Update on the first 6 months of the Privacy Act 2020
Welcome to New Zealand's Privacy Week 2021. The Privacy Act 2020 has now been in force for nearly six months. To celebrate Privacy Week, we were again fortunate enough to have the Privacy Commissioner, John Edwards, come and speak to our team and clients. Some of the key take-outs from the session were:
- As expected, since the new Act brought in a mandatory breach notification regime, there has been a 97% increase in the number of reported breaches in the preceding six months. However, this is a much smaller increase than was experienced in Australia following the introduction of the mandatory breach notification scheme there.
- The vast majority of breaches reported have not met the threshold for notification. The Privacy Commissioner acknowledged that overreporting is understandable as agencies act with an abundance of caution in the infancy of the breach notification scheme. However, the Commissioner encouraged agencies to rigorously assess breaches to avoid unnecessary anxiety and stress to affected individuals.
- It will come as no surprise to anyone working in an office that a large percentage of breaches have been a result of email error. Other common causes include unauthorised sharing and access and website/IT errors. The Privacy Commissioner endorsed agencies reaching out where possible to the accidental recipients of emails and requesting that they delete the email and all personal information they had mistakenly received. Where this is done, and the agency is confident that the unauthorised recipient can be trusted to dispose of the information, agencies can be said to have successfully mitigated the risk of harm resulting from the privacy breach.
- Most notifiable privacy breaches (65%) have resulted in emotional harm, with 30% in financial harm and 30% in reputational harm.
- Key areas of interest in the privacy space remain COVID-19 and the rental sector.
Misleading collection of location data: not just a privacy issue
As a sign of what we are likely to see in New Zealand, the Australian Federal Court has recently released a decision on the use of personal location data collected through mobile devices where consumers have been misled. This is one of the first enforcement decisions of its kind worldwide and is another important reminder that how personal data is collected must be communicated transparently to consumers.
The context of the Australian decision was the Australian Competition and Consumer Commission (ACCC) taking enforcement action against Google, accusing it of misleading customers by not making it clear how Google collected personal location data from Android mobile devices. The Court ruled that Google had misrepresented that the "Location History" setting was the only setting affecting whether personal location data was collected, stored or used. However, an additional setting, "Web & App Activity", also allowed the collection and use of location data. This setting was turned on by default, and Google did not sufficiently alert consumers that they needed to turn this off to prevent their location data from being collected.
Privacy concerns and the misuse of data have typically only been considered in New Zealand by the Office of the Privacy Commissioner. However, this new Australian decision will likely encourage New Zealand's Commerce Commission to consider whether privacy policies, user interfaces or terms and conditions mislead consumers about how their data will be used. The implication of this is a greater risk of a regulatory investigation, and possible prosecution and financial penalties, including under the Fair Trading Act 1986.
In light of the Australian decision, businesses (and "agencies") in New Zealand will want to think carefully about how they ensure consumers are made aware of how their data is collected – this can go beyond merely reviewing the standard privacy policy. Google drew attention to its collection methods in its terms and conditions; however, the Court was not convinced this was sufficient to clearly explain how the Web & App Activity setting operated, and to make sure that consumers understood how their data was collected. Any decision of the New Zealand courts will be highly context-specific, but it will be interesting to see what approach the New Zealand courts take when faced with the same issues, especially in the context of a regulatory prosecution and a higher burden of proof.