Privacy Commissioner calls for urgent privacy law reform after Uber hack

Privacy law reform is urgently needed, Privacy Commissioner John Edwards warns in his briefing to new Justice Minister Andrew Little, made public this afternoon (echoing a call by this publication earlier this week).

As this stand, New Zealand is falling behind the rest of the world, Mr Edwards says.

His warning follows Uber belatedly confessing to a worldwide data breach.

On Wednesday night, the ride-sharing company has informed his office stolen data included the user names, emails and phone numbers of around 100,000 New Zealand customers. Uber told him its initial assessment was that no credit card information was taken.

Many countries have now introduced mandatory data breach disclosure laws.

Mr Edwards wants an update to the Privacy Act (1993) to follow suit, with fines of up $200,000 for individuals and $1 million for companies.

He says under the current law, he probably couldn't sanction Uber unless it actively tried to obstruct his investigation.

An overhaul of the Act has been on the cards since a sweeping Law Commission review in 2011, with Justice Ministers Judith Collins and then Any Adams signalling change but not following through.

The good news for the Privacy Commissioner is that if the coalition does pick up the ball, it won't have far to run.

NBR queried Andrew Little's office and was told by spokesman Mike Jaspers that, "The Justice Ministry advises that drafting of a privacy bill is well advanced, but it’s not imminent, so we’re not in a position to give any indication of a date."

Mr Edwards says most existing privacy laws around the world have been reformed in the last three years or are currently being reviewed and updated.

Internationally, the most influential is the European Union (EU) General Data Protection Regulation (GDPR) that comes into force in May 2018 and affects Europe and many of New Zealand’s trading partners. The GDPR standards lift the baseline internationally in response to the challenges to consumers and data protection in the global digital economy.

Here, the 2011 Law Commission’s comprehensive review made numerous recommendations for changes to the Privacy Act. These proposed changes were to enable the law to better keep pace with the rapid changes over the past 20 years to information and communications technology. The Government at the time accepted the majority of those recommendations.

Mr Edwards noted a new Privacy Bill was currently being drafted. His office has been closely engaged with officials throughout this process. The key changes in the draft legislation included:

• modernising the Privacy Act;
• empowering the Privacy Commissioner to issue a compliance notice in the event of a breach of the Act;
• empowering the Privacy Commissioner to issue a determination when a person has requested access to personal information under principle 6 and has been refused; and
• the introduction of mandatory reporting of serious data breaches, to bring New Zealand into line with international best practice.

In a subsequent review of the operation of the Privacy Act in 2016, the Privacy Commissioner provided a report to the previous Minister of Justice, recommending additional reforms, including the power to fine non-compliant agencies.

Mr Edwards says New Zealand has a competitive trade advantage because the EU has formally recognised that our privacy law meets current EU standards. This EU adequacy status allows the unrestricted transfer of European data for processing. “The current risk for New Zealand is that our Privacy Act has fallen behind international standards and the case for reforming it is clear and very evident.”

All content copyright NBR. Do not reproduce in any form without permission, even if you have a paid subscription.