On his third day as New Zealand’s Privacy Commissioner in 2014, John Edwards was asked during a committee hearing about his approach to the role.
“I said I want to make privacy easy,” Edwards said. “I want to make privacy easy for agencies to implement, I want to make it easy for consumers to access privacy-friendly options, and I want to make it easy for people to have access to remedies when things are wrong. That became my mantra and I think it fits.”
Currently serving his second term, Edwards will step down as New Zealand’s privacy commissioner 31 Dec. to take on the role of U.K. Information Commissioner. In a wide-ranging conversation with IAPP New Zealand Country Leader Daimhin Warner, CIPP/E, as part of the IAPP ANZ Summit Online 2021, Edwards reflected on his tenure as it comes to an end, the work over the past seven years, including leading a reform of New Zealand’s Privacy Act, the growth of privacy awareness in the country, and more.
With Edwards’ departure, Warner said New Zealand is “losing a true figurehead for privacy.” He described Edwards as “steadfastly approachable, reasonable and often inspirational,” and someone who generates “real and valuable debates about difficult issues.” And, importantly, Warner said, Edwards has been “a leader for privacy communities in New Zealand and beyond. Punching well above his weight globally and setting a benchmark for effective privacy enforcement.”
Edwards said his years as New Zealand’s privacy commissioner exceeded his expectations.
“Any organization has its own self-identity, its own momentum, its own inertia. What I’ve learned in that time is you have to try and harness all of that and influence that trajectory as best you can. As long as you have an internal value set and are able to articulate that to the team, they will come along with you, and that’s what happened here,” he said. “The Office of the Privacy Commissioner has a manner and a place in the institutional landscape that I think I underestimated in the beginning. I think I’ve benefitted from that as much or more as it has benefitted from my leadership.”
‘A new era’ for the Privacy Act
As privacy commissioner, Edwards led updates to New Zealand’s Privacy Act, featuring new breach reporting obligations, criminal penalties and provisions on international data transfers. Warner said it was the “most significant” reform of the legislation since its introduction in 1993.
Beginning as privacy commissioner “on the heels" of the Snowden revelations, Edwards said one of his proudest accomplishments has been ensuring intelligence and security agencies are subject to the Privacy Act 2020 and “making them responsible for a legal commitment to proportionality, to lawfulness, to principles under which data protection operates all around the world.”
As the Privacy Act 2020 nears its first year in effect, Edwards said its still “at a fairly early stage” to judge the impact its made on privacy compliance or maturity. He said the Office of the Privacy Commissioner has a compliance and enforcement team in place, and the office has issued guidance and its first compliance notice against Reserve Bank in September following a cyberattack, which he said helped to show “a precedent of how we can use this tool.”
“But there’s a long lead time for these things and I can’t predict when we’ll have the first prosecution for failure to comply with the compliance notice,” he said. “Once we start to exercise that muscle and it starts to become more routine for us and agencies start to see the consequences of noncompliance then I think we will have entered a new era for the Privacy Act.”
Edwards said data breach reporting obligations have been a success in terms of engagement and intelligence building.
“I think we are getting a lot of intelligence, but I think there’s a lot more knowledge and wisdom to be gained from that intelligence and for that to be communicated back out to the sector,” he said. “People tend to think of breaches still pretty much from a technical sense, that there’s been an unpatched vulnerability on a server or someone put some script into a web form and wormed their way into the system, but what I think many of the breach notifications tell us is that there are very human and cultural vulnerabilities that would really benefit from some focus and investment.”
‘A growing consciousness of the importance of privacy’
Over the past seven years, Edwards said he has seen a change in the attitude towards privacy across New Zealand’s government. It’s not been as a result of his work or political views, he said, but due to an “institutional and social move” from privacy being viewed as a compliance issue to more of a precedent for achieving public policy objectives.
“I think that process began long before the pandemic, but the pandemic has really turbocharged that understanding. The government has to demonstrate a commitment to privacy in order to win the trust and confidence of the public engage with its initiatives and to go along with those,” he said. “The social contract has become more complicit and express. That has made my job a whole lot easier, in fact.”
While a more “cohesive” attitude towards privacy is forming across New Zealand’s government, Edwards said there is still a “fractured approach” when it comes to digital technologies, data sharing and the adoption of new technologies.
“I think there is a growing consciousness of the importance of privacy, but I think there’s still a way to go,” Edwards said. “Getting staff, getting a culture, not of compliance but of respect of that need to take privacy seriously as a condition precedent for maintaining the trust and confidence of the citizenry, we’ve still got a way to go there.”
Words of wisdom
A spokesman for Minister of Justice Kris Faafoi said the appointment of New Zealand’s next privacy commissioner is likely to be made in early 2022. Asked what he would say to New Zealand’s incoming privacy commissioner, Edwards turned to advice he said former Prime Minister Bill English gave current Prime Minister Jacinda Ardern.
“He told her to take the job very seriously but not to take yourself too seriously. I think that’s quite a nice bit of advice,” Edwards said.
“For me, the guiding light has always been to focus on the individual human and understanding how real people can be affected by misuse of personal information … That family down the road that’s struggling, that person who has a unique experience of gifts and challenges, who’s been hurt and has tried to do the best to overcome struggles, who has tried to look after their family or others in their life and just wants to be treated with dignity to which they are entitled without being reduced to a set of attributes and data points. If you can focus on that humanity, that’s a pretty good compass point.”
Photo by Sulthan Auliya on Unsplash