With 2022 now in the rear view mirror, we've been thinking about what lies ahead for privacy and data protection in 2023, and have outlined what we see as five key themes to watch out for:
1. Reform of the New Zealand Privacy Act?
2022 saw two significant consultations concerning potential privacy reform – namely in relation to the use of biometric technologies in Aotearoa New Zealand and possible changes to the Privacy Act 2020 to address perceived concerns regarding "indirect collection of personal information" (ie when agencies collect personal information indirectly via a third party). While the Privacy Commissioner announced late last year that it will undertake further consultation and "targeted engagement" in relation to a new Code of Practice for Biometrics this year, the outcome of the indirect collection consultation process is ongoing. However, it is likely that this will involve some amendment to the Privacy Act. As indirect collection is common practice in New Zealand and biometric technologies are becoming increasingly common, we anticipate that both reviews will have impacts for a significant number of New Zealand businesses.
2. Australian law reform
In the wake of the Optus and Medibank breaches (which, in relation to Medibank alone, involved the hacking of personal information of at least four million individuals), in late 2022 the Australian government moved to introduce harsher penalties for non-compliance with the Australian Privacy Act. Specifically, the penalties for interference with privacy were increased to the greater of A$50m, three times the value of the benefit obtained from the privacy interference (if that can be determined), or 30 percent of the organisation's turnover during the relevant period. Those penalties will bring Australia closer into line with EU/UK General Data Protection Regulation (GDPR) penalties and are significantly higher than potential penalties under the New Zealand Privacy Act. It is also only the first step in Australian privacy reform, with more substantial legislation promised for this parliamentary term. Again, it's expected that reforms will seek to align Australian privacy legislation more closely with GDPR.
These developments are significant for businesses in New Zealand because the Australian Privacy Act applies extraterritorially to agencies that collect or hold Australians' personal information (even if they do not directly collect that information from a source in Australia). Further, the Australian changes will possibly serve as a signpost of future privacy reform in New Zealand.
3. Regulation of artificial intelligence (AI)
While the potential benefits AI offers society are considerable and likely to increase over time as technology improves (eg in relation to healthcare), AI does pose challenges for society particularly in relation to issues of bias, privacy, and transparency of decision-making. In that context, it will be interesting to keep a watching brief on the European Commission's proposed Artificial Intelligence Act. The Act applies a risk-based approach to regulating AI – prohibiting certain AI practices (eg the use of AI systems that exploit the vulnerabilities of a specific group of persons) and imposing requirements in relation to AI systems that are classified as "high risk". The maximum penalty for non-compliance is significant at €30m or, if the offender is a company, up to six percent of its total worldwide annual turnover for the preceding year, whichever is higher (notably, this penalty is even higher than the maximum penalty under the GDPR). The Act also has a broad extra-territorial reach, including to providers and users of an AI system that are located outside of the EU but where the output produced by the AI system is used in the EU. The development of this legislation will be of particular interest, not only because of its extra-territorial scope, but because it is, so far as we are aware, the first of its kind.
4. Cyber security
We're anticipating data breaches will continue to be front of mind for Board directors and senior management this year, particularly in light of the recent Optus and Medibank breaches in Australia (as discussed above) and the resulting increased penalties under the Australian Privacy Act. We're expecting that businesses will have an increased focus on data audits to identify what data they hold, why they hold it and how they use it, data retention policies (to ensure they don’t hold what they don’t need), IT risk mitigation strategies and business continuity arrangements.
5. Consumer data rights
In November 2022, the Commerce and Consumer Affairs Minister confirmed that the banking sector will be the first sector designated to implement a consumer data right (CDR) in New Zealand to allow consumers (including individuals and businesses) to securely share data held about them with third parties. While we have not as yet seen draft legislation (which was due by the end of 2022), a Cabinet Paper released by the Office of the Minister of Commerce and Consumer Affairs late in 2022 proposes rolling out a CDR on an industry by industry basis (with the banking sector to be the first sector), with the regime administered by the Ministry of Business, Innovation and Employment (MBIE) (this role would include, for example, setting the relevant data standards and licensing data recipients) and the Commerce Commission having responsibility for CDR compliance and enforcement generally. The Privacy Commissioner and Human Rights Review Tribunal would then have responsibility for investigating and providing redress in relation to privacy and information security issues (in line with the Privacy Act 2020 processes). The Cabinet Paper also proposes significant penalties for breaches of CDR requirements including for the most serious breaches, for an individual, imprisonment for a term of up to five years and/or a fine of up to NZ$1m. For a body corporate, the fine would be the greater of NZ$5m or either (a) three times the value of any commercial gain or (b) 10 percent of the turnover in the periods in which the breach occurred if commercial gain cannot be ascertained. While the detail of these proposals will need to be worked through in the legislation drafting stage, clearly, privacy and data protection will be a critical component of this system. It will be important to ensure that privacy is protected, but it will also be vital that consumers trust (and, therefore, are more likely to use) a CDR.
In a privacy context, and in the absence of any express detail in the Privacy Act about what constitutes valid "authorisation", it will be interesting to see how the consumer consent for data sharing between entities under the CDR system develops, and whether this has any flow on implications for how authorisation under the Privacy Act is applied more generally (eg in relation to whether authorisation/consent should be time bound and capable of withdrawal, as proposed by MBIE in relation to the CDR).
If you have any questions about privacy and data protection, or if you would like to discuss any of these themes, please get in touch with one of our team.