After consultation last year, the Government has confirmed it will strengthen privacy laws to require people to be notified when their data is transferred or sold.
Under the current Privacy Act, entities (including government agencies) that collect information from you need your permission, but there is no rule for what happens if that data is then passed on to a third party.
The Ministry of Justice consulted on fixing this loophole last year and a paper taken to Cabinet by Justice Minister Kiri Allan in April shows the Government will move forward with the amendments. The paper was released on the Ministry of Justice website at the start of June.
Information-sharing between entities is not always malicious, Koi Tū research fellow Andrew Chen told Newsroom when the consultation was first announced.
The Ministry for Social Development might want to share information with Inland Revenue to ensure someone is receiving the correct Working for Families tax credit, for example.
But there are also murkier reasons – maybe legal, but maybe not savoury. Facebook, for example, could be sharing information with a data broker who might then sell it on to advertisers.
The changes authorised by Cabinet in April would require the third party receiving the data to notify the person whose data it is. There is a range of exceptions, including for national security or where the information is otherwise publicly available.
“It is good that they are going to do something about this,” Chen said on Thursday. “I think there’s probably still some debate about the detail of the changes. What they’ve gone with is that the collecting agency has to do the notification – I can see why that makes sense. I submitted that the disclosing agency should be the one that has to do the notification given that they have the data and they probably have a notification system in place already.”
The way the Government has structured the rule will prevent people from being able to opt out of a data transfer, because the collector will already have it by the time the notification goes out.
In addition, the entities will be able to contract out of the notification process via their terms and conditions.
“I feel like that is what’s going to happen in most cases, so for most people their experience may not change that much,” Chen said. “There’s still a question of how effective a terms and conditions approach is at actually having informed consent.”
Documents released to Newsroom under the Official Information Act show the changes were prompted by a review of New Zealand’s compliance with European Union privacy laws. Under the world-leading General Data Protection Regulation, New Zealand is currently considered adequate, meaning Kiwi businesses can freely transfer EU data for processing.
The Ministry of Foreign Affairs and Trade told ministers the adequacy status “confers a significant benefit”. Anecdotally, officials reported, New Zealand businesses have a strong competitive advantage over companies in non-adequate countries. Only a handful of other countries are considered adequate and major digital competitors such as the United States and Australia aren’t among them.
Submissions on the proposals were mixed, with the real-estate sector warning they could interfere with the ability to share data about recent house sales. These concerns weren’t mentioned in the Cabinet paper.
Allan told Newsroom in a statement that the legislation would be introduced before Parliament rises for the election and the changes would be in force by early 2025.