"The corporate world collectively shat itself when the new OSH [occupational safety and health] law came in," Privacy Commissioner John Edwards told an IAB NZ seminar this morning.
Edwards wants businesses and boards to treat the new Privacy Act - which passed on Tuesday and comes into force December 1 - with the same seriousness.
The Privacy Commissioner again bemoaned that the new legislation did not give him his requested power to levy big fines, like counterparts in the US and the UK who recently hit Facebook and British Airways with US$5 billion and £183 million penalties respectively.
Nor does the new law include his suggestion for data portability, or the ability for a consumer to take their data with them when they switch service providers - just one of a number of recent reforms in the EU and Australia that haven't made it into our new legislation.
But the new act still gives the Commissioner some teeth.
The new legislation has the same basic principles as the old: Any organisation that collects data about an identifiable individual must not collect more information than it needs, must store it securely and must only use it for the purpose for which it was collected.
But there are a number of key changes to the way those principles are enforced, including mandatory data breach disclosure. If you lose data, mistakenly email it en masse to the wrong person or it gets stolen by hackers, you'll have to inform Edwards' office, and any affected customers.
Failure to report a harmful data breach could result in a fine of up to $10,000.
A common question from the IAB audience of media execs, ad execs and lawyers: what will constitute a breach worth reporting?
"If your kindergarten accidentally sends a message to all that reveals your child is gluten-intolerant, I don't want to hear about it," Edwards says.
A new "NotifyUs" interactive, "semi-intelligent" widget will be added to the Privacy Commissioner's website shortly to help organisations gauge when a breach passes the notification threshold.
Edwards cautioned the answers would never be black and white, however. The Privacy Act was prescriptive, like tax legislation. Because it was enforcing a set of general principles, there would always be judgment calls on what cases his office should pursue.
The Privacy Commissioner also gains the ability to issue compliance notices if you're, say, running a competition but overstepping the mark with the amount of personal data you collect or failing to store it securely. Failure to comply could see a referral to the Human Rights Commission, and ultimately a fine of up to $10,000.
And Edwards noted that while it was previously frowned on to destroy an employee's personnel file after they requested to view it, such behaviour will now result in a fine of up to $10,000.
It will also become a criminal offence to impersonate someone to access their data, again with a fine of up to $10,000.
Obstructing the Privacy Commissioner will also become an offence, with the same fine.
Big Tech in the frame
Another big change is extra-territoriality. Edwards has had a number of high-profile standoffs with Facebook, which has at times refused to co-operate with orders from his office, saying it falls under US privacy law. Our new Privacy Act makes it explicit that any business that collects data from New Zealanders - whether or not it has a physical or legal presence here - will fall under our Privacy Act, as well as the laws of its own country.
Asked if Facebook and Google would have to comply with requests to hand over user data after December 1, when the new Act comes into force, Edwards said that was "inarguably true".
Edwards said the Commerce Commission's (ongoing) prosecution against Switzerland-based online ticket seller Viagogo under the Fair Trading Act showed that the principle of extra-territoriality was workable (after initial resistance, Viagogo accepted NZ jurisdiction).
With his wider powers from December 1, Edwards told the IAB audience there was potential for his office to work in tandem with the Commerce Commission in various enforcement areas.
The extra-territoriality element goes both ways. If a New Zealand organisation sends data to an offshore party, it needs to make sure that party is in a location with equivalent privacy protections to NZ. If those protections don't exist in law at the destination, then they must be added via a private contract.
After Australia tightened its privacy law, there was a surge in reports. Budget 2020 gave the Privacy Commissioner's office here a $2.36m bump in annual funding to accommodate the anticipated increase in work (its 2019 allocation was around $5m).
School-up via the Privacy Commissioner's website
Edwards told the audience to get ready for the new Privacy Act now.
A business should have a plan for informing customers in the event of a data breach, and regularly test systems.
It should also school-up on the new legislation. Edwards recommends key staff in an organisation take the e-courses on the new law, which are available through the Privacy Commissioner website.
Privacy Act key reforms
• Mandatory notification of harmful privacy breaches. If organisations or businesses have a privacy breach that poses a risk of serious harm, they are required to notify the Privacy Commissioner and affected parties. This change brings New Zealand in line with international best practice.
• Introduction of compliance orders. The Commissioner may issue compliance notices to require compliance with the Privacy Act. Failure to follow a compliance notice could result in a fine of up to $10,000.
• Binding access determinations. If an organisation or business refuses to make personal information available upon request, the Commissioner will have the power to demand release.
• Controls on the disclosure of information overseas. Before disclosing New Zealanders' personal information overseas, New Zealand organisations or businesses will need to ensure those overseas entities have similar levels of privacy protection to those in New Zealand.
• New criminal offences. It will be an offence to mislead an organisation or business in a way that affects someone's personal information or to destroy personal information if a request has been made for it. The maximum fine for these offences is $10,000.
• Explicit application to businesses whether or not they have a legal or physical presence in New Zealand. If an international digital platform is carrying on business in New Zealand with New Zealanders' personal information, there will be no question that it is obliged to comply with New Zealand law, regardless of where it, or its servers, are based.
The act comes into effect on December 1.