Application of Australian Privacy Law to NZ Businesses
Thursday, July 5, 2018
Frith Tweedie, Digital Law Leader at EY Law New Zealand, discusses the application of Australian Privacy Law to New Zealand businesses which store personal information in an Australian “cloud” and the Australian Notifiable Data Breaches Scheme.
Storing data in an Australian “cloud”? Australian privacy laws may apply!
Kiwi businesses storing personal information in an Australian “cloud” or data centre could find themselves subject to Australian privacy law, including rules requiring notification of data breaches. Failure to notify could, in a worst-case scenario, trigger fines of up to A$2.1 million and damages of A$10,000 to A$15,000 per successful claimant.
As cloud storage becomes mainstream, New Zealand businesses are taking advantage of the proximity and lower latency of Australian data centres. Banks and government agencies in particular tend to take comfort from the perception that regulatory similarities make Australia a less risky prospect when it comes to offshoring personal information.
However, it’s not widely recognised that Kiwi organisations storing personal information in an Australian-based cloud could find themselves subject to Australian privacy law, including the Notifiable Data Breaches (NDB) Scheme that came into effect earlier this year. New Zealand is set to enact similar data breach notification rules in 2019.
What are the new Aussie rules?
From 22 Feb 2018 “eligible data breaches” must be notified to the Australian privacy regulator and all affected individuals. As well as fines and potential damages resulting from non-compliance, class actions may also result. A successful class action of 1,000 individuals could easily lead to fines and damages in excess of A$12 million.
An eligible data breach is one that a reasonable person would consider likely to result in serious harm to any of the affected individuals. “Serious harm” is not defined in Australian privacy law, so this will require an objective assessment of the type of information, the individual(s) impacted and the surrounding context. Serious harm could involve physical, psychological, reputational and/or financial harm.
Unlike the 72-hour notification time frame under Europe’s General Data Protection Regulation (“GDPR”), the Australian rules do not specify a time frame other than “as soon as practicable” after becoming aware of an eligible data breach or having reasonable grounds to believe a breach has occurred. The current draft of New Zealand’s Privacy Bill is likely to require notification on a similar “as soon as practicable” basis, except with fines of up to only $10,000 for failure to notify.
Why Australian law applies
Australian privacy law will apply to any New Zealand organisation with an “Australian link” that stores personal information in an Australian data centre.
An “Australian link” is established by various factors, including incorporation in Australia, being part of a partnership formed in Australia or where the organisation “carries on business” in Australia and collects or holds personal information in Australia (for example in “the cloud”).
“Carrying on business” for the purposes of Australian privacy law involves conducting some form of commercial activity there, whether or not you are established in Australia. That could be an organisation based in New Zealand having people or agents in Australia, advertising in Australia, having a website that offers goods or services to Australians, the inclusion of Australia in website drop-down menus, regularly acting on Australian business or purchase orders or being the registered proprietor of Australian trade marks.
So if your organisation stores personal information collected in New Zealand or about New Zealand residents in an Australian data centre and you “carry on business” in Australia, that personal information will be covered by the new Australian NDB Scheme – and the various fines and damages triggered by non-compliance.
Not just cyber-attacks and not just in Australia
As well as cyber-attacks, an eligible data breach could be triggered by the loss or misuse of personal information. This could be as simple as an employee leaving a laptop containing customer details in a public place, sending customer details to the wrong person or accessing their colleague’s employment details without authorisation.
Where there is an “Australian link” and the relevant data was collected in Australia or stored in an Australian cloud, data breach notification requirements will apply even if the unauthorised access occurs in New Zealand.
I might be caught – what should I do?
A. Determine whether the NDB Scheme applies
1. Are you storing personal information in the cloud using an Australian data centre or do you collect personal information in Australia?
2. Do you have an Australian presence, or do you “carry on business” in Australia in a way likely to constitute an “Australian link”?
If you answer yes to both, then Australian privacy law and the NDB Scheme will apply to all personal information collected or held in Australia at any time prior to a data breach.
B. Prepare for compliance with the NDB Scheme
You should determine the extent of the personal information caught by the NDB Scheme and then prepare a data breach response plan. In addition to being necessary for compliance, it will enable you to quickly and effectively manage any breach that occurs. It will also be good preparation for the introduction of data breach notification requirements into New Zealand law in July 2019.
A data breach response plan should detail breach response team members and responsibilities and breach response processes for various likely scenarios. The plan should be tested (for example by some form of data breach drill) and staff should be trained on how to deal with a breach.
C. Understand your risks before storing data in any cloud environment
1. Understand what data you have and where it is
Data inventories and maps identify what personal information is held across your organisation and where it is stored, including offshore and in the cloud. This will help you manage and contain a breach if (when!) one occurs, as well as delivering strategic and operational benefits.
2. Assess cloud risks
Understand your risks before offshoring personal information, including to Australia. This will also help you assess any reasonable alternatives. Determine in which jurisdictions your data will be stored and processed (including backups), whether your cloud service provider (CSP) allows you to specify preferred data centre locations, and whether your CSP outsources any of its services or uses sub-contractors that introduce additional jurisdictional risks. If so, find out which jurisdictions are involved and assess them as above.
3. Understand your privacy obligations
First of all you need to understand what your New Zealand privacy obligations are. Where the privacy laws of other jurisdictions impose higher standards than those of New Zealand (such as the GDPR or Australia’s NDB Scheme), establish whether those laws do in fact apply and whether you can rely on any exemptions.
If the other jurisdictions impose lower standards than New Zealand law, you need to understand their impact on the security and/or privacy of your data and conduct thorough due diligence on the proposed CSP. Once enacted, New Zealand’s Privacy Bill will only allow overseas disclosure of personal information to CSPs providing purely storage services (and nothing further), or where one of the following applies: the individual has authorised the disclosure, there is a reasonable belief that appropriate privacy protections will be in place, or the other country has been prescribed by New Zealand regulation as having comparable privacy laws.
4. Develop a Privacy Management Plan
A privacy management plan is a strategic planning document that describes how an organisation will address and manage its privacy (including cybersecurity) concerns. This document will help you embed good governance practices while also demonstrating to regulators that you take data security and privacy management seriously. It will also encourage a privacy aware culture, help establish robust processes, enable regular compliance checks and enhance your responses to issues.
- If you “carry on business” in Australia and store personal information in an Australian data centre then that data will be subject to new Australian data breach notification requirements, even where the information was collected in New Zealand and/or only relates to New Zealanders.
- Failure to comply with the NDB Scheme in the event of a data breach could subject your organisation to large fines and the potential for consumer complaints and damages.
- The upside is that compliance will help you minimise reputational damage, which is potentially far more costly than a fine – see the detrimental effect of recent high-profile data breaches on share price, business image and customer confidence. It will also help you prepare for the introduction of mandatory data breach notification requirements in New Zealand via the Privacy Bill in 2019.
Frith Tweedie has more than 16 years’ experience advising on privacy, technology, IP, online/e-commerce, consumer protection and entertainment law issues. She has extensive experience advising on privacy issues arising in a digital context, including the privacy implications of data analytics, data sharing, cloud storage and data monetisation initiatives.
Prior to joining EY Law to lead the Digital Law team, she was responsible for establishing a large privacy programme at a major telecommunications company in response to the European General Data Protection Regulation (“GDPR”). Frith also worked closely with a major bank’s digital teams on numerous data-driven initiatives requiring extensive privacy input. In her current role, Frith works closely with EY management consultants advising on and implementing a range of technology and digital solutions. Contact Frith at email@example.com