Member Policy And Privacy Briefing Oct 2020 With Peter Leonard

On October 25, 2020 Policy and Regulation

Topics covered in this month’s member briefing:

  1. New Zealand Privacy Act Update
  2. Proposed Updates to Singapore’s Personal Data Protection Act
  3. ACCC Digital Platforms Services Inquiry Interim Report Oct 2020

New Zealand Privacy Act Update

New Zealand’s long-awaited new Privacy Act will finally take effect from 1 December 2020.

The new NZ Act will replace the 1993 Act. It is an update that will bring the data privacy statutes in Australia and New Zealand closer into alignment. The NZ Act will not significantly reduce the gap between those statutes and the EU GDPR or California’s CCPA. The notice and consent framework remains largely unchanged. The NZ Act does not adopt the more significant rework of the Australian Privacy Act as recommended by the Australian Competition and Consumer Commission (ACCC) in its June 2019 Digital Platforms Inquiry, or as many privacy academics and consumer groups are promoting for the forthcoming review by the Australian Attorney-General of the Australian Act.

One important change in the new NZ Act is that it clearly applies to any actions taken by an overseas organisation in the course of carrying on business in New Zealand, regardless of where the information was collected or held and where the person to whom the information relates is located. An organisation would be treated as carrying on business in New Zealand whether or not it has a physical place of business in NZ, charges NZ consumers for services, or makes a profit from doing business in NZ. Many Australian based businesses transacting with Kiwis will fall within this new definition, even if they do not have a taxable permanent establishment in NZ.

The NZ Act will also strengthen cross-border protections. “Agencies” (the name Kiwis use for any organisation that handles personal information, like Australia’s “APP entities” but with no exemption for small businesses) will have to take reasonable steps to ensure that personal information sent overseas is protected by comparable privacy standards. When a New Zealand agency engages an overseas service provider, the service provider will itself have to comply with New Zealand privacy laws. However, transfer of personal information to an offshore data processor (such as a cloud storage provider) will not constitute an overseas disclosure, if the agency continues to direct the offshore processor’s handling of that personal information and therefore control how that personal information may be used. This is an important exception given that none of the major public cloud service providers have datacentres in New Zealand (though Microsoft has recently announced plans for an Azure datacentre in New Zealand).

The Act introduces mandatory data breach notification in NZ, broadly similar to the recent Australian requirements to report privacy breaches. If an agency has a privacy breach that causes serious harm or is likely to do so, that entity must notify the people affected and the NZ Privacy Commissioner.

One area of significant change is new provisions to promote early intervention and risk management by agencies and beefed-up enforcement powers of the Commissioner. The Commissioner will have strengthened information gathering powers. The penalty for non-compliance will be increased from NZ$2,000 to 10,000. The Commissioner will be able to issue compliance notices that require an agency to do something, or stop doing something. It will be an offence to mislead an agency in a way that affects someone else’s information, and to destroy documents containing personal information if a request has been made for it.

Some NZ critics of the new Act note that the NZ Privacy Commissioner will not have the ability to hand out the substantial fines we have been seeing for privacy breaches in the UK, EU and USA. NZ Commissioner John Edwards had strongly argued for higher penalties, but the NZ Parliament did not agree. Commissioner Edwards later said: “We have a fairly high trust environment [in New Zealand], so the reputational harm of a commissioner declaring a company as non-compliant should be an incentive. That’s what we will work with—that’s the assumption that we will test. Our powers of persuasion, our ability to make findings and to issue compliance notices should be able to give New Zealanders the confidence they need to deal in the digital economy”.

What do Australian businesses need to do now?

Publishers, ad agencies/ad tech/data partners and advertisers handling personal information about NZ residents should check contracts with outsourced service providers and contractors to ensure that privacy obligations substantially the same as the new NZ requirements are included in those contracts, together with an ongoing, practical ability to review acts and practices of the contracting party to verify their compliance.

Employees handling personal information about NZ residents should be made aware of requirements for mandatory data breach notification.

Privacy policies and training materials should be reviewed and updated to include updated references to NZ law.

 

Proposed Updates to Singapore’s Personal Data Protection Act

By contrast, Singapore is now proposing amendments to its Personal Data Protection Act 2012 (PDPA) that will close some of the gap between the PDPA and the EU GDPR and California’s CCPA. The amendments are not yet enacted, but are proposed to be in operation by the end of 2020.

Like NZ and Australia, the Singapore amendments would bring in compulsory data breach reporting to the Personal Data Protection Commission (Commission).

New provisions insert into the PDPA ‘legitimate interests’ style provisions which may be utilised by regulated entities to simplify their privacy policies and privacy notices to consumers.

There will be an increase in the financial penalty that the Commission can impose on any organisation that infringes the PDPA. Previously, there was a maximum cap of SGD 1 million. The Bill proposes to raise that cap to 10 per cent of an organisation’s annual gross turnover (AGT) in Singapore if its AGT in Singapore exceeds SGD 10 million, or SGD 1 million otherwise, whichever is higher.

