What we’ll see in ’23 – The year ahead in privacy

type
Article
author
By Dentons Kensington Swan
date
9 Feb 2023
read time
5 min to read

The dust has well and truly settled on the year that was 2022 – a busy one for privacy professionals the world over. As we launch into 2023 (to be fair, it’s already February, but we needed a break!), it’s time to look ahead to what we think will be the key trends and things to watch in the next 12 months in privacy and data protection in Aotearoa New Zealand and further afield.

Enforcement action: The new privacy commissioner, Michael Webster, is likely to have his work cut out for him. After taking up the mantle on 5 July 2022 (replacing the more ‘vocal’ John Edwards, whose Twitter presence has shifted focus to the UK since he took up the appointment as UK Information Commissioner in December 2021), Mr Webster is likely to have an even busier 12 month spell in the hot seat as pressure mounts on his office to take more action on the compliance front.

Cyber incidents: More than any year previously, 2022 was a big year for high-profile cyber incidents. We reported in October on the Optus cyber security wake-up call – a massive Australian cyber incident affecting around 10 million customer account records across the ditch. The ink was barely dry on that report when Australian health insurer Medibank suffered a similar breach, affecting a similar number of customer records. Closer to home, the Privacy Commissioner commenced its compliance investigation against Mercury IT, a provider of IT services across the country, which was subject to a ransomware attack in November affecting a number of its customers. The Privacy Commissioner also warned about the importance of handling data breaches with care and urgency, following a breach at Archives New Zealand that resulted in sensitive health information being made publicly accessible. Expect more of the same in 2023 as the success of last year’s attacks inspires a new wave of ‘bad actors’. As we reported on in November 2022, the annual review of the UK National Cyber Security Centre is a sobering read – but there are steps you can take to position yourself to respond to the inevitable. Start by checking out this great conversation with our senior Dentons Canada data protection lawyer, Chantal Bernier (a former Privacy Commissioner of Canada) where she discusses the steps you should be taking in response to an incident.

Consumer data rights: On 10 November 2022, a New Zealand-first consumer data right framework for the banking sector was announced. On 19 December, the Minister of Commerce and Consumer Affairs, David Clark, sought agreement from the Government on the high-level elements of the consumer data right (CDR) legislation. The Minister recommends that banking should be the first sector to implement a consumer data right framework (also known as ‘open banking’) and that the CDR should be administered by MBIE. Other sectors, including financial services, telecommunications, insurance, energy, and health, may be considered in the future. Of most interest are the proposed penalties. For the most egregious ‘tier 4’ breaches, the proposal is for imprisonment of up to 5 years and/or a fine of up to $1,000,000 for individuals; for companies, the proposal is a fine of the greater of $5,000,000 or either (a) three times the value of any commercial gain, or (b) if the commercial gain cannot be ascertained, 10% of turnover in the periods in which the breach occurred. These proposed fines sit somewhat uncomfortably alongside the ‘wet bus ticket’-sized fines under the Privacy Act – but perhaps indicate a willingness on the part of the government to take things a bit more seriously when it comes to the mishandling of data.

Advance Australia fair?: Speaking of fines, we had a ‘crikey!’ moment late last year when the proposed revised maximum penalties for breaches of Australian privacy law were announced. Those in the gun will need to scramble in their moneyboxes and behind the couch for loose change – and then some – as the maximum civil penalties (being the penalties the Office of the Australian Information Commissioner (‘OAIC’) may seek via court order) against organisations for ‘serious and repeated interferences with privacy’ have been elevated to the greater of:

  • AU$50 million
  • if the court can determine the value of the benefit that the organisation and any related organisation obtained from the contravention, three times the value of that benefit
  • if the court cannot determine the value of that benefit, 30% of the adjusted turnover of the organisation during the breach turnover period for the contravention.

We look forward to someone (not one of our clients though…) being the first recipient of a hefty fine under the new regime across the Tasman. We’ve checked, and apparently ‘Tell him he’s dreaming’ isn’t a viable response to a court order issued under the new law... Check in here with what our Australian colleagues have to say – including on the extraterritorial application of the law; and for more on what it might mean for businesses on this side of the ditch, have a look at what we had to say back in late 2021 when the exposure draft of the bill first came out.

