Written by 11:58 am European Union

European Commission flexes extraterritorial muscles to force changes to the Privacy Act

The Ministry of Justice has announced that the Government is considering amendments to the data subject collection notification requirements under the Privacy Act 2020. As part of this process, the Ministry has requested feedback from stakeholders and the public on the proposed changes by 30 September 2022.

This consultation follows the European Union’s review of New Zealand’s status as an ‘adequate country’ under the EU’s primary data protection regulation, GDPR. During the review, the European Commission raised concerns about New Zealand’s lack of transparency around indirect collection of personal information. The Government is eager to close this gap, as it perceives our adequacy status as providing significant benefits to New Zealand, including lower costs for businesses trading with the EU, a reputation for being a country with a strong commitment to protecting privacy, and allowing New Zealand businesses to streamline data transfers with other non-EU countries through mutual recognition of privacy regimes.

Cabinet has already agreed in principle to amend the Privacy Act to strengthen the level of transparency around indirect collection of personal information. So the question is not whether a change will be made, but what it will look like.

This is an example of the European Commission using the broad extraterritorial scope of its stringent data protection regulation to force changes in non-EU member states.

The current notification framework

Currently, Information Privacy Principle (IPP) 3 requires organisations collecting personal information directly from the relevant individual to take reasonable steps to ensure that the individual is notified of certain key details about the collection, including the fact of the collection, the purposes for which the information will be used and the intended recipients. IPP 2 requires organisations to collect personal information directly from the relevant individual, but there are a number of exceptions to this rule, including if the information is publicly available, or when it is not reasonably practicable in the circumstances to collect the personal information directly from the individual. The notice requirements under IPP 3 do not apply where an organisation collects personal information indirectly (ie from a third party rather than the relevant individual), so an organisation that collects personal information indirectly in accordance with one of the exceptions to IPP 2 also does not have to notify the individual of the collection under IPP 3.

The Government wants to implement changes to ensure that individuals are informed about the processing of their personal information, regardless of how the information is collected. With this change, the Government aims to promote transparency around the processing of personal information and allow individuals to make more informed decisions about their privacy.

The MoJ’s Engagement Document sets out three options for introducing these changes:

  • amending IPP 3 to introduce a notice requirement for all organisations, regardless of how the information is collected;
  • amending one of the other IPPs, for example, amending IPP 2 to narrow the exceptions that allow organisations to collect personal information indirectly, or amending IPP 11 to require an organisation disclosing personal information to a third party, to notify the individual of the disclosure;
  • introducing a new IPP dealing with notification of indirect collection.

But what value would this change really add?

Extending IPP 3

While greater transparency and accountability in relation to privacy is a noble goal, it is difficult to imagine how extending IPP 3 would operate in practice and, more importantly, how it would actually result in a meaningful change to an individual’s autonomy over their personal information.

A simple extension of IPP 3 would seemingly require organisations to take reasonable steps to ensure that an individual, which in some cases the organisation may not have a direct relationship with, is aware of key information about the collection of their personal information by that organisation. Given that, in practice, notice requirements in New Zealand are often satisfied by way of an online privacy policy, this change would only result in a longer privacy notice that individuals are even less likely to read. Some organisations may not even have a way of engaging with the individual to provide the information required under IPP 3 (for example, an ad-tech platform may have some personal information about an individual, such as their age, country of residence, gender and transaction history, but no email address they can use to communicate with the individual).

In any event, expanding the notification obligation under IPP 3 would not provide individuals with any meaningful additional control over their personal information. If an individual has no means to object to this collection or use of their information, does this really allow them to make more informed decisions about their privacy?

Without more meaningful changes, the extension of IPP 3 to cover indirect collections is likely to present an administrative burden for New Zealand businesses (and international companies who are caught by the extraterritorial scope of the Privacy Act), with little (if any) benefit to individuals.

Amending another IPP

IPP 2

Unfortunately, the Engagement Document does not give any detail around the proposed narrowing of the exceptions under IPP 2. Narrowing these exceptions could have a more substantial impact on the processing of personal information in New Zealand, but could also introduce significant barriers to routine data processing activities. For example, removing the exception that allows indirect collection where direct collection is not reasonably practicable would, by definition, mean organisations must either find an impracticable workaround or not process the personal information. This could have a significant detrimental impact on individuals, as almost all technology we use every day relies on data exchanges between multiple providers’ platforms to function (eg e-commerce platforms, connected cars and streaming services).

There may be much public debate about whether that would be a positive or negative result but regardless, this type of change would have far reaching effects and would need to be very carefully considered by the Government, with a much more robust consultation process than the one at hand.

IPP 11

An amendment to IPP 11 requiring an agency to give notice to an individual when it discloses their personal information to a third party avoids the ‘impracticality’ issues above, as the onus would be on the organisation that has a direct relationship with the individual to tell that individual about all the other parties that will get access to their personal information. However, this could be an administrative nightmare for organisations (eg needing to update privacy notices every time there is a change in service providers to whom the organisation discloses personal information) and result in privacy notices becoming (even more) unwieldy and difficult to understand for consumers.

A new IPP

It is difficult to conceptualise a new IPP that would achieve the limited goals of these proposed changes without either replicating the first two options proposed by the Ministry of Justice or requiring more substantive changes to the Privacy Act 2020, reaching well beyond the Government’s objectives of transparency and accountability.

As we have noted in relation to the first two proposed options, without undertaking a broader review of New Zealand’s privacy laws (something the Government is unlikely to consider given the relatively recent enactment of the Privacy Act 2020 after years of delays), the administrative burden on businesses in New Zealand to implement such a narrow change is likely to outweigh the benefit to individuals.

How can you contribute?

The Ministry of Justice is seeking feedback from agencies, both domestic and foreign, as well as individuals whose information may be collected indirectly. The Engagement Document sets out seven questions that respondents should provide comment on. Responses can be emailed to [email protected] or posted to Electoral and Constitutional, Ministry of Justice, PO Box 180, Wellington 6140, New Zealand. The deadline for submissions is 5 pm, 30 September 2022. If you would like to make a submission, please get in touch with one of our experienced privacy lawyers to assist with drafting a response.

Source link

Close