Data Points August 2023

Privacy and data protection is an evolving area of law as regulators try to keep up with fast-developing technologies, the rapid accumulation of data and increasingly sophisticated cyber-criminals.

It is important to stay on top of these developments. The risk for organisations getting it wrong can be very high – both when the organisation is a victim and when the organisation fails to maintain expected standards of confidentiality and data integrity.

In this edition of Data Points we summarise the latest New Zealand and international privacy and data protection news, including recent large-scale data breaches and work underway to manage risks posed by artificial intelligence.

New Zealand

International

New Zealand

One step closer to a consumer data right

The Ministry of Business, Innovation and Employment (MBIE) has recently closed its public consultation on an exposure draft of the Customer and Product Data Bill, released in June. If passed, the new law would establish a consumer data right for Aotearoa, giving individuals greater rights of access and control over their customer data.

See:
1. Chapman Tripp’s Brief Counsel: Customer and Product Bill a game changer;
2. MBIE statement;
3. Exposure draft of Bill;
4. MBIE discussion document and summary.

Privacy Act amendment - individuals must be notified when their information is shared

Cabinet has given the go-ahead to strengthen the Privacy Act 2020 by requiring that individuals be notified when a third party indirectly collects their personal information. The Government’s intention is to introduce legislation to the House prior to the election in October.
Read article
View cabinet paper.

Latitude Financial data breach update

Latitude Financial’s data breach in March this year is New Zealand’s largest data breach to date by a malicious actor. The breach compromised an estimated 14 million customer records across New Zealand and Australia.

Our Office of the Privacy Commissioner and Australia’s Office of the Information Commissioner have joined forces to investigate the breach.

See:
1. Article on Latitude’s challenges in notifying affected individuals.
2. Office of the Privacy Commissioner and Australia’s Office of the Information Commissioner commencing their first joint regulatory investigation. Read more.
3. Latitude Finance has offered to cover the cost of replacing driver’s licences to people whose data was stolen. If Latitude paid to replace all compromised licences, the cost would be more than $4 million. Read article.
4. Two Australian law firms are seeking current and former Australian and New Zealand customers to register for a class action relating to this breach: Latitude Financial Privacy Breach Investigation (gordonlegal.com.au); Kiwis urged to join possible Latitude legal action over data hack (1news.co.nz)

See also Chapman Tripp’s comments on data breach class actions in its recent Trends & Insights publication on class actions in New Zealand.

Wellington City Council's recent data breaches

Wellington City Council is being probed following a “serious harm data breach”, in which details of over 1,800 car crashes involving over 4,200 people were inadvertently disclosed.
Read article.

Managing the privacy risks posed by artificial intelligence

The constant evolution and development of artificial intelligence (AI) and similar technologies creates fertile ground for the misuse of personal information and other breaches of privacy rights. Regulators around the world have been turning their attention to how these risks can be mitigated.

The Office of the Privacy Commissioner released guidance setting out the privacy risks posed by AI and a list of factors the Office expects organisations using AI tools to take into account.

See:
1. Office of the Privacy Commissioner’s expectations on organisations using AI models.
2. Privacy regulators want to work together more to address AI risks. Read the article and statement from the Office of the Privacy Commissioner.

Protecting the personal information of children – time to strengthen our laws?

The Office of the Privacy Commissioner is looking to investigate whether the Privacy Act 2020 needs updating to strengthen the protections afforded to children's personal information.
Read article.

Biometrics

The Office of the Privacy Commissioner is seeking feedback on a proposed code of practice relating to the collection and use of biometric information. The consultation period closes on 27 August 2023.

See: Office of the Privacy Commissioner’s discussion document.

Meanwhile, Consumer NZ has voiced its concern over digital billboards using biometric data of passers-by to provide targeted advertising.

Te Whatu Ora Southern privacy breach impacting vulnerable children

Te Whatu Ora Southern has apologised to the individuals affected after a staffer sent an incorrectly addressed email which compromised the personal information of vulnerable children.

Te Whatu Ora Southern is working with the Office of the Privacy Commissioner to review and improve its email-sending processes.
Read article.

Data transfer agreement EU-US

The EU has approved the EU-US Data Privacy Framework, meaning that EU and US companies can now transfer data freely between the two jurisdictions. Privacy activist Max Schrems has indicated he will challenge the validity of the agreement, as he did (successfully) the predecessor agreements.
Read article.

Two decisions worth noting from the EU’s top court

In Case One, the EU Court of Justice found that it is not enough to prove a GDPR infringement to get compensation, it is also necessary to demonstrate personal harm. However, in relation to non-material damage, there is no threshold of seriousness that needs to be met. This lowering of the standard has led one expert to suggest that now “even minor anxiety or upset might justify a compensation claim”.

In Case Two, the Court clarified that an individual’s right under the GDPR to access a copy of their data intended that they obtain “a faithful and intelligible reproduction” of that data rather than a summary.
Read article.
View judgments:
Case C-300/21 (4 May 2023)
Case C-487/21 (4 May 2023)

Second class action win to Google in the UK

The English High Court has again rejected a class action brought on behalf of 1.6 million individuals whose medical records were passed to Google’s DeepMind AI firm. The Court found that, even with a claim limited to the “irreducible minimum harm”, there were no common circumstances among the complainants for a class to be created. The decision means that Google has now beaten two class action attempts against it for breach of privacy rights.
Read article.
View judgment.

Reporting on rumours

Recent allegations about presenters at the BBC and GB News have cast into sharp relief the role and limits of privacy rights for people accused of serious misconduct. The cases also illustrate how social media can lead to mainstream reporting.
Read article 1, article 2 and article 3.