Changes to New Zealand privacy law: The Aussies don’t get to have all the fun. Changes are looming to New Zealand privacy law: even though the Privacy Act 2020 is only in its infancy, the Ministry of Justice is considering potential changes to the notification rules for collecting personal information, which would require an individual to be notified when an agency collects their personal information indirectly through a third party. In our submission in response to the Ministry’s consultation, we took the view that the change was unlikely to provide a tangible benefit for consumers and would likely impose undue compliance costs on agencies, but that it was a price worth paying if it enabled New Zealand to maintain its ‘status of adequacy’ as far as the European Commission is concerned. Our adequacy will remain in the spotlight this year, as the European Commission continues its ongoing assessment of Aotearoa’s legislative and regulatory framework. We think our adequacy is great and the benefits are significant (even if not always obvious), so anything that can be done to maintain adequacy is generally to be encouraged. As we reported in September last year, the Privacy Commissioner is also looking into what can be done to further regulate the use of biometric technologies such as facial recognition, and plans to engage with interested parties to discuss the potential contents and implementation of a Code of Practice in the future.

Bring it home: While we are big fans of the adequacy of New Zealand privacy laws, the same cannot always be said of the privacy and data protection regimes of other jurisdictions. It seems like a lot of people agree with us: as we discussed back in March last year, data sovereignty is becoming more and more relevant for New Zealand-based organisations – especially those entrusted with sensitive health information. The good news is that more options for local cloud solutions are due to come online in the next 12-24 months, which should give organisations better tools to manage the risks associated with storing their data. That said, all organisations will need to be alive to the extraterritorial reach of overseas laws, and the impact that has on the ‘true’ data sovereignty compared with ‘home grown’ New Zealand-based solutions.

Trans-Atlantic Data Privacy Framework (formerly known as the ‘Privacy Shield’ (formerly known as the ‘Safe Harbor’)): To put into perspective the benefits of New Zealand’s ‘adequacy status’, third time will hopefully be a charm for trans-Atlantic data sharing arrangements, as the US and EU work to put in place the ‘Trans-Atlantic Data Privacy Framework’ to replace the ‘Privacy Shield’ (declared invalid by the European Court of Justice in 2020), which itself replaced the ‘Safe Harbor’ (declared invalid by the European Court of Justice in 2015). The transfer of data between the EU and the US remains fraught with difficulty, in part due to the powers of US intelligence agencies to access data held in the US – or even by US subsidiaries abroad. We had a bit to say on this in October last year, and are lucky to be able to work with our Dentons colleagues in the Global Privacy and Cybersecurity team, who have the greatest insights into what it means for cross-border data sharing.

A human most definitely wrote this insight: But the same might not be the case next year, as AI technologies continue their path towards reforming the way in which content and advice is created, and also how decisions are made. The EU is – as is often the case – a step ahead when it comes to the regulation of new technologies such as AI, and as you can see from this piece from our colleagues in Dentons Europe, a new legislative regime is on the horizon. We’d expect Aotearoa to follow suit in due course, and indeed it might be that it will be our new AI Assistant reporting on developments in New Zealand when advising you what’s in store for ’24 (watch this space…).



About the authors

Campbell Featherstone is a Partner at Dentons Kensington Swan and is a commercial, technology and privacy lawyer. He provides advice on procurement, privacy and data protection, IT agreements (including SaaS, agile and waterfall software development, and traditional licensing), IP licensing and consumer and marketing law compliance.

Hayley Miller is a Partner at Dentons Kensington Swan and is a commercial lawyer with a particular focus on technology and innovation. She has developed a multi-disciplinary practice which is often at the intersection of technology, privacy and consumer law.

Hayden Wilson is Chair and Partner at Dentons Kensington Swan. He leads the Wellington litigation team, specialising in public, regulatory and commercial litigation. Hayden plays a key role in the firm’s relationships with government agencies. Hayden is a member of the Global Board of Dentons.

Gunes Haksever is a Senior Associate at Dentons Kensington Swan and is a commercial media and technology lawyer admitted to Istanbul Bar Association in Turkey. He provides advice on content development, media acquisitions, content licensing (entertainment and sports), infrastructure and IT acquisitions (software, hardware and services including XaaS), outsourcing, large scale and complex outsourcing projects, procurement and media law compliance.

Ashleigh Ooi is an Associate at Dentons Kensington Swan and is a commercial lawyer with expertise in technology, media, intellectual property and privacy. Having started her career in litigation and dispute resolution, she knows the value of “getting it right” at the start of a commercial arrangement or product journey.