Dentons US LLP

07/10/2024 | News release | Distributed by Public on 07/10/2024 04:14

Are we heading towards a civil penalties regime for privacy breaches in New Zealand

July 10, 2024

On the back of the Office of the Australian Information Commissioner (OAIC) filing civil penalty proceedings against Medibank, New Zealand's Deputy Privacy Commissioner, Liz MacPherson, has commented in the Office of the Privacy Commissioner's newsletter of 27 June 2024 (Newsletter) on New Zealand's comparative lack of a civil penalty regime for interferences with the privacy of individuals.

Australian position in the context of Medibank

The OAIC's legal action against Medibank was the result of Medibank's failure to protect sensitive medical records relating to 9.7 million Australians, which were consequently accessed by threat actors in 2022 and released on the dark web.

In Australia, the Australian Information Commissioner may apply to the Federal Court for a civil penalty order where an organisation has allegedly engaged in serious or repeated interferences with privacy in contravention of section 13G of the Australian Privacy Act (Privacy Act 1988 (Cth)). The OAIC alleges that Medibank seriously interfered with the privacy of the affected Australians by failing to take reasonable steps to protect their information from misuse and unauthorised access or disclosure.

The OAIC's filing of proceedings is notable because, for breaches that occurred at the time of the Medibank data breach (pre-December 2022), the Federal Court can issue fines of up to AUD2.2 million per interference. If the Federal Court were to issue the maximum penalty per interference in respect of Medibank, this could amount to a fine of AUD21.5 trillion.

For privacy breaches that occurred after the December 2022 amendments to the Australian Privacy Act, the maximum civil penalty the Federal Court can impose is the greater of:

  • AUD50 million;
  • three times the value of the benefit obtained directly or indirectly and that is reasonably attributable to the conduct; and
  • if the value of that benefit cannot be determined - 30% of the adjusted turnover of the body corporate during the 'breach turnover period'.

New Zealand position

Against the background of the potential imposition of significant civil penalties against Medibank, the Office of the Privacy Commissioner in New Zealand has taken the opportunity to highlight the absence of a civil penalty regime under the New Zealand Privacy Act (Privacy Act 2020), and the lack of incentives for New Zealand agencies in respect of their actions (or lack of action) to protect personal information. The Deputy Privacy Commissioner noted in the Newsletter that New Zealand "is an outlier compared to all the economies we usually compare ourselves with" and that "a civil penalty regime is a critical tool missing" from the Office of the Privacy Commissioner's regulatory toolkit. Having briefed the Incoming Minister of Justice in December 2023 that significant change was needed to address privacy harms and secure benefits in New Zealand (Briefing), the Office of the Privacy Commissioner highlighted that "the time is right to give the regulator the tools it needs to reinforce good privacy protective and competition positive behaviour" as part of a broader regulatory reform package.

Presently, an agency that, without reasonable excuse, fails to notify the New Zealand Privacy Commissioner (Privacy Commissioner) of a notifiable privacy breach commits an offence and is liable on conviction to a fine not exceeding NZD10,000. The Privacy Commissioner may issue an agency with a 'compliance notice' at any time, including concurrently with the use of any other means of dealing with the breach, if the Privacy Commissioner considers that the agency has breached the New Zealand Privacy Act. If the agency fails to comply with a compliance notice, the Privacy Commissioner may take enforcement proceedings in the Human Rights Review Tribunal (Tribunal).

Non-compliance with an 'Information Privacy Principle' under the New Zealand Privacy Act could also result in an individual making a complaint to the Privacy Commissioner for an 'interference with their privacy'. In the event of such a complaint the Privacy Commissioner may (or may not) elect to investigate the complaint and will typically attempt to facilitate a voluntary resolution between the parties.

If the Privacy Commissioner is satisfied that there has been an 'interference with the privacy of an individual', and the Privacy Commissioner is unable to otherwise resolve the matter, the Privacy Commissioner may refer the complaint for prosecution before the Tribunal. The affected individual may also bring damages claims to the Tribunal provided the Privacy Commissioner has conducted an investigation following the individual's initial complaint. Damages awards in the Tribunal are, on average, relatively low - the Tribunal may award up to NZD350,000 but most awards tend to be in the tens of thousands with the highest to date for a privacy breach being approximately NZD168,000.

Potential civil penalties regime

There are no civil penalties under the New Zealand Privacy Act. As noted above, although the Privacy Commissioner can refer a privacy complaint to the Tribunal for prosecution, even then the level of fines is minuscule compared to other jurisdictions.

The introduction of a civil penalty regime is one of the main points the Office of the Privacy Commissioner raised in its Briefing. The Office of the Privacy Commissioner recommends that a civil penalty regime for major non-compliance should be introduced (alongside new privacy rights for New Zealanders as part of broader reform).

What should businesses take from all this?

We can only speculate on what a potential civil penalty regime may look like in New Zealand; however, historic discussions on this topic and recent legislative activity may be hinting at what is to come.

For example, the previous Privacy Commissioner, John Edwards, had recommended to the Government that a civil penalty for serious breaches of up to NZD100,000 for individuals and up to NZD1 million for public and private sector organisations should be adopted (aligning with the previous Australian position, which is far behind the current level of fines). As we previously highlighted, the Consumer and Product Data Bill ('CPDB') contemplates a potential fine of up to NZD2.5m. This level of fine dwarfs the maximum fine available under the New Zealand Privacy Act, and even under the Fair Trading Act 1986 (the CPDB seems to be designed primarily to open up competition in a sector, aligning more with the Commerce Act 1986).

New Zealand's privacy regime was recently granted 'adequacy status' by the European Commission. This status is important to enable the free flow of personal data in support of New Zealand's international trade agenda. The Office of the Privacy Commissioner stated in its Briefing that countries are increasingly expecting that the personal information of their citizens will only be sent to countries with legislation in place that provides an equivalent level of privacy protection. If New Zealand's privacy regime becomes increasingly misaligned with other jurisdictions (including the EU), we may lose our prized adequacy status, thereby significantly increasing the compliance burden on New Zealand businesses processing personal data on behalf of EU-based customers.

We can help you get it right

If you'd like further advice on your organisation's privacy compliance, our privacy experts Hayley Miller, Campbell Featherstone, Ashleigh Ooi and Güneş Haksever are on hand to assist in advising agencies regarding their compliance, regulator investigations, privacy breaches, and enforcement actions under New Zealand's present privacy regime. We are watching the regulatory environment closely and advising our clients to carve their compliance path with confidence.

This legal update has been written by Monica Sayani, a solicitor, and Güneş Haksever, a senior associate in our Technology, Media and Telecommunications team.