Earlier this week, Alex Chapman of Buddle Findlay's TMT team attended the first International Association of Privacy Professionals Australia and New Zealand summit in Sydney. The conference included a number of interesting speakers who touched on a range of privacy and data issues. Alex's 'top takeaways' are set out below:
Duty of care
There was some discussion about how culpable agencies (in particular, online platforms) should be for the harm caused through use of their services. Of particular note, the New Zealand Privacy Commissioner (Commissioner) made a thought-provoking speech regarding agencies' broader responsibilities in respect of the harm they cause. While the Commissioner acknowledged that agencies already have responsibilities in relation to the data that they hold and are subject to various regulations (both internationally and domestically), he suggested that this may be insufficient to address the potential harms that agencies' services and products may cause. In this context, the Commissioner proposed that agencies should, at the very least, be subject to an overarching duty of care to ensure that they are liable for the harm that they cause. What this duty of care may look like or how it could be enforced remains to be seen; if this duty gains traction and becomes law at any point, then this will be a matter for close review for agencies over the next few years.
Transparency
As we've commented on before, the days of 'click to consent' are over. The Commissioner has again emphasised that agencies must take reasonable steps to ensure that users are aware of what is happening with their information and that his office will be asking agencies how they were able to form the view that a user was aware of how their personal information was being used. This may include agencies having to provide evidence of how long it took for a user to click 'accept' to the terms of a privacy policy (so as to identify whether the period of time was actually sufficient for the user to have digested the terms of the privacy policy).
Interestingly, the Commissioner also noted that the idea that transparency is the great 'panacea' for processing personal information seems to ask a lot of consumers, particularly where those consumers are children. In this regard, the Commissioner suggested that agencies' obligations to ensure that their policies are transparent and clear for children (as required in the Privacy Bill) will be a 'trojan horse' for ensuring that privacy policies are transparent and clear for all consumers.
In our view, agencies should be on notice that the Commissioner expects them to explain in meaningful ways how users' personal information is being used. Ahead of the Privacy Bill coming into effect, agencies should start thinking about whether their privacy policies and data collection processes will allow them to demonstrate that their users were informed about how their personal information will be used.
The new Privacy Act is on its way
After a long wait, the Privacy Bill 2018 is now expected to be in force in July 2020. Agencies should start considering now the implications of the Privacy Bill to ensure that they are ready to meet the new requirements. In particular, agencies should consider:
- Whether they have processes in place to satisfy the mandatory notification obligations for privacy breaches where it is reasonable to believe that the relevant breach has caused serious harm or is likely to do so.
- The extent to which any cross-border transfers of personal information satisfy the requirements of the new Information Privacy Principle 12.
Agencies should also be aware that the new Privacy Act will apply to agencies located off-shore where that agency is "carrying on business in New Zealand", regardless of where the relevant information is collected or held and whether or not the agency has a physical presence in New Zealand, charges monetary payment, or makes a profit from its business in New Zealand. In our view, the scope of "carrying on business in New Zealand" is very broad and it will be interesting to see how this extra-territorial reach is applied in practice.
Consumer rights in action
While the use of personal information is traditionally the domain of privacy regulators, there was some discussion about the scope for other regulators to exercise their rights to ensure that consumers' personal information is not used in misleading or deceptive ways (for example, see the recent ACCC action against Google). The Commissioner himself noted that data protection laws alone may not be enough to combat the potential harms and queried whether we need more agile consumer protection mechanisms to allow privacy regulators to work together with consumer safety regulators. In New Zealand, it seems that there is already some scope for the Commerce Commission to be able to take action under the Fair Trading Act 1986 in respect of misleading or deceptive conduct and it will be interesting to see how or whether this plays out here in respect of the use of personal information.