Just over a year into his appointment, New Zealand Privacy Commissioner John Edwards is both confident in his role and executing his vision for the role of 21st-century privacy regulator.
That much was clear from his keynote address at the Singaporean Personal Data Protection Commission’s (PDPC's) third annual data protection seminar.
It was clear, particularly, that Edwards takes seriously his role as enforcer. He told the collected 600 or so privacy professionals that he is “getting tougher as a regulator. I’m taking a stronger line on enforcement. Privacy and data protection regulators need to take a strong line and remind organizations of their obligations under the act.”
As he was speaking in a jurisdiction with just under a year of experience with a fully implemented Personal Data Protection Act, it was hard not to read some advice for his fellow regulators into his remarks.
“Your act is a young one,” he told the audience, “having come into effect only last year,” while the New Zealand law is among the world’s oldest, and “the government has made a commitment to updating the law,” with a new act in the works and expected to be introduced later this year.
This is necessary, he said, because the “new reality is that people do more and more of their daily business online. Digital information can now be copied and shared in an almost frictionless way. The new law will reflect that greater level of risk. The stakes are higher now because the potential for harm is exponentially greater.”
Thus, while he expects the new act to stay technology-neutral and be principles-based, he also expects more power. He expects the ability to issue compliance notices, to require an audit of practices and to make binding decisions. Further, he expects a streamlining of the complaints process and mandatory breach notification for certain sized breaches, which he called “a significant change in the data protection environment.”
This kind of enforcement power is critical, he said, to provide “great compulsion for organizations to comply with the law.”
He also pointed to companies like Apple and Facebook. “Both now offer,” Edwards said, “products and features directly responsive to calls for privacy options and security and encryption.”
Finally, he spoke to the regulator’s role in actually helping companies comply, the carrot as opposed to the stick. Just as he has been actively building out resources for businesses with guidance on “how to comply,” he complimented the PDPC for its early efforts in providing local resources.
“I’ve been very impressed by the PDPC in issuing online training programs,” he said, “something we’ve just launched this week at home.” And he called their agreement with the Singapore Law Society an “innovative approach” to providing cost-effective advice for compliance to SMEs.
That’s “just the thing that a responsible regulator does to help businesses comply,” he said. “What is the single greatest determinant in compliance? It’s ease of compliance. If our offices can make it easy to comply, you will.”