SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image

Government under pressure to align with EU's data harvesting standards for businesses

This story was originally published on and is republished with permission.
Tue, 11th Oct 2022
FYI, this story is more than a year old

New Zealand is under pressure to yield to new European Union demands over how companies harvest people's data.

Cabinet papers show the government has signalled it will bring the country into line with an EU standard to force companies to tell people if they have indirectly gathered their personal data, such as from publicly available Internet sites.

At the same time, Britain wants out of the same framework - saying it wraps businesses in red tape.

The EU denies it is applying pressure here.

But Cabinet committee papers have an overriding focus on lining up with the EU.

Auckland commercial lawyer Nick Valentine warns that might well impose expensive compliance on to businesses.

"The government's bowing to pressure from the European Commission, hastily rushing through a change, to fix what the European Commission has obviously identified as a deficiency with our privacy law," Valentine said.

The data team head at law firm DLA Piper, he has analysed the Justice Ministry's three options to comply - and likes none of them.

"We're looking at incredibly difficult, expensive mechanisms needed to comply with potential new legislation, which might ultimately lead to some organisations refusing to process New Zealand data ... in terms of offering their products or services to New Zealanders," he told RNZ.

"It's bad for businesses, and bad for consumers who will either lose the benefit of some data processing activities, or suffer notification fatigue from constant privacy notices being sent to them," he wrote.

But the government says just the opposite.

If the country loses "adequacy - its status as being "on par" with the EU General Data Privacy Regulation (GDPR) - then firms dealing with Europe would face "more onerous safeguards" over data, warns the proactively released Cabinet papers.

The Privacy Commissioner and Privacy Foundation back the change.

Without it, many people would not know their personal data was harvested, said the foundation.

"The right to object and the right to erasure should be available for every New Zealander," it said.

The Justice Ministry yesterday told RNZ Cabinet has agreed "in principle to amend the [Privacy] Act to strengthen the level of transparency where an individual's personal information is collected indirectly by third parties".

It has just closed a consultation aimed at aligning law here with "international norms" and would advise the Minister, it said.

"This is important for ensuring New Zealand's rules are in step with major trading partners."

Nick Valentine said the ministry's consultation was unusually short and poorly publicised.

"You'd have to be monitoring the Ministry of Justice or Parliament websites to even find out about [it].

"This consultation seems to have been launched almost a little bit by stealth... The Ministry of Justice is sort of implying that it's a bit of a tweak."

No pressure, says EU
At the EU, its Ambassador to New Zealand Nina Obermaier rejected talk of their applying pressure.

"What we are looking at is a mutually beneficial agreement ensuring that personal data can flow freely and that privacy of the data is protected," she said.

"We've set up a robust framework and we believe that New Zealand is very much up there at the same level, so I don't think there's any pressure being exercised."

The Cabinet papers show the Justice Minister is briefing the EU on where things are at.

If the Privacy Act needs changing, that will be next year; it was last amended just two years ago, but rapid tech demands are often forcing law changes globally.

Britain wants out
Nick Valentine pointed out Australia was not aligned with the GDPR, and argued the business benefits of alignment were not proven.

Britain's new government has gone the other way, suggesting it remove itself to arm's length - like New Zealand's position.

"We will be replacing GDPR with our own business and consumer-friendly, British data protection system," said Culture Secretary Michelle Donelan.

"We will look to those countries who achieve data adequacy without having GDPR, like Israel, Japan, South Korea, Canada and New Zealand."

Nina Obermaier told RNZ the UK was free to choose.

The EU review of New Zealand's data protections was a routine, ongoing one, she said.

Auckland University associate law professor Gehan Gunasekara said there were loopholes that needed to be closed - such as that collecting publicly available, personal information was allowed, and only if you tried to use it did the Privacy Act kick in.

"There's like a black hole where we don't really know who's collecting information and who's on-selling it," said the former chair of the Privacy Foundation.

A new rule on indirect data collection "would tighten those loopholes, it would just make it harder for the buying and selling of personal information".

"I suspect a lot of organisations will be caught out" by a law change.

Whether publicly available datasets would be excluded, was a big question, he said.

Rather than the EU changes, it would be more useful to align with Australia's much tighter rules on transparency, Gunasekara said.

Follow us on: