With the new Privacy Act in force, the firm looks into global regulators’ responses to violations
DLA Piper has called for New Zealand businesses to be mindful of the potential consequences of data breaches following the implementation of the new Privacy Act.
“We are only just into 2021 but already privacy and cybersecurity are back on the radar as essential issues facing New Zealand businesses, with the high-profile data breach affecting the Reserve Bank,” the firm said.
The Privacy Act 2020 came into force last December, and “places greater responsibilities on businesses and organisations that collect and use personal information,” said the Office of the Privacy Commissioner. Organisations are now required to report “privacy breaches that have or may cause serious harm.”
The regulation also establishes a new privacy principle that regulates the overseas transfer of personal information.
“Businesses and organisations are now responsible for ensuring that any personal information they send to organisations outside New Zealand is adequately protected,” the Office of the Privacy Commissioner said.
Moreover, the Privacy Commissioner is granted “stronger powers and more tools to ensure businesses and organisations comply,” the department said.
In line with these developments, DLA Piper analysed the findings of a recent global survey on how international regulators have responded to data breaches. According to the firm’s January 2021 General Data Protection Regulation (GDPR) Fines and Data Breach Survey – which looked at the 27 EU member states as well as the UK, Norway, Iceland and Liechtenstein – breach notifications soared by almost 20% in the year to 28 January 2020, from 101,403 breaches to 121,165.
“Businesses have been fined €272.5m (about $462m) for a wide range of infringements of Europe’s tough data protection laws,” the firm said. “€158.5m ($269m) of fines have been imposed in the last year alone, a nearly 40% increase on the previous 20-month period since the application of GDPR.”
While the NZ Privacy Commissioner has not been accorded power to issue the major fines the way regulators in the UK and Europe can, DLA Piper indicated that NZ businesses “should be watching keenly how breach notifications are dealt with in jurisdictions with more established data breach reporting regimes.”
“Regulators in the EU and UK have been testing the limits of their powers over the last 12 months. It will be interesting to see whether the Privacy Commissioner takes a similar hard-line approach in exercising his new powers under the Privacy Act 2020 (such as the issuing of compliance notices), and how New Zealand businesses will approach mandatory data breach reporting from here on in,” said Nick Valentine, who leads the firm’s NZ data protection team.