Video transcript: Privacy law reform: Time for an update

Transcript for a video of a presentation about updates to New Zealand's privacy laws filmed at the 2018 Audit New Zealand client update.

Title: Privacy law reform: Time for an update, John Edwards, Privacy Commissioner

John Edwards

As that very kind introduction noted, I was appointed in 2014 and since then almost every time I’ve got up to speak at a podium I’ve said, “We’re gonna have a new Privacy Act.” It’s been a long time coming. It is now in the Parliament; it was introduced last week. So, I thought I would take a few moments to just give you a briefing on that.

So, where have we come from? Twenty-five years. Just think back to what life was like 25 years ago. We didn’t have any social media and now I seem to be stoushing with Facebook in public every day. We didn’t know what a “data breach” was. We did have cell phones. You know, we didn’t have data-based businesses and now very much of the economy runs on data, and very much of the government’s aspirations for how public services are to be delivered is built on data. We have an increasing movement to value data, to put personal information in your balance sheet, for example. How do you account for it? How do you make sure that that asset is properly accounted for and therefore protected? These are things I think which are increasingly important and I think Audit New Zealand is doing some work on valuing information and ensuring appropriate stewardship of information.

We see constant predictions – usually from those with vested interests – of the death of privacy; they come on an almost weekly basis. Here, we have 1970 – “Privacy’s death foretold” – and 1997, and they come up every three or four weeks. I can happily report to you that privacy is not dead. It may seem a little wounded, but the struggle continues. In fact, privacy has become a focus of attention for consumers, for industry and for governments all around the world, so it’s not something we can ignore any more. Back in 1993, I set up a business of working in the legal advisory field providing guidance on privacy, and most of my colleagues in the legal profession said, “Why? You’re mad, nobody cares, it’s not a commercially viable thing, it doesn’t affect the bottom line.” Well we’ve seen that it now does affect the bottom line. When you take $87million off the value of Facebook’s shares in a few weeks because of the way in which a political marketing company has exploited user data, that is something to sit up and take notice of. When you see value flee from IPOs, from publicly listed companies, and when you see trust in governments undermined that is something that we do need to sit up and take notice of.

And various governments and officials and thinkers have reflected on these things over the last 25 years. We’ve had, in my own office, a statutory review of how the Act was operating in 1998, which was called Necessary and Desirable, and that made a number of recommendations to governments about modernising and improving the law in 1998. The Law Commission started to look at privacy in 2006, and in 2011 produced its voluminous report on a new Privacy Bill. In 2014, the government minister, then Judith Collins, made some response to the Law Commission’s report and made a number of commitments to privacy law reform, and I’ll run through some of those for you in a moment.

Those stalled for a number of reasons which were certainly outside my control and perhaps undesirable, but we have to deal with the political and administrative situation that we have, so we haven’t had law reform, we’ve had some “cherry-picking”, but we have yet to see the fundamental review of privacy that we have been promised for seven years.

So, in 2016, I took it on myself to review where we’d got to in the five years’ intervening. We’d seen in that time an enormous explosion of data-based businesses. The biggest taxi company in the world never fills the tank, right? The biggest accommodation provider never changes a sheet. These businesses – Uber, AirBNB – these are data businesses. They are marketing, collecting, and getting value out of data and that’s significantly changed the world economy, I think. So, we’ve made a number of recommendations and reported to government in late 2016, a report that was tabled in the House last year in January 2017.

What are you getting? Oh, yes, and big data. Big data is gonna solve everything – not quite – blockchain’s gonna save the rest. We have these huge aspirations, but what underpins, I think, extracting the value from data for both government and business is the maintenance of trust and confidence. And all the reforms that we’ve recommended, and the government has accepted, are intended to strengthen the framework for the maintenance of individuals’ trust and confidence in the stewardship of their data, both in industry and in government. So, the key changes that were accepted by the Minister of Justice and the Government in 2014 are these ones on the slide. We’re going to see mandatory data breach notification. What that means is if an agency loses control of data that could affect individuals in a way that could harm them, there will be an obligation on that agency to notify my office.

