Is our Privacy Bill a match for the EU's GDPR?


Next week the European Union's new privacy regulation, the General Data Protection Regulation (GDPR), comes into effect after a two-year transition period. It couldn't be more timely, after the Facebook-Cambridge Analytica controversy, which forced Mark Zuckerberg to front US Congress last month.

The EU isn't the only territory addressing ever-increasing privacy concerns; New Zealand has a new privacy law on the way too. The Privacy Bill was introduced in March of this year and is currently wending its way through Parliament. Public submissions on the bill close next Thursday, at which point a Select Committee will decide on the next step.

The Privacy Bill repeals and replaces the twenty-five-year-old Privacy Act 1993. That act was born in a comparatively innocent time, before the Web was in widespread use, when digital privacy for citizens wasn't such a concern. The stated purpose of the new Privacy Bill is "to promote people's confidence that their personal information is secure and will be treated properly."

I asked New Zealand's Privacy Commissioner, John Edwards, what features he'd like to see in the new Privacy Bill.

He is looking for the Privacy Bill to give New Zealand "meaningful enforcement powers, such as an ability to seek fines for serious non-compliance." He hopes the new bill will make it mandatory to notify authorities of a privacy breach.

Edwards also wants the new bill to include "steps to address the increasing automation of processes that can affect access or entitlement to goods and services" - including a right to ask how an algorithmic decision was reached and a right to object to decisions made solely by automated means.

It's not just privacy breaches and opaque algorithms we need to worry about. Over the past several years there has been a rise in data analytics companies seeking to use our personal data for commercial (or worse) ends.

Just look at what Cambridge Analytica managed to do with Facebook data. Cybercrime has also been on the rise, with numerous global Internet companies breached. The biggest case yet is the Yahoo data breach of 2013-14, which affected about 3 billion Yahoo user accounts.

Indeed, global technology companies have been put on notice by the European Union's GDPR. While Facebook is a US company, the GDPR applies not only to companies established in the EU but also to companies anywhere in the world that offer goods or services to people in the EU, or monitor their behaviour. The GDPR includes sweeping changes to how companies like Facebook can collect and use personal data. For example, people in the EU will be able to request that Facebook hand over any personal data it holds about them (the right of access), and they can require Facebook to erase such data (the so-called "right to be forgotten").

Facebook and other large tech companies have to take this seriously, since the GDPR provides for fines of up to 4 percent of global annual turnover, or €20 million, whichever is higher. The EU has proven in the past that it's willing (and able) to hand down huge sanctions to US technology behemoths. In 2016 Apple was ordered to pay €13 billion in back taxes to the Irish government, and more recently the EU fined Google a record €2.4 billion for breaching antitrust law.

Facebook is scrambling to safeguard itself from those types of sanctions. It has published a special webpage promising to comply with the GDPR, and furthermore has said it will make the privacy controls and settings Europe will get under GDPR available to the rest of the world.

What about New Zealand businesses: do they have to comply with the GDPR too? Privacy Commissioner John Edwards thinks it's not clear-cut.

"Having European customers is not enough to bring a NZ business under the GDPR," he said. Instead, he thinks EU officials will look for indicators like "a presence in Europe, targeting EU countries with European languages on your website, [and] offering sales in EU currencies."

Edwards hopes to get more clarity as the GDPR matures. "Remember," he said, "at this stage only 5 EU countries have compliant laws, so we are hardly going to be a priority for enforcement action."

Regardless, one action that local businesses can take now is to make sure their compliance with NZ law is sufficient. "That should take you a long way toward compliance with the GDPR," Edwards told me.

All that said, our Privacy Bill does not go to the lengths the GDPR does to strengthen individual privacy. Although New Zealanders are entitled under local law to access their personal information held by Facebook, the Privacy Bill as yet has no provision to punish Facebook should it refuse to hand over that data.

Even if the NZ government challenges Facebook on this, how likely is it that Facebook will take any notice? Our tiny population makes us a minor irritant to multinational companies. The European Union, by contrast, has over 500 million inhabitants, and correspondingly more leverage.

I asked John Edwards if New Zealand should perhaps consider creating a privacy alliance with global partners, much like the Five Eyes intelligence-sharing alliance we're a part of.

"The idea of an international alliance is an interesting one," Edwards replied. "I think international law is lacking in this space. There has been talk of a Digital Geneva Convention, and there are some treaties and other instruments under discussion. It is inevitable that the international community will have to agree some standards at some stage in this space. If you can do it for intellectual property (a la the Berne Convention) why not privacy and data protection?"

Why not, indeed. But until we get such an alliance, it's good to see the New Zealand government taking proactive action to improve our privacy law.