Privacy Commissioner’s $1m problem with the Privacy Bill

Privacy Commissioner John Edwards is broadly happy with the Privacy Bill, introduced to Parliament yesterday.

But he notes the legislation, as it stands, leaves him as a toothless watchdog, with limited powers to enforce its modernised provisions.

The bill includes one of his key requests: that data breach disclosure be made mandatory.

But Mr Edwards also wanted the power to punish breaches of the act, with fines of up to $100,000 for individuals and $1 million for companies who fail to meet their privacy obligations.

And there have been a number of instances recently where companies like LinkedIn, Uber, Facebook (via Cambridge Analytica) and former Spark email provider Yahoo have tried to keep data breaches quiet, only admitting them after media attention. All involved New Zealand customers. How many local companies have spilt their customer’s data, is not known given the optional disclosure under the current law.

As it stands, the Privacy Bill has a relatively modest $10,000 fine for a breach of its provisions.

Mr Edwards hopes to jack that up during the select committee stage and will be making a submission. He says his proposed level of fines would simply bring New Zealand into line with Australia and Europe.

Data portability also AWOL
The bill also excludes another of the key elements from the wish-list he compiled in 2016: data portability, or the ability to take all your customer information with you when you switch from one service provider to another (a measure modelled on the EU’s General Data Protection Regulation, which comes into effect in May this year).

Here, Mr Edwards is willing to wait for the next update of the legislation, assuming it happens at a speedier pace than last time.

The Privacy Bill, in its first-reading shape, is not perfect because it’s both taken far too long, and been too rushed.

The “too long” criticism stems from the fact that the Law Commission first proposed a major overhaul of the now 25-year-old Privacy Act back in 2011. Mr Edwards notes the world has moved on since then.

And it’s too rushed in that Labour has sped it to the floor of Parliament without a “first principles” review of the commissioner’s series of recommendations made in 2016.

Mr Edwards hopes the select committee process will fill the breach (Justice Minister Andrew Little, who is in the Netherlands en route to the UN, was not in the House for the bill’s introduction yesterday; his office says he has no comment on the commissioner’s criticisms of the legislation at this point).

And he hopes it will be done with balance. "What I really want to make sure are that the incentives are in place for industry not to sit on their innovations because they're scared, but just to take the time to ensure that they've thoroughly thought through the implications of a new product or service they're launching," he says.

Five minutes to midnight, or at least Black Mirror
Mr Edwards could work up quite a head of steam in front of the select committee, if his comments to NBR are anything to go by.

“This area, which used to be a backwater of the law, is now on the front pages almost every day. We’ve seen this week extensive reporting of firms like Cambridge Analytica using data from Facebook and the role that may or may not have played in influencing domestic polls in the US and the UK. So this really is the issue of the moment," he says.

"The challenges are not going to diminish.

“Just around the corner, we have quantum computing.

“China has launched this social credit system that says ‘If you haven’t been a good enough citizen by your data scores, then maybe you won’t be able to have access to public transport for a year.

“We are five minutes away from Black Mirror scenarios.

"This is a once-in-a-generation chance to sort it out."

All content copyright NBR. Do not reproduce in any form without permission, even if you have a paid subscription.

* To make the measure more saleable to business, The Privacy Commissioner proposed a two-step mandatory data breach process. Any organisation that inadvertently leaked its customer’s data, or had it stolen, would have to tell him; the commissioner would then make a judgment call if a wider alert was warranted.

National was shaping up to adopt that approach. But the commissioner's policy team notes, "The Bill moves away from the previous government’s proposed two-tier model that would have set a lower threshold for notifications to the Commissioner, and a higher threshold for notifications to affected individuals.

"The Bill is now closer to the Law Commission recommended single tier model that agencies must notify both the Commissioner and affected individuals where there is a risk of harm to individuals from the privacy breach. (“Harm” is defined in the Act (clause 75(2)(b)) as including loss, damage, detriment, adverse effects in rights, benefits, privileges etc. and significant humiliation, loss of dignity or injury to feelings.)

"Agencies will need to make a risk assessment about when and whether to notify and OPC will produce guidance to assist with that assessment. The Commissioner can publicise the breach only in certain circumstances – where the agency consents, or where it is in the public interest (clause 123). Note that there are a number of exceptions to having to notify individuals."