Now, there’s not a hell of a lot in this new Bill that is gonna change the compliance costs structure of the Privacy Act. It’s gonna be business-as-usual pretty much, unless you’re in breach. When the Law Commission reviewed the Privacy Act, it found that the fundamentals remain sound, and the information privacy principles which governed the lifecycle of personal information in a technology-neutral way remain fit for purpose. So that’s good. You’re not gonna have to radically re-engineer your policies and processes. One thing you are gonna have to get ready for is breach notification. And I think it is gonna be worthwhile your reading the Bill that was introduced last week, that we expect to have its first reading today after the dinner break in Parliament, and having a look at the provisions which relate to breach reporting, because I don’t think the drafters or the Ministry of Justice have got it right yet. You as agencies charged with complying with this law need to have some certainty about what you are required to report, and when.

Now, what we’ve seen, this is a difficult area. Should we have a really easy-to-implement, hard-line, arbitrary, numerical approach such as my colleagues in Singapore have? If over 500 accounts are implicated, you have to tell the Privacy Commissioner. Well, if you get an email with 500 email addresses in the ‘cc’ field that should have been in the ‘bcc’ field, you may not care about it. It could be Audit New Zealand just telling you that there’s another fantastic seminar, and it doesn’t really matter that is in that string. So, it’s not particularly sensitive information, that 500. But if you get five records from an addiction counselling service left on the top of a taxi, that may be so significant and important that it warrants reporting to my office. It’s important because the Ministry of Justice is thinking about penalties – there’s gonna be possibly a $10,000 fine for not reporting. Now, you’re gonna have to report to me. I don’t want you over-reporting; I don’t want you erring on the side of staying out of trouble and telling me every time somebody accidentally leaves a document on the photocopier that could have been seen by someone.

So, I urge that you do engage with the law reform process, that you inform yourself about the implementation requirements that this Bill imposes on you, particularly around breach notification and tell Parliament what you think. In doing so, bear in mind the public policy imperative. What are we trying to do? What’s the public good? The phrase that I was taught at university – “where’s the mischief that this legislation is trying to resolve?” The mischief is people may be able to take some steps to protect themselves if they are aware that their data has been compromised. So, what triggers the obligation to notify? My office has no powers to enforce the Privacy Act at the moment. This initiative, the Privacy Bill, will give me a power to issue compliance notices to say, “I don’t think you’re complying with the law; comply with the law.” And those will be then enforced through a sort of quasi-judicial process. There will be new criminal offences for impersonating an individual. Again, I think some of these ideas are starting to look a bit dated already. This is 2011 thinking. I have said – not in public, don’t tell the Minister of Justice I’m saying this – but it looks like we’re gonna see a Privacy Act fit for 2013.

Now, I’d like you to go into Parliament and say, “Let’s make it fit for 2019; what do we need for this?” We see these criminal offences from impersonating an individual, binding decisions on access will be something, if you don’t give somebody access to their personal information, rather than waiting three years to work their way through the Human Rights Review Tribunal I’ll be able to issue notices requiring that you disclose the information.

So, those are the principal new policy initiatives that will be in this law. The other thing that you will notice when you download it from the Parliament website and flick through it is that it’ll look a bit different. In addition to these new policy initiatives, the Parliamentary Counsel drafters have been given a mandate to modernise the law. So, if it looks too different, if the law that’s introduced doesn’t match your systems, I think you should talk to Parliament about that as well. Say, “actually, we knew what it said before, we’ve built our systems around it can you please just leave it as something that we recognise.” That’s something that I think is actually an important, soft compliance cost even though it’s only a one-off thing. If you don’t need to re-engineer your systems I don’t think you should have to.

