After a Covid-enforced break, the annual IAPP (International Association of Privacy Professionals) ANZ Summit took place in Sydney in late November. As well as keynotes from the New Zealand Privacy Commissioner and the Australian Information Commissioner, various panels and speakers traversed topical privacy issues from indigenous data rights, to biometrics, AI and facial recognition technology, and a growing trend towards 'people-centric' privacy.
There were five clear themes that came through at various sessions during the summit.
- Cyber attacks are not going away
The recent Optus and Medibank cyber attacks in Australia were hot topics. Described by the Australian regulator as "a wake-up call", the Optus breach in particular re-emphasises how essential it is to minimise data retention and ensure data isn't kept for longer than needed – after all, you can't lose what you don't have.
There is a clear expectation that organisations need to get their houses in order now to minimise damage in a worst-case scenario (and organisations that don't do this will risk regulatory attention). This might involve:
- Knowing what data you hold (and doing an audit if this isn't clear)
- Ensuring adequate investment in security, as well as tested backup and disaster recovery plans
- Reviewing retention, archiving and deletion policies and practices, to make sure that you are only holding on to what you need
- Taking another look at any anonymised or aggregated datasets to check that they aren't vulnerable to re-identification, given the large amount of data available online as a result of other recent breaches.
- Australian privacy reform is coming
In the wake of the Optus breach, the Australian government moved to introduce harsher penalties for non-compliance with privacy obligations by way of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (currently awaiting Royal Assent). That legislation increases penalties for interference with privacy to the greater of A$50m, three times the value of the benefit obtained from the privacy interference (if that can be determined), or 30% of the organisation's turnover during the relevant period.
Those penalties will bring Australia closer into line with the EU/UK General Data Protection Regulation (GDPR) penalties and are significantly higher than the equivalent in New Zealand.
It is also only the first step in Australian privacy reform, with more substantial legislation promised for this parliamentary term. Again, it's expected that the move will be to align Australian privacy legislation more closely with GDPR.
While the New Zealand Privacy Act is still relatively new, the Australian changes will possibly serve as a signpost of any future privacy reform on this side of the ditch.
- A move towards 'fair and reasonable' data practices
While much of New Zealand and Australian privacy law is built on the 'notice and consent model' (in other words, 'I can use your personal information in all the ways described in my privacy policy'), there were indications from both countries' Commissioners that businesses should rise above the noise of a compliance programme and ask themselves whether their data practices are fair and reasonable. Instead of the onus being on individuals to read and understand complex privacy documents, best practice in privacy compliance continues to move towards a much more intuitive approach focused on the reasonable expectations of the individual.
Organisations that are 'privacy mature' are increasingly seeing good privacy practice as an organisation-wide exercise, and an extension of good customer service and good corporate citizenship. Whether this trend moves beyond good practice to an area of possible legislative reform (in the same way that fairness in consumer and small business contract terms has been codified in both Australia and New Zealand in recent years) will be one to watch.
- Indigenous data rights – so much more than just a privacy issue
Our clients are increasingly interested in understanding and acknowledging indigenous data rights and Māori data sovereignty in the context of their privacy programmes and practices. Two insightful sessions at the summit confirmed to us that while there can be overlaps between Māori data sovereignty issues and privacy issues, Māori data sovereignty issues are about so much more than where data is stored, or what is written in a privacy policy, and should not be considered as a 'bolt on' to privacy compliance.
This is because Māori data may be much more than 'personal information': information relating to a maunga or other aspects of te ao Māori is as deserving of safeguarding as personally identifiable information, and (conversely) information relating to identifiable individuals may give rise to rights vesting in iwi or hapū, and not just the individual(s) concerned. This means that principles of Māori data sovereignty may not align neatly with the Information Privacy Principles in the Privacy Act. Where issues do overlap, Māori data sovereignty considerations may be so fundamental that they pre-empt or override the approach to privacy. Each situation may require nuanced analysis from a public law, tikanga and Te Tiriti perspective (as well as a privacy perspective) to find the right outcome.
- Getting the basics right remains fundamental
With fast-paced global regulatory change, increasingly sophisticated cyber criminals, and the constant availability of new data-led technologies, there is a lot going on that can keep privacy specialists up at night.
The key message from the summit was that, while the stakes are certainly getting higher, the fundamentals of a good privacy programme are not materially changing overall. By focusing on the basics like only collecting and keeping data that is really needed, treating individuals fairly, communicating transparently, and knowing what data is being held, organisations can set themselves up to manage privacy risk in a way that remains resilient for years to come.