In this Privacy Tracker series, we review laws from across the globe and compare them with the EU General Data Protection Regulation. The aim is to help you to avoid operational duplication as you move toward GDPR compliance. In this installment, Nicola Hermansson, EY NZ data privacy leader, and William Fussey, EY Law privacy solicitor, compare key provisions of the New Zealand Privacy Act 1993 with the EU’s GDPR.
New Zealand’s Privacy Act is designed as a framework to promote the free flow of information across borders as well as the privacy of individuals’ personal information.
Privacy is protected through a series of flexible requirements encapsulated in 12 Information Privacy Principles, a significant majority of which correlate reasonably well with Articles of the GDPR. However, there are a number of important concepts in the GDPR that are absent from New Zealand's Privacy Act. Where there is no correlation, New Zealand organizations could be exposed.
We expect law reform in New Zealand. Many of the GDPR requirements are likely to become part of our law, especially if New Zealand wishes to retain its adequacy status. In addition, many New Zealand organizations will need to comply with the GDPR when it applies from 25 May 2018, given the extra-territorial reach of the GDPR (Article 3) over some processing of personal information relating to individuals in the EU. New Zealand organizations should be taking action now, both to comply with the GDPR and to get ahead of probable change.
There is no distinction between data controllers and processors in the Privacy Act. Instead, with some limited exceptions, it applies to all agencies in New Zealand — that is, any person or body of people, whether in the public or private sector.
We will consider each principle in turn and how it relates to the GDPR. We will then look at the aspects of the GDPR currently missing from New Zealand’s legislative landscape.
An important influence in New Zealand’s privacy environment is its EU “adequacy” status which has been in place since 2012. Arising from a formal European Commission ruling, this means New Zealand has an adequate level of protection to meet European standards.
This facilitates data transfers from the EU to New Zealand by permitting personal data to be transferred without special additional measures. Adequacy gives confidence to New Zealand’s trading partners that New Zealand is a safe place to process data. It gives New Zealand a competitive advantage in attracting custom and increasing economic activity, and has helped reduce compliance challenges.
But New Zealand’s data protection legislation must incorporate key principles from the GDPR to ensure that adequacy status is maintained.
Information Privacy Principles
Principle 1: Purpose of collection of personal information
Principle 1 requires that personal information is not collected by any agency unless the information is collected for a lawful purpose connected with a function or activity of the agency, and the collection of the information is necessary for that purpose. Article 5 of the GDPR similarly stresses the need for the personal data to be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Principle 2: Source of personal information
Principle 2 requires that when an agency collects personal information, it must be collected directly from the individual concerned unless one of the exceptions applies. Exceptions include the belief, on reasonable grounds, that the information is publicly available, that the individual concerned authorises collection of the information, that non-compliance would not prejudice the interests of the individual concerned, that non-compliance is necessary for the maintenance or enforcement of law and order, that compliance is not reasonably practicable in the circumstances, or that the information will not be used in a form in which the individual concerned is identified.
The GDPR does not contain a similar specific principle; however Article 14 does require the data controller to provide the data subject with particular information when personal data has not been obtained directly from the data subject.
Principle 3: Collection of information from subject
Principle 3 states that where an agency collects personal information directly from the individual concerned, the agency shall take steps that are reasonable in the circumstances to ensure the individual is aware of the following: the information is being collected; the purpose of collection and the intended recipients of the information; the name and address of the agency or agencies that collect and hold the information; any law under which collection of the information is authorised or required and whether the supply of information is voluntary or mandatory; the consequences of not providing the requested information; and the rights of access to, and correction of, personal information provided by these principles. There are several exceptions setting out situations where an agency does not need to comply with the Principle, similar to those in Principle 2.
Similarly, Articles 12-14 of the GDPR require the data controller to provide specified information to the data subject in writing, in a concise, transparent, intelligible and easily accessible form. The information includes the identity and contact details of the data controller and any data protection officer, the purposes and legal basis of the processing, any recipients of the personal data, the period for which the data will be stored, and whether the provision of personal data is a statutory or contractual requirement. Data subjects must also be informed of the consequences of failing to provide the data and of the various rights they have. Where the controller intends to further process personal data for a purpose other than that for which it was collected, the new purpose must be communicated to the data subject before that further processing begins. Article 13 sets out the information to be given when the data is collected directly from the data subject; Article 14 imposes closely matching requirements when it is not.
If the data controller intends to transfer personal data to a third country, the data subject must also be informed whether that third country is the subject of an EU adequacy decision. Transfers to countries with EU adequacy (Article 45) do not require any specific authorisation. Where adequacy is absent, the transfer must instead rest on one of the appropriate safeguards in Article 46 (such as standard contractual clauses or binding corporate rules) or on one of the narrow derogations in Article 49, and the data subject must be told which safeguard is relied on and how to obtain a copy of it.
