Whats Going on in the World of Privacy?
Aftershocks from the arrival of the General Data Protection Regulation (GDPR) are still being felt around the world as countries are faced with the question of whether their own privacy laws are up to scratch.
While changes to our privacy framework are still to be finalised, we are keeping a watchful eye on the goings-on overseas that may directly impact New Zealand or could appear on our own Government’s privacy agenda. We watch this space.
One jurisdiction that has scrubbed up its data protection laws to a ‘gold plate’ (read EU) standard is the US state of California. The California Consumer Privacy Act of 2018 (CCPA) was published in June this year and will become operative from 1 January 2020. Like the GDPR, the CCPA has extra-territorial effect, applying to businesses receiving personal information from Californian residents, when those residents are in the State or when their data is received or processed within the State.
For those businesses which operate both in California and Europe, the CCPA is a patchwork of GDPR rights, variations of GDPR rights, and brand new rights that do not expressly feature in the GDPR. These differences, particularly the more subtle ones, will be a significant challenge for businesses operating in both jurisdictions to grapple with during the much needed lead-in time for the CCPA.
Currently on Australia’s privacy agenda is the controversial government use of facial recognition technology. The Identity Matching Services Bill is being considered by the Parliamentary Intelligence and Security Committee after it had its second reading in the Australian Parliament.
The purpose of the Bill is to create a centralised nationwide database of people’s physical characteristics and identities, which collates data from states and territories and integrates facial recognition technology. While the Department of Home Affairs have said the system is “not intended for mass surveillance”, the apparent lack of safeguards on the use of the data, combined with the sheer volume of personal data is understandably giving rise to significant concerns across the Tasman.
This is in addition to the revamped, mandatory breach reporting laws that were introduced in February this year and brought with it sanctions of up to AUD1.8million.
Soon to be officially out of the EU, the UK has made an official commitment to embrace the GDPR as its own data protection framework, in an effort to ensure adequacy status. The UK government has issued a proposal for a special partnership between the UK and EU aimed at maintaining free flow of personal data. The European Commission will need to be convinced that the UK’s proposals are compatible with the rights under EU law before this is confirmed.
In the EU, the data protection shake-up has not stopped with the GDPR.
After nearly two years in operation, the EU-US Privacy Shield is up for review after the European Parliament called on the European Commission to suspend the Shield due to an alleged failure by the US to provide enough data protection for EU citizens.
Further change is also on the horizon in the form of the proposed e-Privacy Regulation. The Regulation will sit alongside the GDPR, with specific implications for businesses using electronic communications data, including voice chat, video communications and instant messaging. The Regulation was originally scheduled to come into effect with the GDPR, however delays have meant that it is still progressing through the legislative process.
These international developments in privacy law, together with the high standards set out in the GDPR, leave us asking the question – does our Privacy Bill go far enough? When the Select Committee reports back on the Bill in November, it will be interesting to see whether the GDPR and any of these recent developments have influenced its response and recommendations.