In May two significant milestones were reached that will influence how New Zealand businesses can use data: the GDPR came into force and submissions closed on New Zealand's new Privacy Bill.
This Update provides:
a reminder of whether the GDPR will apply to your business, and
a summary of the practical implications of the GDPR, by comparison to the requirements that apply under the Privacy Act 1993 (NZ) (Privacy Act) and the Privacy Bill.
What is the GDPR?
The GDPR is a new European Union (EU) privacy regulation that is touted as the most important change in data privacy regulation in our generation. The core ambitions of the GDPR are to:
create one coherent data protection framework across the EU, and
strengthen and protect the privacy rights of EU citizens, even when their data is processed outside the EU.
One of the key changes under the GDPR is the expanded territorial scope. The "long arm" of the GDPR will now reach many New Zealand businesses.
This is a significant change, particularly given the extensive compliance obligations under the GDPR and potential fines – the most egregious breaches of the GDPR can attract a fine of €20 million or 4% of global turnover (whichever is higher).
Does the GDPR apply to your business?
Your business will be subject to the GDPR if you process personal information relating to individuals in the EU, whether or not they are EU citizens or residents, either as a result of:
offering goods or services to such individuals, or
monitoring the online behaviour of such individuals (where that behaviour takes place in the EU).
The mere accessibility of your website, email address or other contact details to EU residents will not, on its own, trigger the GDPR. Additional factors are required that make it apparent that you intend to offer goods and services to consumers in the EU, such as the use of a language or currency generally used in one or more Member States, with the possibility of ordering goods and services in that language or currency.
For many global New Zealand businesses, the GDPR is also triggered as a result of group company requirements or as a result of providing services as a "processor" in respect of data that is subject to the GDPR.
In general, there is no minimum threshold for the size of a business that is subject to the GDPR. However, some exceptions apply to smaller enterprises with fewer than 250 employees.
What are the key differences between the Privacy Act and the GDPR?
New Zealand's privacy regime is 'principles based', in contrast to the more prescriptive nature of the GDPR. This means that New Zealand's businesses that are subject to the GDPR and the Privacy Act will have to comply with the requirements of two quite separate regimes. However, compliance with the GDPR represents good practice under New Zealand's privacy laws and, other than a few specific requirements of the Privacy Act, compliance with the GDPR will satisfy most obligations under the Privacy Act.
The following table summarises some of the key requirements of the GDPR and the relevant position under the Privacy Act.
Data breach notification
GDPR: Mandatory data breach notification regime applies where a data breach occurs that is likely to "result in a risk for the rights and freedoms of individuals".
Privacy Act: No express mandatory data breach notification regime. Nonetheless, notification may be required if necessary to safeguard personal information from misuse following a breach (for example, where unauthorised access to credit card details has occurred). However, a mandatory data breach notification regime is a key proposal under the Privacy Bill.

Data portability
GDPR: Data portability obligation applies. This means that individuals have the right to receive their personal data in a "commonly used and machine readable format", so that the data can be transmitted to another controller (such as an alternative service provider).
Privacy Act: Data portability obligations only apply to local and cellular number portability. The Office of the Privacy Commissioner has previously recommended that data portability be included in any reform of the Privacy Act; however, this recommendation is not reflected in the Privacy Bill.

Privacy by design
GDPR: "Privacy by Design" is mandatory. This means that data protection policies must be included from the outset of the design of systems.
Privacy Act: No express concept of "Privacy by Design". However, the Office of the Privacy Commissioner recommends Privacy by Design as best practice, including undertaking Privacy Impact Assessments at an early stage of the design process.

Data access controls and data minimisation
GDPR: Data controllers must only hold and process the data strictly necessary for the completion of their duties, and must limit access to personal data to those who need it to carry out the processing.
Privacy Act: No express requirements relating to data minimisation or access controls. However, both are nonetheless best practice for complying with the Privacy Act: for example, with the requirement that personal information may only be held for so long as is necessary for a lawful purpose. In addition, certain Codes of Practice include prescribed maximum retention periods (such as the Credit Reporting Privacy Code). Access controls may also be required to satisfy the general obligation to use reasonable security safeguards.

Data risk categorisation
GDPR: The GDPR introduces the concept of data risk categorisation to try to ensure that the obligations in the GDPR apply in a proportionate manner. For example, additional protections apply in respect of:
"high risk" data processing
automated decision making and profiling
"sensitive" personal data, and
Privacy Act: No express data categorisations apply. The Office of the Privacy Commissioner recommends that, in relation to children, agencies take a practical approach and treat the child's parent/s or guardian/s as the child's representative when dealing with very young children who are not able to act on their own behalf.

Privacy notices and consent
GDPR: Detailed and specific privacy notice requirements apply. In some cases, explicit affirmative consent (e.g., actively ticking a box) or "highlight notices" (to draw attention to unexpected practices and sensitive information) are required.
Privacy Act: Authorisation of individuals is a core concept; however, the Privacy Act does not set out specific prescriptive requirements for authorisation or for privacy policies.

Cross-border data transfers
GDPR: Restrictions apply on the transfer of personal data outside the European Union to third countries or international organisations. New Zealand's privacy laws have been recognised as "adequate" by the European Commission. This means personal data can be transferred freely between the EU and New Zealand.
Privacy Act: No specific restrictions apply to the transfer of personal data outside New Zealand. However, the general security obligations under the Privacy Act may be applicable to this practice. The Privacy Bill includes new provisions that are intended to strengthen cross-border data flow protections.
Next steps – don't get caught out
If you haven't done so already, it is imperative that you consider whether the GDPR applies to your business.
Even if your business is not subject to the GDPR, this is a timely reminder to consider your data governance and practices. This will assist with front-footing upcoming changes under the Privacy Bill, as well as with ensuring that you have robust data governance practices in place to support your digital and data strategy.
Please contact our privacy team if you would like any advice or assistance in relation to the matters addressed in this client update.
Our privacy team is closely monitoring the Privacy Bill and will continue to provide updates. Please refer to our previous update available
This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.