Principle 4: Manner of collection of personal information
Principle 4 prevents personal information being collected by an agency through unlawful means or by means that in the circumstances are unfair or intrude to an unreasonable extent upon the personal affairs of the individual concerned.
The GDPR has no article directed specifically at the manner of collection, although Article 5(1)(a) requires that personal data be processed "lawfully, fairly and in a transparent manner". It does, however, define special categories of personal data (Article 9) that carry their own conditions for processing. Special categories include sensitive data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a person's sex life or sexual orientation.
Processing of special categories of personal data is prohibited unless at least one of the Article 9(2) conditions is met. Conditions include: the explicit consent of the data subject; processing being necessary to carry out obligations under employment, social security or social protection law; and protecting the vital interests of the data subject where he or she is incapable of giving consent. Processing is also permitted in the course of the legitimate activities of a not-for-profit body with a political, philosophical, religious or trade union aim (in respect of its members and contacts), where the data has manifestly been made public by the data subject, or where it is necessary for legal claims, for reasons of substantial public interest, or for various medical, public health, research and archiving purposes, each subject to safeguards.
In New Zealand, the handling of sensitive data is generally dealt with in terms of Privacy Principle 4 as the extent to which personal information is sensitive may alter the interpretation of whether the means of collection will unreasonably intrude on the personal affairs of an individual.
Principle 5: Storage and security of personal information
Principle 5 requires an agency that holds personal information to protect it by such security safeguards as are reasonable in the circumstances against loss; unauthorised access, use, modification or disclosure; and other misuse. Where it is necessary for the information to be given to a person in connection with the provision of a service to the agency (for example, an outsourced processing provider), the agency must do everything reasonably within its power to prevent unauthorised use or disclosure of the information.
Article 32 of the GDPR similarly requires the data controller and the data processor to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing. It is more specific than Principle 5 about what those measures may include: pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of, and access to, personal data in a timely manner after a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of the measures. Two practical differences follow. Article 32 binds processors directly, whereas Principle 5 binds only the agency holding the information and reaches its service providers indirectly. And Article 32 expects the safeguards to be tested on an ongoing basis, rather than merely to be reasonable when first put in place.
Principle 6: Access to personal information
Principle 6 mandates that where an agency holds readily retrievable personal information, the individual concerned shall be entitled to obtain from the agency confirmation of whether or not the agency holds such personal information and to have access to that information. In providing such access the individual shall be advised that they may request the correction of that information.
Article 15 of the GDPR contains an equivalent right of access: the data subject can obtain confirmation as to whether his or her personal data is being processed, access to that data, and a copy of it. The data subject can also obtain information about the purposes of the processing, the categories of personal data concerned, the recipients of the personal data, how long the data is likely to be stored, the source of the data where it was not collected from the data subject, and the existence of any automated decision-making.
Principle 7: Correction of personal information
Principle 7 entitles an individual to request correction of personal information from an agency that holds it. On receiving such a request, the agency must take such steps to correct the information as are reasonable in the circumstances, having regard to the purposes for which the information may lawfully be used. If the agency is not willing to make the correction, it must, if the individual so requests, take reasonable steps to attach to the information a statement of the correction sought but not made. Where the agency has corrected the information or attached such a statement, it must, if reasonably practicable, inform every other person or agency to whom the information has been disclosed.
Article 16 of the GDPR similarly contains a right of rectification, stating that the data subject shall have the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject also has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Principle 8: Accuracy, etc., of personal information to be checked before use
Principle 8 stipulates that any agency holding personal information should not use it without taking such steps as are reasonable in the circumstances to ensure the information is accurate, up to date, complete, relevant and not misleading. Article 5 of the GDPR also requires that personal data be accurate and, where necessary, kept up to date.
Principle 9: Agency not to keep personal information for longer than necessary
Principle 9 provides that an agency holding personal information shall not keep it for longer than is required for the purposes for which the information may lawfully be used. Similarly, Article 5(1)(e) of the GDPR requires personal data to be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes of the processing, although it may be stored for longer where it is processed solely for archiving in the public interest, scientific or historical research or statistical purposes, subject to appropriate safeguards.
Complementing this, the GDPR also contains a right to erasure in Article 17 (more commonly known as the right to be forgotten). This requires the data controller to erase personal data without undue delay in a number of situations, such as when the data is no longer necessary for the purpose for which it was collected, when the data subject withdraws the consent on which the processing was based, or when the data subject objects to the processing and there are no overriding legitimate grounds. There are exceptions to the right to be forgotten, including where processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest in the area of public health, for archiving in the public interest, or for establishing, exercising or defending legal claims. The GDPR also contains, in Article 18, a right to require a data controller to restrict processing of an individual's personal data.
