Introduction
On 25 May 2018 the EU’s existing data protection (ie privacy) legislation will be replaced by the General Data Protection Regulation (GDPR). The GDPR aims to protect the privacy of EU citizens by giving them more control over how, when and why their personal data is used. You can get a full copy of it by clicking the button below.
General Data Protection Regulation
The GDPR also has extra-territorial application meaning that it will have serious implications for most of the world, including New Zealand. This newsletter considers the implications for New Zealand businesses that are not present in the EU.
What you need to do
If the GDPR applies to your business you will need to:
- Review your privacy policy to ensure it is in plain language and that every purpose for which you use personal information (including secondary purposes) is clearly set out;
- Ensure there is a process that enables the individual to affirmatively consent to any purposes for use of personal information where the GDPR requires consent to be obtained;
- If you have another party storing or processing personal information on your behalf, ensure you have a written contract with that party that meets the requirements of the GDPR;
- If personal information will be transferred to another country after you have collected it, have processes to ensure that the individual is aware of that transfer, the risks involved and explicitly consents to that transfer; and
- Ensure you have documentation in place that demonstrates compliance with the GDPR.
There may also be other obligations under the GDPR depending on the nature of your business activities in relation to the EU, such as needing to appoint a representative in the EU.
This newsletter briefly discusses these and other key points that apply to New Zealand businesses under the GDPR. It is our summary of what we consider are the key points and we have not covered everything under the GDPR. We have also limited our summary to matters that are additional to or differ from obligations under the New Zealand Privacy Act 1993. We do not discuss matters that are the same or fairly similar to obligations under the Privacy Act.
Who is affected
While the GDPR applies to businesses present in the EU, it also applies to any New Zealand business (that is not present in the EU) that:
- Offers goods or services to persons who are in the EU (eg through its website); or
- Monitors the behaviour of persons who are in the EU as far as their behaviour takes place in the EU (ie recording of anything such a person does while in the EU).
In assessing whether or not the business is offering goods or services to persons who are in the EU, the preamble to the GDPR explains that the GDPR will not apply due to the mere accessibility of the website in the EU.
Thus, if the New Zealand business’ website is targeted at non-EU countries then the GDPR will not apply. However, if it is set up to enable EU persons to order goods and services then the GDPR will apply.
An EU representative may be needed
Unless the processing involving the EU activities undertaken by the New Zealand business is “occasional”, a term that is not defined in the GDPR, does not involve large scale processing of certain special categories of data (like health data) or processing criminal information, and the processing is unlikely to result in a risk to the rights and freedoms of individuals, the New Zealand business must designate a representative in the EU.
What is “personal data”?
The GDPR applies to the personal data of EU persons. Personal data is defined in a pretty similar way to personal information under the Privacy Act, essentially any information that makes an individual identifiable in any way. However, the definition goes on to explain certain things that make an individual identifiable, whether directly or indirectly. These include identifiers like your name, location data and an online identifier, and characteristics like physical, mental and cultural identity.
Complying with the GDPR
The GDPR uses different language to the Privacy Act. The key terms are “processing”, which includes collecting, storing, using, disclosing and transferring; a “data controller”, which is the business deciding to collect the personal data; and a “data processor”, which is the business that undertakes processing activities on behalf of the data controller.
A number of the exceptions in the Privacy Act to how personal information is collected and may be used or disclosed differ under the GDPR. One in particular is that processing personal data is permitted under the GDPR if it is necessary of the purposes of the legitimate interests of the data controller or a third party, except where such interests are overridden by the interests/rights/freedoms of the individual. Legitimate interests may include direct marketing.
In addition to Privacy Act compliance steps, the GDPR requires businesses that are covered by it to meet the following key additional obligations:
- Prior to data collection
- You must explain in plain language the reason for any data collection, and how long you will store the data (or the criteria used to determine that period). The individual must be provided with all information regarding the collection and possible processing of their data, even when being collected from someone other than the individual concerned. If processing is to be on the basis of the legitimate interests of the data controller, those legitimate interests must be explained to the individual at the time the personal data is collected.
- You must obtain consent to processing an individual’s personal data unless an exception applies (eg processing for the legitimate interests of the data controller). Consent must be a freely given affirmative action, for example by signature or ticking a box. It must be outlined what exactly the individual is consenting to. It must also be as easy for consent to be withdrawn as it is for it to be given.
