New Zealand Privacy Act 2020: standout features, fines and global comparisons

Why the change?

The previous policy (Privacy Act 1993) failed to grasp the fundamental shifts in technology in the last 27 years (like cloud computing and social media), emerging information use-cases (such as digital marketing and eCommerce) and privacy legislation in other countries.

The amount of personal data produced and shared in 2020 wasn't anticipated in 1993. The concepts of digital advertising and instant messaging barely existed; the first SMS text message was sent in 1992. In 1993, the idea that collecting, enriching and selling people's web browsing preferences would become the world's largest tradeable commodity and that it could be used to influence national elections or weaponised through cyber attacks would have marked you out as a delusional futurist.

Fast forward to today, the value to society of having a robust treatment of personal information is wholly missing. Although an abstract concept, this is the ultimate end-game for privacy legislation.

2020 has highlighted some shortcomings too.

Health information systems are notoriously under-funded and often rely on legacy (and therefore potentially insecure) infrastructure. The middle of a global pandemic is not the time to be ignoring the protection of personal information used to deliver health services. Unfortunately, old mindsets and attitudes are also still prevailing here – and the media has shown us evidence of that.

‍

Why is information so valuable?

Information is the lifeblood of modern business. We often hear victims of cyber attacks asking "why us? We don't have anything of value to hackers!" All information has value, either through its cost of generation, denying you access to it (e.g. ransomware) or selling through its sale, either "legally" through targeted Facebook ads, or on the dark web.

Unlike commodities like gold or other equities, information can be sold multiple times to different people. It can be sold nearly instantly and doesn't need to be loaded onto a ship for delivery. And unlike other tradeable commodities like food, it does not go off or have a "use by" date.

The utility of information knows no limits either. We think that the local petrol station is just a place to fill up the car or buy a late-night pie, but the reality is that they probably have more data points on you than the government. And those personal data points can be enriched with other data sets, sold, sliced and diced to the highest bidder.

It is these characteristics of personal information that impact privacy that have experienced a paradigm shift since the old Privacy Act was enacted, yet we are not much better equipped to deal with them in the new Privacy Act.

‍

Privacy Act 2020: two standout features

The two standout features of the new Privacy Act are compulsory data breach notification and data sovereignty - which replicates similar legislation in Europe and Australia.

• Compulsory data breach notification requires organisations that have a data breach involving personal information to report it to the Privacy Commissioner.

This is a powerful tool in the journey towards improving our attitude to privacy as a right. By normalising this as a behaviour, it raises awareness of these issues as a nation whereas previously these matters were either ignored or actively covered up. Compulsory data breach notification is not just a blunt policy tool but is the leading edge of continuous improvement. The more that data breaches are reported, the more we can learn about how the breach occurred, which benefits everyone.

• Data sovereignty requirements in the new Act state that personal data cannot ordinarily be stored outside of New Zealand unless the privacy landscape in the hosting country is equivalent to that of New Zealand.

New Zealand has adopted cloud computing as a way to digitise our economy and drive greater efficiencies out of data. Since there are none of the big cloud players in New Zealand yet, we are reliant on hosting our data overseas, typically in datacentres in Australia or the USA. So, consider the case where the data to run a New Zealand business was being stored in a country that didn't have the highest standards of privacy protections regarding data stored there. It is conceivable that the government could force the cloud provider to open its datacentres and take the data of its clients because of a perceived "national security" requirement.

‍

And the fines?

While similar legislation overseas has both enforcement and highly deterrent levels of fines, the new Privacy Act here has neither.

Enforcement of privacy findings is still largely confined to tribunal as it was under the old Act, and the limit of fines does not exceed $10,000. This is a small deterrent for even a modest-sized business, especially when viewed with the levels of fines overseas.

Compare this with the UK or Australia, and the scene is quite different. The UK has enacted its implementation of EU GDPR in the Data Protection Act, and their Information Commissioner pulls no punches in the levels and frequency of fines. For example, British Airways recently had their privacy breach fine reduced to 20M pounds and even then, only after appeal.

In Australia, there are fines of up to AUS$1.8M for businesses and AUS$360k for individuals.

The intent to fine individuals should raise alarm bells for directors who are potentially liable for failing to follow obligations under privacy legislation and not just reckless trading under the Companies Act. Interestingly, the Australian Notifiable Data Breaches scheme requires notification not just of data breaches, but also unauthorised access to personal information, which appears to be an attempt to tidy up insider threat or poor access control as much as malicious external activity.

‍

The role of cyber security

There is a natural symbiosis between privacy and cyber security though they are distinct from each other. Better cyber security can enable better privacy, and fines we have seen overseas relating to privacy breaches are largely because of failures to take reasonable security precautions as much as any other privacy principle.

Pretending there is no threat and that we have no enemies is a folly. Notwithstanding that the world is in a constant state of cyber warfare; as soon as you go online or store data electronically then we expose ourselves to all kinds of threats that many of us cannot even imagine. And these threats don't care about our laws; they only care about stealing and monetising our data.

‍

Shocking hidden statistics

If the true cost of cyber attacks in New Zealand was ever calculated then we would all be horrified.

The Reserve Bank estimates that the cost of cyber attacks to the banking and insurance industries alone is between NZ$80-$134M annually. Meanwhile, CERT NZ has seen $14.2M of reported direct financial losses to New Zealand businesses in the first three quarters of 2020 alone. And that is only incidents where it was reported and where losses were tangible, such as scams and fraud. That figure will exclude the ransoms and extortions that were paid as well as business disruption costs and reputational damages.

If we stop people paying ransoms and increase our overall security posture through a sustainable cyber security industry, then we cease to become a viable target.

Australia, UK and Israel have invested heavily in growing their cyber security industries. In the case of Israel, cyber security is treated as the 3rd industrial revolution. The threat is not going away, so developing skills and technology to counter cyber threats is a growth market, ripe for exploitation at a global scale. As of 2018, cyber security exports alone generated US$6Bn for Israel, a country with similar levels of GDP per capita as New Zealand.

‍

Ideal outcomes with the new Act

The first few cases of compulsory data breach notification will be fascinating. I would not wish a privacy breach upon anyone; however, as sure as night follows day there will be more. It is hoped the first few cases in front of Privacy Commissioner are treated with empathy to the victims and a healthy dose of the dry wit we have come to expect from John Edwards in his assessment of privacy scoundrels.

There remains a moral issue if a business suffers a cyber attack involving personal information, and the business still fails to report it. Who should report this? Internal whistle-blowers? Third-party security responders working under NDAs?

‍

Summary

The deduction is clear: if our nation is largely dependent upon digitisation and data to function (and digital technologies are inherently vulnerable), then they should be protected. This isn't radical thinking; it's covered in lesson 1, day 1, at all military planning schools.

International data security legislators will be considering whether NZ has parity on the world stage when it comes to the protection of personal data. We currently have a helpful parity with the EU as we have inherited privacy equivalence from the old Privacy Act.

For how much longer, I don't know.