Data Points

04 December 2023

Privacy and data protection is an evolving area of law as regulators try to keep up with fast-developing technologies, the rapid accumulation of data and increasingly sophisticated cyber-criminals.

It is important to stay on top of these developments. The risk for organisations getting it wrong can be very high – both when the organisation is a victim and when the organisation fails to maintain expected standards of confidentiality and data integrity.

In this edition of Data Points we summarise the latest New Zealand and international privacy and data protection news.

 

CONTENTS

New Zealand

Australia

International

New Zealand 

Biometrics Code planned

The Office of the Privacy Commissioner (OPC) is consulting on new rules to regulate the use of biometric information collected by facial recognition technology, retinal scans and voice recognition.

The consultations will inform a biometrics code exposure draft, expected to be available for release early next year.

See the OPC announcement

Proposed new privacy principle to strengthen transparency

The Privacy Amendment Bill 2023, introduced to Parliament on 6 September, will establish a new privacy principle (IPP3A) to increase transparency about the indirect collection and use of personal information.

If passed, the Bill would require agencies that collect personal information from sources other than the person to whom the information pertains to provide privacy notifications to the relevant person.

The Bill is supported by the Office of the Privacy Commissioner and will bring New Zealand into line with like jurisdictions, including Australia. We expect that the Bill will be progressed by the new Government.

OPC statement

Injunction granted in relation to Te Whatu Ora COVID vaccination data breach

Te Whatu Ora Health New Zealand has secured an urgent injunction through the Employment Relations Authority against a former employee who has published, and has been talking about, COVID vaccination data held by the agency.  The scope of the former employee’s activities is still being investigated.

Article

Official guidance on AI and privacy

The Office of the Privacy Commissioner has issued a 12-page guidance document on how privacy law and the privacy principles apply to the use of AI tools.

Guidance

Children and Young People’s Privacy Project

The Office of the Privacy Commissioner is considering whether current privacy protections applying to children and adolescents are sufficient. To drive its considerations, it is conducting an on-line survey of professionals and organisations that work with young people.

Statement

The dangers of complacency

The Office of the Privacy Commissioner has warned employers of the risks of complacency after an agency attracted a complaint from a woman, who had formerly had dealings with that agency, for having a picture of her in a position which could be seen by the public. No current staff member at the agency knew why the photo was still up and it had been there for several years.

Casenote

Privacy breaches

  • The public release by a Wellington City Council (WCC) officer under the Local Government Official Information and Public Meetings Act of unredacted and tightly-held Waka Kotahi crash data on local Wellington roads was found by a WCC-commissioned independent review to have created a “serious harm” breach that was caused by human error and was preventable.
  • The Office of the Privacy Commissioner has been notified of a breach created when members of a South Auckland residents’ group, Stop Polluting Manukau Harbour, invited Watercare representatives to their homes to discuss privately their views on a new wastewater treatment plant only to have their addresses published on Auckland City Council’s website and their positions misrepresented. The Council has removed the information and apologised.
  • The accidental release by Oranga Tamariki to a member of the public of a non-password protected document containing the personal information of more than 30 children, including allegations of abuse, has been criticised as “unspeakably bad practice”.

Are passports passé?

A trial on the Finnish border of a cross-border Digital Travel Credentials (DTC) system has led Stuff to speculate that the days of the paper passport may be nearing an end.

Article

CCTV in school toilet blocks

The Office of the Privacy Commissioner has warned school Boards of Trustees and principals to ensure they have conducted privacy impact assessments if they wish to install Closed Circuit Television (CCTV) in school toilet blocks to deter bad behaviour.

OPC advice

Employment Court hears test case on permanent name suppression

A full bench of the Employment Court has heard an application for permanent name suppression from a restaurant worker who reached a confidential settlement agreement with his former employer, details of which were later circulating through the industry. The worker’s argument is that publication will affect his reputation and that the fact that he has been in a dispute will reduce his job chances. The court reserved its decision.

Law Association article

Police technologies

The New Zealand Police's use of advanced technologies is creating potential privacy issues. Recent examples include:

  • A controversial genetic DNA investigative tool to solve two cold case murders. The Office of the Privacy Commissioner has now asked the police to pause future use of this tool pending legislative reform; and
  • An AI tool to reduce risks to frontline staff. SearchX can instantly find connections between people, locations, criminal charges and other factors likely to increase the risk of harm to officers.

The Ministry of Social Development went live with Identity Check, using new facial recognition technology, on 20 November, although there are concerns that the level of racial bias in the technology remains untested.

 

Australia 

Albanese Government’s first small step in privacy reform

The Albanese Government has delivered its response to a wholesale review of the Australian Privacy Act 1988 by the Commonwealth Attorney General’s Department. It has opted for a phased approach, committing at this stage to legislate for only 38 of the less controversial proposals, including:

  • Creating a Children’s Online Privacy Code to apply to services likely to be accessed by children;
  • Introducing new mid and low-tier civil penalties to allow for more calibrated regulatory enforcement, and
  • Increasing the transparency around automated decision-making, including by requiring that privacy policies set out the types of personal information that will be used in substantially automated decisions that have a significant effect on an individual's rights.

However, the Government has agreed in principle to another 68 of the review’s 116 recommendations and will launch a consultation on these with a view to introducing further legislation in 2024.

These changes may include:

  • Creating a 72-hour deadline for notification of a data breach;
  • Introducing new individual rights (including enhanced control over personal information and a "right to be forgotten") and a statutory tort for serious invasion of privacy;
  • Removing the current exemptions applying to small business and to employee records, and applying new safeguards to the journalism exemption, and
  • Certain changes to how data collection and data breaches are managed.

Among the 10 proposed amendments that the Government has merely “noted” is a recommendation to provide individuals with “an unqualified opt-out of receiving targeted advertising”.

The effect of the reforms the Australian Government has agreed to implement will be to bring Australia closer to the EU’s General Data Protection Regulation (GDPR) and to EU privacy legislation in general (see the item below on the EU Digital Services Act).  

We expect that the Australian decisions will also inform the direction of privacy policy in New Zealand.

Commentary from law firm Baker McKenzie; Australian Government fact sheet.

Better Consumer Data Right rules for business

Amendments to the Australian CDR regime came into force on 22 July 2023.  The changes are geared toward improving the rules for businesses.

Commentary from law firm Baker McKenzie.

International 

Europe

The EU Digital Services Act came into force on 25 August. The Act is part of a broad package of technology-related legislative reform in the EU, including the Digital Services Act, European Media Freedom Act, Data Governance Act, Data Act, Health Data Spaces Regulation, Digital Markets Act and Platform Workers Directive.

For a summary of the EU Digital Services Act, see this article.

California – you can check out

Residents of California will soon be able to sign a single form requiring that their personal information be deleted from the coffers of all data brokers in the State. The power is being conferred under the “Delete Act”.

Article

Innovation

Amazon Web Services plans to launch a European Sovereign Cloud located in Europe and separate to the company’s other cloud operations. It will be targeted to companies in highly regulated industries and the public sector, assisting them to meet the EU’s strict data privacy laws and reflecting the EU’s ambitions to achieve “digital sovereignty”.

Article

 

The UK Government is pushing police to double their use of retrospective facial recognition software and to deploy live facial recognition cameras more widely as part of a crime crackdown.

Article 

TikTok fined €345m (NZ$629,184,325) for child privacy breaches

TikTok has been fined over NZ$629m for multiple breaches of GDPR rules in a prosecution taken by the Irish Data Protection Commission.

Article
