Parliament is considering sweeping changes to our 25 year-old privacy laws — but some fear they will only add to the long backlog of cases before the Human Rights Review Tribunal, Thomas Coughlan reports.
The Human Rights Review Tribunal wants more resourcing before changes to New Zealand’s 1993 Privacy Act come into force.
The Tribunal’s troubles are well known. Even after being allowed to take on additional staff, it still only employs 1.6 full-time equivalent case managers.
Tribunal chairman Rodger Haines calculated that even if the Tribunal employed six staff, it would take five years to clear the backlog of current cases, while staying on top of the 70 or so new cases that land on its desk each year.
Understandably, when appearing before the Justice Select Committee today, Haines was keen to impress upon the MPs the importance of adding resource to the Tribunal before beefing up its already overwhelming workload.
The new bill, when it becomes law, will ask the Tribunal to enforce the ability of people to access their private information as well as compliance orders given by the Privacy Commissioner.
Haines’ submission made six recommendations on the bill, four of which related to how the Tribunal should be better resourced or ways it might expedite cases.
He said the legislation created up to ten new avenues of work.
“The whole range of decision-making by the Privacy Commissioner can be subject to challenge before the Tribunal,” he said.
He said the penalties made available under the Act will create an incentive to appeal.
“I can imagine there would at least be the potential for a substantial influx of work because the breach of an order will be punishable by a fine not exceeding $10,000 — there is a real incentive for agencies to test the commissioner, to test the issuing of a compliance notice,” he said.
Bringing a 25 year-old law into the digital age
New Zealand’s Privacy Act is twenty-five years old. When it was passed into law, the World Wide Web was just four years old.
Updating the legislation has been a long and bruising process. The current legislation is based on a 2011 review undertaken by the Law Commission, which was drawn up as legislation in 2013, but never introduced to Parliament.
Justice Minister Andrew Little introduced the legislation, which had its first reading in April and is currently before the Justice Select Committee.
Major changes to the current regime would see the mandatory reporting of privacy breaches that “pose a risk of harm to people”, and give the Privacy Commissioner the ability to issue compliance notices.
When Europe thinks we’re “adequate”, that’s a good thing
Internet NZ said it was important for New Zealand to update its privacy protections to maintain its current “adequacy” status within the European Union.
This means that businesses based in New Zealand can trade in the EU more easily because our privacy laws standards are seen to be broadly adequate with those in the EU.
“It enables organisations to work in a streamlined way with information on people in the EU,” said James Ting-Edwards, Internet NZ’s Senior Policy Advisor.
The status was granted to New Zealand in 2012 under EU’s 1995 Data Directive. That directive has since been upgraded to the landmark General Data Protection Regulation, which came into force this year.
The GDPR has already had a big effect in New Zealand — many internet users will have noticed websites and mailing lists asking them to resubscribe or reenter details on websites that are either from Europe or accessible in Europe.
GDPR mandates that within four years of the regulation’s implementation in May 2018, the European Commission must review its previous adequacy decisions to see whether they meet the new, higher standard.
This means the race is on for New Zealand to brings its laws into line so our businesses can continue to enjoy the ease of access and low compliance costs of European “adequacy”.
This would require work beyond what the reforms currently set out.
“It’s great the committee is hearing the Privacy Bill, but we will also need some quite important action in the next couple of years to consider what New Zealand will have to do to maintain adequacy and meet that deadline — we can’t wait,” Ting-Edwards said.
Internet NZ’s written submission notes one area the GDPR speaks to which is not covered by the Privacy Bill is the transparency of automated decision-making — or decision-making by algorithm. An example is a job application system that makes decisions about a job applicant’s aptitude based on details from their CV.
Not far enough
Privacy Commissioner John Edwards, who submitted on the bill, also wants it to go further. He has also looked to Europe for guidance.
He noted the current cap for penalties is $10,000, but this is only for failing to report a breach of privacy, like a hack. There are currently no fines for failing to prevent the breach occurring in the first place.
Individuals can seek compensation for a privacy breach, although that would require them taking their place in the queue of appeals at the Human Rights Review Tribunal, but the commissioner does not have the ability to fine for breaches.
“If there is a small amount of harm done to a large amount of people, there is no practical consequence under the law,” Edwards told Newsroom.
This is in stark contrast to the enormous fines imposed by the EU under the GDPR. It can fine €20 million or 4 percent of a firm’s global revenue, whichever is greater.