Principle 10: Limits on use of personal information
Principle 10 prevents an agency holding personal information for one purpose from using it for another purpose unless the agency believes on reasonable grounds that one of the exceptions applies. Exceptions include: the information is publicly available, use of the information is authorised by the individual concerned, non-compliance would not prejudice the interests of the individual concerned, non-compliance is necessary to prevent or lessen a serious threat, the purpose for which the information is used is directly related to the purpose in connection with which the information was obtained, or the information will not be used in a form in which the individual concerned is identified.
Limits on the use of personal information are also dealt with in Articles 5 and 6 of the GDPR, which require that personal data not be further processed in a manner incompatible with the specified, explicit and legitimate purposes for which it was collected. Under Article 6(4), processing for a new purpose is permitted where it is based on the data subject's consent or on Union or Member State law, or where the data controller has ascertained that the new purpose is compatible with the original one, taking into account several factors. These factors include: any link between the purposes for which the data was collected and the purposes of the intended further processing; the context in which the data was collected, in particular the relationship between data subject and controller; the nature of the personal data, in particular whether special categories are involved; the possible consequences of the further processing for data subjects; and the existence of appropriate safeguards, such as encryption or pseudonymisation.
Principle 11: Limits on disclosure of personal information
Principle 11 states that an agency holding personal information shall not disclose the information to a person or agency unless one of the exceptions applies. Exceptions include that the disclosure of the information is directly related to one of the purposes in connection with which the information was obtained; the information is publicly available and it would not be unfair or unreasonable to disclose it; disclosure is to or authorized by the individual concerned; non-compliance would not prejudice the interests of the individual concerned; non-compliance is necessary to prevent or lessen a serious threat; disclosure is necessary to facilitate the sale or other disposition of a business as a going concern; or the information will not be used in a form in which the individual concerned is identified.
The GDPR uses the single term "processing" to cover both use and disclosure of personal data, whereas the Privacy Act deals with use (Principle 10) and disclosure (Principle 11) under separate principles. Consequently, the GDPR limitations on further processing described under Principle 10 above apply equally to the disclosure of personal data.
Principle 12: Unique identifiers
Principle 12 sets rules around unique identifiers. An agency shall not assign a unique identifier to an individual unless the assignment is necessary to enable the agency to carry out one or more of its functions efficiently. An agency shall not assign to an individual a unique identifier that has already been assigned to that individual by another agency (subject to limited exceptions), and an agency that assigns unique identifiers shall take all reasonable steps to ensure they are assigned only to individuals whose identity is clearly established. Finally, an agency shall not require an individual to disclose a unique identifier unless the disclosure is for one of the purposes in connection with which that identifier was assigned, or for a directly related purpose.
The GDPR has no direct equivalent of Principle 12. The closest provisions are Article 87, which allows Member States to set conditions for the processing of national identification numbers, and Article 4(1), under which online identifiers are themselves personal data. Recital 30 explains the concern: natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. These may leave traces which, particularly when combined with unique identifiers and other information received by servers, may be used to create profiles of natural persons and to identify them.
Further comparisons
Beyond the Privacy Principles there are further important differences between the GDPR and New Zealand’s privacy law. We detail some of these below.
Mandatory data breach notification
Although the Privacy Commissioner encourages agencies to disclose significant breaches and seek advice about how best to manage a breach, there are currently no mandatory data breach notification requirements in New Zealand. Mandatory data breach notification is likely to be an important feature of any reform of the Privacy Act.
In contrast, the GDPR contains mandatory data breach notification requirements. Article 33 requires that in the case of a personal data breach the controller notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; where notification is later than 72 hours it must be accompanied by reasons for the delay. A processor must notify the controller without undue delay after becoming aware of a breach. The notification must describe the nature of the personal data breach, including where possible the categories and approximate number of data subjects and records concerned, the name and contact details of the data protection officer or other contact point, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate its possible adverse effects. Under Article 34, where the breach is likely to result in a high risk to individuals, the controller must also communicate it to the affected data subjects without undue delay. Meeting the 72-hour deadline in practice requires detection and escalation processes that are already in place before a breach occurs.
Data portability
Article 20 of the GDPR contains a right to data portability. Where processing is based on consent or on a contract and is carried out by automated means, data subjects are entitled to receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format, and to transmit that data to another controller without hindrance (including having it transmitted directly where technically feasible). The right to data portability therefore gives data subjects more control over their data and lowers the cost of switching providers. There is no equivalent right currently operating in New Zealand.
