Five Privacy trends to watch in 2021
The long-awaited amendment in the New Zealand Privacy Bill, which proposes amendment in the Privacy Act 1993, finally got a green flag in the parliament in June this year. The said amendments come into effect on 1st December 2020, and are expected to bring about some of the most significant changes in the New Zealand Privacy Law till date.
These changes come at an exciting time, when the global data protection landscape is witnessing significant disruption. With ever-growing cyber threats and stringent media attention on data breaches, cybersecurity and data protection are getting major attention from businesses across the globe.
Seeing how the changes introduced as a part of this data protection act can transform the New Zealand data privacy law, it becomes imperative to understand them in detail.
Significant Reforms Listed in the Updated NZ Data Privacy Law
International Data Flow
The New Zealand Privacy Act 2020 proposed update restricts disclosure of personal data outside of New Zealand, without prior authorization from relevant individuals. In case of any offshore data transfer, the disclosing party must ensure that the information is protected by safeguards comparable to New Zealand’s privacy laws.
Some ways organisations can become compliant with this update include –
- imposing contractual data protection obligations on the recipient comparable to the protections in the Privacy Act; or
- ensuring the recipient is subject to laws of another jurisdiction that provide comparable protection to the Privacy Act (countries can be ‘whitelisted’ in regulations, which will have a similar effect to a GDPR adequacy decision)
However, this update comes with an exception – if the personal information is transferred to an offshore data processor, it does not constitute an overseas disclosure.
Mandatory Data Breach Reporting
This is an international best practice that has been incorporated into the New Zealand data privacy law. According to the new update, if there is a data breach that causes or can cause serious harm to involved individuals, the responsible organisation must inform the Privacy Commissioner and the affected individuals. The act also lists some guidelines to assess the harm done by a breach –
- any action taken to reduce the risk of harm following the breach;
- whether the personal information is sensitive in nature;
- the nature of the harm that may be caused to affected individuals;
- who obtained (or could obtain) the personal information as a result of the breach (if known); and
- whether the personal information is protected by a security measure.
Again, there is an exception to this amendment. The update lists a few circumstances where companies may delay notifying the individuals or not notify them at all in case of a breach. Here is what an instance stated by the Justice Committee following its review of an earlier draft of the amendments said – if an organisation’s security systems were shown to be vulnerable as a result of a privacy breach, notification could risk wider exploitation of the vulnerability, and should be delayed to prevent the risk of more harm (though the Privacy Commissioner would still need to be notified).
It was, however, made clear by the Committee protection of its reputation is not a reason good enough to delay notifying the affected parties.
It has been explicitly stated in the Privacy Act that it is applicable to any actions that an overseas organisation will take while conducting business in New Zealand, irrespective of where the information was collected or where the data subject is from. The definition of an organisation carrying business in New Zealand is if it earns money in exchange for goods or services, or makes profit from its business there.
Fines and Penalties: New Zealand Privacy Act 2020
The 2020 update of the NZ Privacy Act states that if an organisation fails to comply with the law or misleads another organisation/individual in a way that affects personal information, it can be levied with a fine of up to $10,000. While some may argue that this financial penalty isn’t enough, it is the potential damage to the reputation of the organisation that can be a cause of concern for those who are non-compliant. This can be better understood in the words of John Edwards, New Zealand’s privacy commissioner – “We have a fairly high trust environment [in New Zealand], so the reputational harm of a commissioner declaring a company as non-compliant should be an incentive. That’s what we will work with—that’s the assumption that we will test. Our powers of persuasion, our ability to make findings and to issue compliance notices should be able to give New Zealanders the confidence they need to deal in the digital economy.”
For help related to Privacy Data Risks, Please reach out via Secuvy’s Demo Page or email us at email@example.com
California Consumer Privacy Act (CCPA) came into implementation from Jan 1st 2020. In this blog post, we will talk about history of CCPA and How is CCPA Applicable to your Business.
What is CCPA?
CCPA applies to any global business, including any for-profit entity that collects consumers personal data, which does business in California, and satisfies at least one of the following thresholds:
- Have $25 million or more in annual revenue; or
- Possess the personal data of more than 50,000 “consumers, households, or devices” or
- Earn more than half of its annual revenue selling consumers’ personal data
For 2 years (2016-2018) Alastair Mactaggart, a real estate developer, created and led a ballot initiative for a privacy law that led to CCPA (Assembly Bill (AB) 375). On June 28th, 2018, the governor of California signed AB 375 into effect, establishing the most extensive consumer privacy legislation ever passed in the United States
|June 28th, 2018||AB 375 signed into law|
|September 23rd, 2018||Senate Bill No. 1121 signed into law, modifying CCPA|
|October 10th, 2019||California Attorney General released the proposed text for CCPA regulation|
|October 11th, 2019||California Governor Signs CCPA Amendments into Law|
|January 1st, 2020||CCPA goes into effect|
|July 1st, 2020||Enforcement begins|
California Residents Rights under CCPA
CCPA grants California residents, who are consumers, specific rights regarding their personal information businesses maintain. If you are a California resident, you have the right to request that a business inform you about its processing activities with respect to your personal information, to delete your personal information and to opt-out of the sale of your personal information.
Companies preparing for CCPA or are planning to implement must remember that a privacy program needs to adapt and change accordingly to applicable privacy law. If you are looking to build a privacy program it’s not too late to start preparing for CCPA compliance. To request a CCPA privacy software demo email us at firstname.lastname@example.org or visit Secuvy.ai