In 2016, as I said, we had a look and said, “Are we fit for purpose?” And we suggested that we needed a few more enforcement powers to match those of my colleagues in other parts of the world. In Europe, there is a new general data protection regulation coming into force on May the 25th. Now that wasn’t even on the horizon back in 2011 when the Law Commission reported. But we are now gonna be really out of step. I’m not gonna find any of you guys. You take the time to come here and inform yourselves, but what about the cowboys in your industry, the ones that don’t put the same attention into compliance, that are not honouring the commitment they have to their stakeholders, their customers, and others. You know, they are bringing down your industry and are taking advantage of the corners that they cut. I want to have some real tools to make those people who need some hard incentive to comply to do the right thing as well. I don’t think that’s you, so, don’t worry, I’m not coming after you to prosecute. But there are some cowboys out there and if you wanna see who they are you could have a look on our website and see the kinds of agencies that we name, for example, people who just lie to consumers outright. The Commerce Commission can get them into court – why can’t I? So, we’re asking for a similar power. It’s actually not commensurate with the powers that my colleagues in Europe have. I wouldn’t mind if it was. They can fine an agency four percent of their global revenue. Now, if I could do that and keep the money, we’d really have a privacy law that could make a difference.

We would like to see a power to have agencies demonstrate their compliance. What we’re seeing playing out now with Facebook and Cambridge Analytica shows that we cannot trust these agencies sometimes. This stuff, which is on the front pages of international media every single day for, like, two or three weeks, happened in 2014. So, had we had mandatory breach notification and a power to actually hold some feet to the fire and say, “Prove that you’ve fixed this,” we may not have seen the great undermining of confidence in those platforms, and they might not have seen the loss of value to their shareholders. Data portability is something also that we thought would be useful to look at – that is, an ability to take your data from one agency to another and have it in a machine-readable form, so you can switch services, take your data with you so you’re not locked in by one particular platform’s custody of your personal data. You remember back in the days of mobile phones how hard it was to switch services. You had a lot invested in that number and so the inertia for switching services was something that the telecommunications companies traded on and gauged us for their fees on. And they told us, “We can’t technically do it, it’s technically too hard,” and then we had a law change which said, “Well, you gotta do it,” and they found a way. And now we can take our number, we can switch from one service to the other and we can make consumer decisions that are in our best interests, and the company has to compete now to win that number from us. And we want the same for our data. I think there’s a really compelling kind of anti-monopolistic trust argument there.

I won’t bore you with the rest; I think you’re on a pretty tight time frame. We’ve invested in this, even though we’ve got this law reform and I want you to look at the law, it’d be great if we could have you engaged telling Parliament what you think of it, telling Parliament what you think there should be more of, what you think there should be less of. If you don’t support me having a power to fine people a million bucks, go and tell them that. If you think I should have the power to fine them ten million, go and tell them that. In the meantime, you’ve still gotta comply with the law that there is and we wanna help you to do that. We’ve developed a whole lot of tools to help you with that, one is this “Ask Us” tab on our website. It’s growing all the time; it pretends to be artificial intelligence, but it’s not really – there’s a guy out the back getting your questions and writing answers. So, it looks really smart when you’re the second person to ask, but it is a fantastic resource and it’s getting better every week. And if there’s not an answer to your question about how you meet your obligations under the Privacy Act, or what your rights are as a consumer, when you enter that question you can be guaranteed that if there’s not an answer now there will be in a week or two.

If you wanna know how to keep your organisation, how to prepare your organisation for the new environment, or for the heightened risk environment that we’re seeing, also jump on our website and enrol some of your staff, the key staff, in Privacy 101. It’s an online course, it’s free, it’ll take them maybe a couple of hours to get through. If you wanna have a wider awareness-raising tell your people, all of them, to do Privacy ABC. If they can read a newspaper, then they can get through that course. It’s not a legal thing, it’s not gonna get them all the answers, it’s not gonna make them an expert, but it’s gonna raise the level of awareness and insulate you a little about risk. It’s gonna tell them, I think at least, when they need to ask a few more questions.

Title: For more information and to download presentations, visit:

Watch the original video.