There would also be new offences to hold individual persons within regulated entities accountable for egregious (outstandingly bad) mishandling of personal data on behalf of an organisation or public agency. These offences include: (a) any unauthorised disclosure of personal data carried out knowingly or recklessly; (b) any unauthorised use of personal data carried out knowingly or recklessly that results in any person’s wrongful gain or loss; and (c) any unauthorised re-identification of anonymised data that is carried out knowingly or recklessly.

What do Australian businesses need to do now?

Although the draft provisions have not yet been enacted, it is likely that they will be enacted in substantially the same form and come into effect quite quickly.

Employees handling personal information about residents in Singapore should be made aware of requirements for mandatory data breach notification.

Having regard to the substantial new penalties, data privacy policies, processes, practices and training materials should be reviewed and updated.

Privacy policies and privacy notices should be reviewed and updated to reflect changed disclosure requirements.

Having regard to the substantial new penalties and exposure to liability of individuals, publishers, ad agencies/ad tech/data partners and advertisers handling personal information about residents in Singapore should review internal governance processes and practices. There should be clear allocation of roles and responsibilities of individuals and understanding of those individuals as to who is responsible for what.

 

ACCC Digital Platforms Services Inquiry Interim Report Oct 2020

On 23 October 2020 the ACCC released its “Digital Platforms Services Inquiry – September 2020 interim report”.

This report is the first of the ACCC Digital Platforms Branch’s rolling six-monthly reports following funding in February 2020 “to monitor digital platform services and their impacts on competition and consumers” over a period of five years.

This first report focusses upon online private messaging services and the associated capture and use of consumer data by platform services for other purposes, including marketing.

The second report will be on app marketplaces.

The ACCC is continuing to conduct its Digital Advertising Services Inquiry, with an interim report to be provided to the Treasurer by 31 December 2020 and then released in Q1 2021.

ACCC market research quoted in this first report showed, as you would expect, that use of online private messaging services has grown significantly during the COVID-19 pandemic. Facebook Messenger had an estimated 14.7 million monthly active users in Australia in June 2020, and WhatsApp had an estimated 8 million monthly active users. The ACCC estimated that Apple’s iMessage had between 6 million and 12 million daily active users in Australia. The ACCC quoted a recent ACMA consumer survey finding that 33 per cent of online Australian adults had used Apple FaceTime in the six months prior to June 2020. The ACCC said that “Based on information provided to the ACCC, for a typical AU$100 spent by advertisers on online advertising in 2019, $53 went to Google, $28 to Facebook and $19 to all other websites and ad tech”.

The ACCC’s substantive conclusions were that “many digital platforms, including online private messaging providers and suppliers of advertising services, are able to extensively track users’ activities online and on mobile apps through the use of cookies, software development kits and other technologies.” “Large platforms and advertising service providers are able to receive a range of user information from Android apps.” The ACCC examined terms and policies of online private messaging services, and stated its conclusion that “most included broad statements allowing for the collection of extensive information about users, but provide little clarity about how a user’s data would be collected, used, or shared with others.” The ACCC also noted its concern “that emerging technologies, such as voice activated devices and augmented and virtual reality services, will likely provide the platforms with even greater ability to collect data on consumers”.

 

Clearly the ACCC will use these rolling six monthly reports to increase public focus upon digital data handling between platforms and suppliers of advertising services, and as a mechanism to promote to Government the ACCC’s views as to an appropriate regulatory response. To quote from the first report:

“Most consumers are unclear on what they are consenting to and express concern over tracking online. Recent research indicates that less than 10 per cent of consumers have a very good understanding of how their personal information is used once they give consent and more than 4 in 5 consider it to be a misuse for an organisation to ask for information that is not relevant to the purpose of the transaction or to monitor and record their online activities without their knowledge.

The ACCC notes that similar findings in the Digital Platforms Inquiry Final Report led to the ACCC’s recommendation for changes to privacy law and the Australian Consumer Law to ensure consumers can exercise choice and control that align with their privacy preferences. The ACCC continues to support these recommendations and notes the Government Response and Implementation Roadmap for the Digital Platforms Inquiry generally supported or in principle supported these recommendations.”

What do Australian businesses need to do now?

Almost every quarter, the ACCC will be rolling out reports that potentially affect how Australian publishers, ad agencies/ad tech/data partners and advertisers handle personal information about individuals.

Those reports may partly reflect international trends, but it is also to be expected that the ACCC will try to set its own path on how it requires the digital advertising sector to change its processes and practices for handling consumer data.

The digital ad sector needs to keep across these developments, and consider how to address emerging expectations of Australian regulators as to appropriate processes and practices for handling of consumer data. The Australian requirements may well significantly diverge from European or North American regulation, so it is not safe to assume that EU GDPR or Californian CCPA compliant processes and practices will meet developing Australian requirements.

 

Peter Leonard, Principal, Data Synergies and Professor of Practice, UNSW Business School
25 October 2020
