Update on Data Privacy: Privacy Act reform and the European Union’s General Data Protection Regulation
Data is the new currency, and the digital age has transformed the way we interact with the world on a daily basis. The recent revelations of data breaches at the popular social media platform Facebook are one example of how much we as a society share information online and of the privacy concerns that can arise when we do so. This update addresses two significant developments in the area of data privacy that will impact virtually every individual and business in New Zealand.
New Zealand’s Privacy Act 1993 is now 25 years old, and although it has operated well since its inception, a new Bill has recently been introduced in Parliament to implement a number of changes recommended by the Law Commission in 2011. As our Privacy Commissioner, John Edwards, notes, “if New Zealand citizens and industry are to reap the benefits of a digital economy, they need to have confidence that their regulatory regime is robust, and that their personal information will be kept safe, and used responsibly”.
Some of the key reforms in the Bill include:
- a requirement on individuals and companies that hold personal information about others to report privacy breaches to the Privacy Commissioner;
- the strengthening of cross-border protections on personal information; and
- a broadening of the Privacy Commissioner’s powers in investigations and penalties.
The Bill is also timely. Its introduction is part of an effort to meet the global shift towards compliance with the European Union’s General Data Protection Regulation (GDPR) regime, which came into force on 25 May 2018. You may have already noticed that many internet services such as Facebook, Google, Airbnb and Twitter have updated their respective privacy policies in recent weeks to meet this change. While most individuals and companies in New Zealand are aware of their obligations under the Privacy Act 1993, they should also be aware that if they are operating or offering products and services within the European Union, they must also comply with the GDPR (this includes customers from within the European Union signing up for your newsletters). Non-compliance can be costly – with fines of up to €20,000,000 or 4% of a company’s total worldwide annual turnover in the most severe of cases.
If you or your company exchange personal information with partners or customers in the European Union, they will expect you to be compliant with the GDPR. We have found that most of our clients already have good systems in place to comply with the Privacy Act 1993. This often translates to compliance with the GDPR, but there are a number of differences between the two regimes that require a case-by-case assessment, particularly with regard to consent.
The Privacy Bill is currently before Parliament’s Justice Select Committee, and we expect the parliamentary process to continue into 2019. However, with the GDPR now in force, there is a real need for businesses operating or offering products and services within the European Union to assess their current systems for compliance.
At Glaister Ennor, we have a number of staff with expertise in data privacy, so we can tailor advice to suit your particular needs and ensure your compliance with both the Privacy Act 1993 and the GDPR.