- It is prohibited to collect and process certain special categories of data, such as health information, unless the individual provides an explicit consent or another exception applies. You would also likely need to establish an EU representative in such a case.
- When you have the data
- Personal data must be free to be deleted on request in certain cases, such as where it is no longer necessary in relation to the purposes for its collection.
- A data controller must implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is in accordance with the GDPR, including appropriate data protection policies. There must also be a level of security appropriate to the risk applied in relation to processing, such as using pseudonymisation and encryption.
- A data protection officer must be appointed in some cases, such as where the data controller undertakes regular and systematic monitoring of individuals on a large scale.
- Data processing systems must be private by design. A data protection impact assessment (ie a privacy impact assessment) must be carried out if a type of processing is likely to result in a high risk to the rights and freedoms of individuals. There may also be a need to consult with the relevant EU supervisory authority in relation to the assessment.
- The data should only be processed by a third party data processor with direct authorisation from the data controller and a compliant GDPR contract between them. The data controller and data processor must keep records of their processing activities and the purpose for such.
- The individual may object to the processing of their data being carried out in certain circumstances, including where it is being processed for the purposes of the legitimate interests of the data controller.
- The personal data must also be portable in a machine-readable structure so the individual can take a copy anywhere.
- The individual must not be subject to automated decision-making systems, where the use of this would significantly affect him/her.
- If you want to transfer the data
A data controller may transfer personal data to a third country in certain circumstances. The simplest situation is if the country has EU adequacy status. If the country does not have adequacy status the data can only be transferred in accordance with standard approved clauses, with approval of the relevant competent supervisory authority in the EU, if the explicit consent of the individual whose data it is has been provided, or some other limited exception applies.
Where explicit consent is to be sought the individual must also be informed of the possible privacy risks of the transfer.
Notification of a personal data breach
If there is a breach of security that leads to an accidental or unlawful data loss/destruction, access, disclosure or alteration, there is a mandatory breach notification required, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The relevant supervisory authority in the EU must be advised as soon as possible and within 72 hours of the breach and must be provided with details of the breach.
While there are some exceptions, individuals must be notified in transparent plain language where the breach is likely to result in a high risk to their rights and freedoms.
Risks with non-compliance
Organisations found to be in breach of the GDPR can be liable for a fine up to the larger of €10 million or 2% of the total worldwide annual turnover for that business in the case of certain infringements and up to €20 million or 4% of the total worldwide annual turnover for more significant matters. Penalties can also be imposed by EU member states.
There is also civil liability for non-compliance, ie a right to receive compensation for an infringement of the GDPR.
The supervisory authorities also have numerous investigative and corrective powers, eg to carry out data protection audits and issue reprimands and compliance orders.
The next step
Now is the time for New Zealand businesses to review their privacy policies and the protection mechanisms they have in place to ensure they will comply with the GDPR when it comes into force in May. Personal data protection must be in the forefront of your minds to avoid damage to reputation from a data breach, not to mention the hefty fines that could be imposed in such a case.
An EU Data Protection Board will be established by the GDPR. Its role is currently performed by the working party that facilitated the GDPR. It will have numerous duties, including providing guidelines, recommendations and best practices for complying with the GDPR. For more guidance you should look to the material it issues. One document that the working party has released so far is specific to the Asia Pacific region and provides further general information on the GDPR requirements. It can be accessed by clicking the button below. However, it is quite technical.
EU GDPR Asia-Pacific guidelines
Please also be aware that the UK is implementing a new Data Protection Act to align with the GDPR. Its new legislation will likely apply when the UK leaves the EU, meaning many of the requirements under the GDPR outlined in this newsletter will likely apply where your business involves the UK.
Disclaimer: Please be aware that we are not EU qualified lawyers. For definitive advice on the GDPR you should speak to an EU qualified lawyer.
Business Law team
If you have any queries in respect of the above, or any other Business Law issues, please contact a member of Lane Neave’s Business Law team:
Gerard Dale, Claire Evans, Graeme Crombie, Evelyn Jones, Anna Ryan, Joelle Grace, Peter Orpin, Ellen Sewell, Matt Tolan, Carlo Wan, Kristina Sutherland, Jacob Nutt, Whitney Moore, Alex Stone, Ben Cooper, Lisa Catto