​New Zealand policymakers push to raise bar on data-breach notifications

Companies carrying out business in New Zealand must notify the country’s privacy watchdog of data breaches if a breach has caused “serious harm or is likely to do so,” a new parliamentary report says.

In the report from the parliament’s Justice Committee, released today, policymakers recommended updating national privacy laws to avoid over-notification of data breaches, in a move that aligns New Zealand policy with Australian measures.

“Breaches should only be notifiable if they cause serious harm,” says the 238-page report, which had been delayed since November.

“We consider that the threshold for ‘harm’ is too low,” lawmakers said, adding that “it could result in over-notification to the Privacy Commissioner and to individuals.”

Facebook had urged New Zealand policymakers in a written submission to align the country's laws on mandatory notification requirements for data breaches with that of other countries, including Australia.

"Excessive notification of minor breaches may dilute [the bill’s] value overall," Facebook's submission said.

The new wording on notification thresholds is a response to concerns that featured frequently across the 182 written submissions to the parliamentary committee. Observers had been left wondering whether this report would push for closer alignment with other legislative systems, or see New Zealand carving out its own path on data-privacy.

The report now says the bill must provide “more certainty to agencies to better align the bill with overseas jurisdictions which have a higher threshold for when privacy breaches should be notified.”

“Our proposed definition describes a breach that it is reasonable to believe has caused serious harm or is likely to do so,” the draft bill says.

The new wording would closely link the bill to Australia’s Notifiable Data Breaches rules, which also use “likely to result in serious harm” as a threshold for when a data breach should be notified. But in Australia, that wording is still leading to some confusion over notification, experts say.

The New Zealand report adds that deciding if a breach could cause serious harm will be contingent on certain factors. Those factors are: actions an agency has taken to reduce harm; the sensitivity of information; the nature of the harm; who might have access to the information; and whether the information is protected by security measures.

New Zealand Privacy Commissioner John Edwards, who will be charged with overseeing notifications, said “the committee has listened to submitters and the reported back Bill [should address] some of the most pressing aspects of the modern digital economy.”

Speaking with MLex following the publication of the report, Laura Littlewood, an Auckland-based partner at New Zealand law firm Bell Gully, said the overall theme of the changes was alignment with Australian policy, including the introduction of defense provisions, allowing companies to respond to potential allegations by the Privacy Commissioner if the watchdog thought they should have notified it of data breaches.

When it comes to who would be responsible for notifying authorities of data breaches, parliament members say “agencies that outsource their data storage or processing to another agency should be responsible for informing individuals of any notifiable breach.”

Regarding foreign companies, policymakers say three things. First, the changes would apply to any actions taken by “an overseas agency in the course of carrying on business in New Zealand.”

Second, “It would apply to all personal information collected or held by an overseas agency in the course of carrying on business in New Zealand.”

And third, “It would apply regardless of where the information was collected or held and where the person to whom the information relates is located.”

Proposed changes to penalties have remained as previously suggested at NZ$10,000 ($6,814). The penalty limit was low by international standards, Littlewood told MLex today, but she added that New Zealand had always had a market of “willing compliers” and that she didn’t think low penalties would mean that companies would ignore the new rules.

Also, the updated privacy laws shouldn’t apply to news media, the report says.

The parliamentary committee’s report and ongoing work on the bill is being overseen by Labour politician and New Zealand Justice Minister Andrew Little.

The country’s conservative National Party’s view on the bill was added to the end of the report. The party says there is “still a risk of over notification” in this new draft and “if this occurs, it would trivialize genuine privacy breaches and […] raise compliance costs.”

When asked about the bill’s compliance costs, Bell Gully’s Littlewood told MLex today: “Any mandatory data breach carries a risk of compliance cost and notification fatigue.” Littlewood said 262 data breaches had been reported in Australia in the last quarter of 2018, which might indicate the kind of reporting rates New Zealand could experience.

Today’s report is a step forward in what is still likely to be a long process for updates to New Zealand’s privacy laws. The rules will need to go through two more readings in parliament as well as be debated by the whole house before they can enter into law.