Published on the 28/08/2019 | Written by Heather Wright
GDPR controls head down under…
GDPR-style controls are increasingly coming into play locally, with New Zealand ramping up its privacy safeguards and Australia’s OAIC signalling new moves to keep up with rapidly changing privacy issues.
The local changes come as an international report into Digital Quality of Life notes that 62 out of 65 of the countries surveyed have laws or drafts of laws in place to protect individuals’ data; in some cases, however, the apparent commitment is ‘illusory’. Both Australia and New Zealand scored in the top tier for data privacy in that report.
Those laws are getting a top-up and renewed focus in both countries, with the Office of the Australian Information Commissioner (OAIC) last week signalling a shift in its regulation to keep up with ‘increasingly complex’ information and privacy issues, while New Zealand is gearing up to introduce a new Privacy Bill.
New Zealand’s new Privacy Bill, which will replace the outdated Privacy Act 1993, is finally starting to make some forward progress through parliament and brings with it several changes for Kiwi companies.
The Bill, which is expected to become law by the end of the year, will see NZ catch up on data breach notification requirements for any breaches with a risk of causing ‘harm’, along with requiring authorisation to allow personal information to be sent outside of New Zealand.
Failure to notify could result in fines of up to NZ$10,000.
The addition of data breach notification requirements – which have been in place in Australia since February 2018 – pulls New Zealand in line with the EU and its GDPR.
But it’s a change that could have significant ramifications for Kiwi companies, which will need privacy breach procedures in place to ensure notifications are raised internally when breaches occur, assess whether ‘serious harm’ is likely and ensure formal notice is given in a timely fashion.
The bill will also bring New Zealand into line on requirements for companies to get permission from individuals before sharing personal information with foreign entities (including the likes of offshore-hosted SaaS companies such as Salesforce or Zoho) – complete with a requirement that the individual be ‘expressly’ informed that the recipient may not be required to protect the information in the same way as required by New Zealand law.
Meanwhile in Australia the OAIC, which received an AU$25 million boost in this year’s federal budget, says its new corporate plan signals a shift in the way the privacy watchdog operates and responds to the significant changes in the environment it regulates.
“While our core purpose – to promote and uphold privacy and information access rights – remains constant, the environment in which we regulate has undergone significant change,” Australian Information Commissioner and Privacy Commissioner Angelene Falk says in the report’s foreword.
“The plan responds to our changing environment and sets a clear vision: to increase public trust and confidence in the protection of personal information and access to government-held information.”
The OAIC says that vision will be achieved by strengthening online privacy protections, influencing and upholding privacy and information rights frameworks, and supporting proactive provision of information by government.
“These priorities are underpinned by our contemporary and active approach to regulation for business, government and individuals…”
The OAIC says key activities for the year ahead include developing a code of practice for digital platforms to provide stronger online protections, and embedding and enforcing strong privacy safeguards in Australia’s new data portability regime, the Consumer Data Right.
The plan will see increased focus on ensuring Australia’s privacy and information rights frameworks are fit for the digital age, protecting individuals and holding organisations to account. Digital platforms are already coming under increased pressure in Australia with the ACCC inquiry into digital platforms calling for new codes of practice, greater regulatory oversight and reforms to Australia’s privacy laws.
The irony of Australia’s updated cybersecurity laws providing back door data access to any enforcement authority that asks is not something the OAIC report dwells on.