Dentons Kensington Swan: What's to come in '21

It has been a busy first few months of the year for privacy, with both the “bedding in” of New Zealand’s new privacy law regime and recent developments abroad that may have an impact on New Zealand businesses.

In a full-length article about What’s to come in ’21, we explore a selection of our ‘byte-sized’ picks for what to watch for in privacy this year – from data breaches to life after Brexit, the world of data continues to move rapidly, including in ways that affect businesses and individuals in Aotearoa.

We’ve got a snapshot of the key implications of this year’s developments, as well as a glimpse of what’s to come.

The ‘new’ new normal

The 2020 vernacular for privacy enthusiasts wasn’t limited to “social distancing” and “flattening the curve”: 2020 also saw the long-awaited commencement of the Privacy Act 2020, which introduced terms like “notifiable privacy breach,” “compliance notice,” and “IPP 12.”

Now, the focus has shifted to how the new requirements introduced by the Privacy Act will work in practice. Our experience so far is that some aspects of the new regime aren’t quite as straightforward as they may first appear and that there are a few “grey areas”– including the circumstances in which an overseas business will be caught by the scope of the Privacy Act.

We have been helping our clients come to grips with their obligations and manage their risks under the new Act, particularly when sending data offshore and in getting ahead of the curve when it comes to managing risks under the notifiable privacy breach regime.

Privacy isn’t just a hot topic in Aotearoa. On our radar is the UK’s “life after leave” as it implements its own data protection regulations and bids to retain its adequacy status under the GDPR to ensure the free-flow of data with countries in the European Economic Area. Aotearoa itself is due to convince the European Commission that we should retain our status of adequacy. Those doing business with EU based customers, or who are part of a multinational, should watch this space.

Coming up next in 2021

While 2020 has taught us that predicting what’s to come can be a fool’s errand, we’ll be keeping an eye on the following:

• COVID-19: The global pandemic continues to drive decisions around data, and we don’t see this slowing down, particularly as the world begins to tentatively re-open. Our Big Reset thought leadership piece in April 2020 predicted a focus on technology-based solutions, such the introduction of a digital immunity verification card to gain entry into certain premises. COVID-19 passports are now seen by the government as ‘almost inevitable’, so private premises also requiring vaccine verification doesn’t seem outside the realm of possibility.
• Enforcement: The Privacy Commissioner will be eager to flex his new powers under the Privacy Act in respect of those obligations that businesses have had 27 years to get used to – our expectation is that the first compliance notices will be aimed at “raising the bar” for a particular industry or standard.
• First Privacy Act decision? The nitty-gritty of the new privacy law regime may well be subject to further judicial scrutiny, particularly once the Privacy Commissioner begins to exercise his new compliance powers.
• First prescribed country? The Ministry of Justice is in the process of selecting the first countries to be “prescribed” under IPP 12 – which will facilitate the free flow of data. While we’re unlikely to see a decision this year, we may see an indication about which countries will be up first. Our office sweepstakes have Australia as an early favourite, with the EU also having reasonable odds – if for not a win then a strong placing.
• Blockchain: Perhaps Fleetwood Mac was onto something about the chain “keeping us together.” The Privacy Commissioner has reflected on whether or not blockchain can “revolutionise” privacy. In light of the rise of the NFT marketplace, we’ll be watching this space to see how the practical issues raised by a system based on the permanency of data will stack up against our 27-year-old privacy principles.

If you have questions about privacy in 2021 – and beyond – contact our privacy experts Hayley Miller, Hayden Wilson, Campbell Featherstone, or Gretchen Fraser.