doesn’t go far enough to protect consumers.
National MP Hamish Walker and ex-party president Michelle Boag were caught out in July leaking the personal information of Covid-19 patients to the media. The politically motivated leak included the names, dates of birth, ages and quarantine locations of each of the patients.
Despite being caught out, neither Walker nor Boag faced any penalty under the Privacy Act.
Why? The Privacy Commissioner can’t prosecute individuals or organisations and has no jurisdiction over members of parliament. The bad news is little will change when a revamped Privacy Act is rolled out in December.
When our first Privacy Act hit the law books in 1993, it was considered world leading. Fast-forward 27 years and the act is showing its age, having failed to keep up with the brave new world we live in.
The long-awaited overhaul of the legislation has brought some improvements. A company that fails to report a serious data breach could now be fined by the courts, though only up to $10,000 (see “Key changes”).
It will also be a criminal offence to mislead an agency to access someone else’s personal information and to destroy personal information knowing that the person requested it.
However, the Privacy Commissioner still won’t have any powers to fine or prosecute individuals or organisations for any other serious breaches of a person’s privacy. Without the threat of a meaningful penalty, there’s much less incentive for companies to play fair.
Compare that to the EU. In 2019, France’s data regulator fined Google €50 million ($85m) for breaching privacy rules set out in the EU’s General Data Protection Regulation. Australia and the UK have also given their privacy regulators the ability to issue penalties.
Back here, the only realistic chance a company will face a financial sanction is if the case is referred to the Human Rights Review Tribunal (see “Privacy complaints”). That can be a time-consuming process, reliant on an overworked tribunal system. Confidential settlements also mean the outcome may never be made public.
The chance to strengthen consumers’ privacy rights in other areas has also been missed.
There’s no “right to be forgotten” (also known as the right to erasure) as EU consumers enjoy. Under EU privacy rules, consumers can request their personal data be erased when a company no longer needs it for the purpose it was originally collected.
The furthest our law goes is stating organisations shouldn’t keep information longer than is necessary. But this isn’t the same as a right to be forgotten.
The new act also doesn’t do anything to address the vexed issue of algorithmic transparency. If you’re denied a loan based on a company’s algorithmic system, such as automatic credit screening, you should have a right to know why.
Making companies front up about the assumptions built into these systems helps ensure biases – based on factors such as ethnicity, gender or incorrect information – don’t skew decision-making. It also ensures companies can’t hide behind machines and must take responsibility for their programming assumptions.
The Privacy Commissioner argued for the act to include fair practice provisions for automated decision making. But this didn’t happen.
Data collection is an increasingly unavoidable part of everyday life. When you download an app, sign up to a loyalty scheme or open a bank account, you’re required to share personal data.
What’s done with this data – how it’s used, where it ends up – can have major implications for consumers.
If a company knows how much you earn, it may try to charge you more for a product because it assumes you’ll be willing to pay a higher price. Or it could refuse you service because it thinks you’re a bad credit risk based on where you live.
There’s also the ever-present risk your information could be hacked and you suddenly find your bank account has been emptied or thousands of dollars of debt has been racked up in your name.
In 1993, our privacy law was ground-breaking. But the same can’t be said about the law today. Without stronger privacy protections and penalties for breaches, consumers will be left to shoulder much of the responsibility for safeguarding their data.
There are four key changes to the Privacy Act:
Mandatory data breach reporting: organisations that fail to report serious data breaches (such as a computer hack) to affected individuals and the Privacy Commissioner could be fined up to $10,000. Breaches must be reported if they cause or have the potential to cause “serious harm” to individuals.
Compliance notices and new criminal offences: the commissioner will be able to issue notices, requiring organisations to comply with the act. It will also be an offence to destroy personal information knowing that a request has been made to access it.
Regulation of cross-border data sharing: unless the individual expressly authorises the disclosure, organisations will only be able to share personal information with an agency outside New Zealand if that agency operates in a jurisdiction with similar privacy safeguards.
Extraterritorial effect: overseas companies operating in our market, such as Facebook and Google, will be subject to the act and have to report data breaches if they involve New Zealanders’ information. This applies even if the company doesn’t have a physical location here.
1993 – Privacy Act passes.
1997 – Consumer NZ recommends the Office of the Privacy Commissioner be given broader powers.
2011 – Law Commission recommends repealing and replacing the act.
2014 – Government announces reform of the act.
2018 – Privacy Bill introduced into parliament.
2020 – New Privacy Act comes into effect in December.