Kia ora koutou,

These are my final notes from the Asia-Pacific region for 2022, so I thought it might be a good time to look back on the year that was and ahead to the year that’s coming.

It was a big year for privacy. As Australia and New Zealand were released from the clutches of the COVID-19 pandemic, our regulators and lawmakers increased their activities in the privacy space. Some of these activities responded to major breaches in the region, while others were a long time coming, relating to complementary regulatory activities we have been expecting for some time. A few of the highlights (or lowlights) of the year include:

  • Law reform very much dominated the privacy discourse in Australia, culminating in the passing of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022. Among other things, this bill will amend the Australian Privacy Act 1988 to introduce significant new financial penalties for serious or repeated breaches of the act. The new three-factor scheme will allow for the imposition of fines up to the greater of AU $50 million, three times the value the agency obtained from misusing the data, or 30% of quarterly adjusted turnover.
  • This significant development in Australian privacy law followed several major data breaches in Australia, including the Optus breach that exposed up to 10 million customer accounts and had far-reaching consequences for other organizations in the region, and the Medibank breach, into which the Office of the Australian Information Commissioner opened an investigation on 1 Dec.
  • The New Zealand Office of the Privacy Commissioner made significant strides in relation to the regulation of biometric technologies. Following the publication of a 2021 position paper on biometrics, the OPC released a consultation paper in August seeking views on what action may be needed to address the increasing use of biometric technology in New Zealand.
  • New Zealand’s Ministry of Justice proposed broadening the Privacy Act’s notification requirements to apply to the indirect collection of personal information. Currently, the act only requires an agency to provide privacy notice to individuals when collecting personal information from them directly. Submissions — such as those made by the privacy commissioner — appear to favor an amendment to existing information privacy principle 3, rather than the insertion of a new privacy principle.
  • Last but not least, the IAPP hosted the ANZ Summit 2022 in Sydney. It was a sell-out event, with an excellent lineup of topics and speakers. Highlights included keynotes from Australian Privacy Commissioner Angelene Falk and New Zealand Privacy Commissioner Michael Webster, and a focus on indigenous privacy perspectives led by keynote Microsoft Global co-Chair of Indigenous Dan Te Whenua Walker and continued by a panel of experts who discussed work being done in New Zealand to use tikanga Māori and other frameworks to better respect indigenous data perspectives. The IAPP has committed to continuing its support of this pioneering indigenous data focus, and you can expect to hear more from us on this topic in coming months.

2023 is promising to be just as eventful, with several major changes likely to be finalized and implemented in the coming year. Key things to look out for include:

  • There’s more to come regarding privacy law reform in Australia, with a second tranche of amendments expected on substantive changes to other parts of the Privacy Act, including employee and small business exemptions, and civil penalties for Privacy Act breaches that may not meet the serious and repeated threshold but nonetheless cause real harm to the people affected.
  • We should see a bill passed in New Zealand implementing a new consumer data right. This will be New Zealand’s version of the data portability right. Readiness work has already begun in the banking and financial technology sectors in anticipation of the law’s eventual implementation.
  • The OPC will decide on the best way to regulate facial recognition and other types of biometric technologies. Whatever regulatory response is favored, the OPC has made clear it will seek to preserve the benefits of the technology while protecting against privacy risks, and to ensure the compliance burden is proportionate to the scale of the risk.
  • We should see an amendment to the New Zealand Privacy Act implementing the privacy notification changes proposed by the Ministry of Justice, summarized above. This change could require a major rethink from organizations about the ways they gather personal information, particularly to inform marketing activities.  
  • Finally, both the Australian and NZ data protection authorities gave us a clear signal during the ANZ Summit about what to expect from them in the coming year, with Commissioner Falk focusing clearly on using her new enforcement powers to more effectively investigate and address serious privacy breaches, and Commissioner Webster focusing on developing a new privacy risk management system to help organizations ensure privacy is a core focus of their business.

This summary makes clear that we all deserve a rest. It’s time for privacy professionals to take stock over the holiday period and rebuild their resilience for the year to come. I wish all IAPP members a calm, safe and restorative break, and look forward to seeing you all again in the new year.

Ngā mihi.