2018 is going to be an interesting year for privacy, both in NZ and internationally. There are three main reasons.
Australia – Mandatory Reporting of Data Breaches
This came into effect on the 22 February 2018. If you have a business entity in Australia with an annual turnover of over $3m then you will fall under the Privacy Act and the new Notifiable Data Breaches amendment. If you suffer a data breach that “is likely to result in serious harm to any of the individuals to whom the information relates”, then you must notify the Australian Privacy Commissioner and the affected individuals as soon as practicably possible. The amendment defines a data breach, serious harm, and also qualifies what remedial steps a business could take to remove the risk to individuals, which would mean that they no longer had to notify the breach.
Europe – General Data Protection Regulation
This comes into effect on the 25 May 2018. It provides protection for people residing in the EU. Businesses in NZ will fall into the scope of GDPR if they
- have a business entity in the EU
- provide services (paid or free) to people residing in the EU
- market to people residing in the EU (including profiling them using web technologies)
It does not apply if someone from the EU is able to access your website – you have to be targeting your services to them. And it does not apply to EU citizens residing outside of the EU – so no need to ask your clients about their citizenship in order to comply with GDPR. Travel and tourism companies are likely to need to comply, as will Internet startups who market their services to the EU. As the law is new, it will take a while for any ambiguities to be ironed out.
New Zealand – Update to the Privacy Act
After a couple of reviews over the past two decades, our Privacy Act is finally getting an update. Submissions close on the 24 May 2018. Currently included in the draft Bill is mandatory reporting of data breaches, and it’s likely that other requirements will be strengthened to keep our laws close to the level provided by GDRP (though perhaps not as stringent). NZ currently has “adequacy” status with the EU, which means that personal information can be transferred to NZ without businesses having to take additional measures. We will want to maintain this status (only 12 countries have this).
If you’d like to discuss this area in more detail, please get in touch.