Consent
There are no specific conditions in the Privacy Act under which consent is required for data processing to take place. While the Privacy Act assumes, as a default, that information will be collected from the individual concerned, it does not specify the way in which consent to collect the information must be given, nor does it differentiate between information collected from adults and from children. In contrast, consent is intrinsically important in the GDPR. Where it is the legal basis relied on, the data subject must signal agreement by a statement or a clear affirmative action, and the consent must be freely given, specific, informed and unambiguous (Article 4(11)). Recital 32 clarifies that an affirmative action may include ticking a box on a website, but that silence, pre-ticked boxes or inactivity do not constitute consent. A higher standard, described as explicit consent, is required for the processing of special categories of personal data under Article 9. Article 8 contains specific provisions about the consent of children to the processing of their data in relation to online services.
Right to object
Article 21 contains the right to object to the processing of personal data where the processing is based on public interest or legitimate interests grounds, including profiling. Once an objection is made, the data controller must cease processing unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or grounds for legal claims; where the processing is for direct marketing, the objection is absolute. There are no corresponding provisions in the Privacy Act. Instead, an individual would have the option of either refusing to provide the relevant information (where the information is being sought directly from the individual) or raising a complaint of interference with privacy with the agency or the Office of the Privacy Commissioner.
Automated processing
Article 22 of the GDPR restricts decisions based solely on automated processing, including profiling, that produce legal effects concerning an individual or similarly significantly affect him or her, and entitles the individual to obtain human intervention, to express his or her point of view and to contest the decision. The Privacy Act currently contains no corresponding provision, but any use of personal information by automated software would still need to comply with the Privacy Principles set out above, in particular Principle 8 (accuracy before use) and Principle 10 (limits on use).
Privacy by design
Article 25 of the GDPR makes data protection by design and by default a legal obligation for data controllers (processors are bound indirectly through the contractual terms required by Article 28). This involves building privacy into the design specifications and architecture of new systems and processes from the outset, and ensuring that, by default, only the personal data necessary for each specific purpose is processed. Consequently, data protection must be integrated into standard operations and compliance should be documented. Privacy by design is not a legal requirement in the New Zealand privacy framework and is not referred to specifically in the Act.
Privacy impact assessment
Privacy Impact Assessments (termed data protection impact assessments in the GDPR) are mandated by Article 35 where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons. The assessment evaluates the impact of the envisaged processing operations on the protection of personal data by considering the necessity and proportionality of the processing in relation to its purposes, assessing the risks to the rights and freedoms of data subjects, and identifying the measures envisaged to address those risks. Privacy Impact Assessments are sometimes performed in New Zealand, but are viewed as a valuable tool for businesses rather than a legislative expectation.
Records of processing activities and accountability
Article 30 of the GDPR obliges each data controller and processor to maintain a record of its processing activities. There is an exemption for organizations with fewer than 250 employees, but only so long as the processing is unlikely to result in a risk to the rights and freedoms of data subjects, is only occasional, and does not include special categories of personal data or data relating to criminal convictions and offences; in practice few organizations processing personal data on a regular basis will qualify. New Zealand law does not include a requirement to record processing activities, or any other specific requirement to be able to demonstrate compliance (although such records would clearly be important from an evidentiary perspective if an agency were challenged).
Fines
The current maximum fine for a criminal offence under the Privacy Act is NZ$10,000, although compensation can be awarded as an enforcement remedy through the Human Rights Review Tribunal, and these awards are often more substantial. Both pale in comparison with the maximum administrative fines established by Article 83 of the GDPR, namely €20 million or 4 percent of total worldwide annual turnover, whichever is higher. The New Zealand Privacy Commissioner has proposed new maximum penalties in New Zealand of NZ$100,000 for individuals and NZ$1 million for corporates. It remains to be seen whether future reforms of the Privacy Act will follow this recommendation.
Final comment
The New Zealand Privacy Act provides for flexible, principle-based legislation that has been operating well for more than 20 years. While there are fewer specific requirements than in the heavily prescribed rules of the GDPR, it is still able to encompass most of the new concepts and expectations introduced by the European legislation.
Successive New Zealand governments have considered updating the Privacy Act in light of new international developments and it is only a matter of time before reform comes to fruition. When it does, any differences between the Privacy Act and the GDPR are likely to be reduced even further.
Organizations with robust and well-implemented data management processes will be well placed in terms of GDPR compliance. However, there are a number of key gaps between the requirements of the Privacy Act and those of the GDPR. Whether or not the GDPR applies directly to an organization in New Zealand, the general themes set out in the GDPR will influence data management more widely, including within New Zealand. Accordingly, organizations should be looking to the requirements of the GDPR to establish best-practice data management and to ready themselves for likely legislative change in New Zealand.
photo credit: Tākuta New Zealand Flag, Beehive via FLICKR (license)