In 2018, a new unprecedented data privacy law took the EU and, by association, the rest of the world by storm. The GDPR (General Data Protection Regulation) in its own words is described as "the toughest privacy and security law in the world," and it's safe to say the impact it has had on the global tech and business sectors has been significant over the past four years.
With more and more NZ companies subject to data and security breaches, it also begs the question as to whether there needs to be more focus on our own data privacy laws and if we can look to other countries for guidance.
With the pandemic in 2020 initiating an increased online presence in all areas, companies have had even more reason to strengthen their data security systems and protocols as regulations continue to come with heavier penalties and consequences should they be breached.
Another significant factor is that the laws also cover affiliate companies, meaning that they don't only affect the EU market but also those international companies under EU jurisdiction.
Pre-pandemic, Google was famously hit with a substantial GDPR fine of EUR €50 million in 2019, when it failed to make its consumer data processing statements easily accessible to users. It also came under fire for data mining its users for targeted advertising campaigns without seeking consent, a trend becoming more apparent as companies look for new ways to expand their market growth.
More recently, in 2020, British Airways was targeted by hackers who breached their security and led customers to a fraudulent site that compromised the personal and financial information of about 400,000 people.
These substantial law changes have come at a cost too. According to legaljobs.io, it was reported that 27% of companies spent over half a million dollars to become GDPR compliant, and there has been over EUR €359 million in major fines already issued. This number is expected to grow, with some companies apparently struggling to keep up with the ever-changing online climate.
Rob Ellis of tech company Thales spoke to the BBC in May 2021, telling them that "When GDPR was first drafted, the legislation did not necessarily account for the adoption of new technologies and rapid migration to the cloud brought on by the pandemic.
"In this remote working era, businesses needed to digitally transform almost overnight just to keep the lights on, without necessarily incorporating security in the design of new systems and processes."
So if companies are struggling internationally to implement processes, how does this fare in the NZ market?
If New Zealand businesses have dealings with or are based in the EU, then they must adhere to the rules set out in the GDPR 2018 while also following the NZ Privacy Act 2020 guidelines. That's a lot of information coming from many different places, but thankfully the NZ government's digital website specifies that it is likely for there to be a significant crossover between the two.
With two different sets of rules and a myriad of new technologies and systems to navigate, it's clear that businesses must now be more vigilant than ever to keep up.
University of Auckland commercial law professor, Gehan Gunasekara, says that companies would be wise to make sure they know the European laws well, and if companies invest in smart solutions and education relating to GDPR, then they will be better protected in the long term.
"If you meet the European requirements, then 99.9% of the time you're most likely to also meet the New Zealand requirements. There are some subtle differences between the two regimes, but for most businesses, that doesn't really become an issue."
He says the most difficult situations come with doing business in and with Europe, and this is where companies have to carefully consider all the steps necessary to comply with the GDPR.
"Let's say, for example, you're a tourism operator and you want to bring Europeans to New Zealand or are offering flights to Europe, then you have to comply with the GDPR.
"It's now more than just about being transparent, and a bit more than consent. There is the idea that if you get specific explicit consent, everything is okay, but that's not the way the GDPR works. It is kind of the way that New Zealand's privacy law works because most things can be agreed to by consent under New Zealand law, but in the GDPR consent is not solid grounds on which you can base processing of personal data."
He says that the European GDPR is based on the legitimacy of interest, and companies have to explicitly outline how they're going to keep their data safe.
"You've got to show you have a legitimate interest and you've got to show that the individual's interest's don't override it. You've also got to show you're taking necessary steps to protect the data. Even if an individual signs some kind of waiver or consent, under GDPR, that's not going to get you off the hook."
Another issue Gunasekara brings up is education. He believes that even if companies equip the best tools and systems, humans are the key to regulating GDPR compliance and should be a key investment.
"The Privacy Commissioner in New Zealand can only give limited assistance as far as the Europeans laws are concerned."
Recently this year, Gunasekara and his team at the University of Auckland launched a program specifically targeted at companies and workers wanting to upskill in the areas of GDPR and data protection.
"We have a brand new online programme called the master of information governance that was launched this year. The idea is to train and upskill people who are privacy officers, information officers and governance officers.
"The advantage is if an organisation were to send its staff to a programme like that, then those staff can train other staff within the organisation and so there's a cascade effect."
When discussing our data privacy regulations compared to the rest of the world, he believes we are in the middle of the road when it comes to developed countries.
"There are many countries around the world that have yet to get privacy regulation. I mean, China is the latest one that has actually now passed quite a strict personal information protection law. Almost every week, there's another country passing a privacy law.
"We think we're weak in comparison to the GDPR, but even in relation to Australia for example, where small businesses are not covered, New Zealand has a good one size fits all law that's relatively easy to understand."
When asked what businesses should do to be prepared for GDPR compliance, along with education, Gunasekara emphasised the need for a company-wide approach, with all employees doing their part to protect data.
"There is really no excuse for business not to get up to speed with it, and it can't be something that can be just dedicated to some compliance officer or privacy officer. It requires an all business approach. This needs to be grasped at board and CEO level and there are cost implications, but the costs of privacy failures would be higher.
With new privacy laws popping up by the day, and a large majority of businesses worldwide being subject to data breaches regularly, it's clear that data privacy isn't something companies should sweep under the rug. GDPR and privacy laws are there to protect businesses and consumers, not hinder them, so it's in their best interest to make sure they are up to speed.
Do we need a brand new, state-regulated GDPR that is NZ specific? Perhaps it's too early to tell. With so many of these new laws around the world being in their infancy, the full effect hasn't come to light.
With noticeable fines and a focus on enhancing secure technology, we've seen many companies stung and others learn from their mistakes, so this may be an early indicator of change. However, it is clear that the European GDPR is a landmark initiative that New Zealand and the rest of the world should be keeping closely on their radar.
