Big changes are coming to how companies that operate in Europe collect data. Dave Parry says failure to adopt practices that safeguard privacy could risk New Zealand’s reputation.
Over the past couple of weeks, you may have noticed that Facebook, Twitter, Gmail and all your other favourite internet sites have had a pop-up mentioning new privacy rules. This isn’t a coincidence – they’re getting ready to comply with a new law which will set a precedent for our online privacy.
On Friday, the European Union’s General Data Protection Regulation comes into effect. Its primary target is to protect the privacy of citizens of the EU. But at its core is a requirement that everyone who stores the data of EU citizens complies – that applies to every country around the world.
The changes require consent for information to be given in an easily accessible form using clear and plain language, not legal jargon. Companies must also allow people to have their data deleted – the “right to be forgotten” – and have just three days to notify of a data breach. A particular threat to the likes of Facebook is the right to data portability. This means you can ask for a company to give you all the data it has on you in a digital form so you can shift it to a different social network. The law also requires businesses to have a representative in the EU.
It covers anything that can be used to directly or indirectly identify a person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
If you break the rules, you risk fines of 4% of annual turnover, or 20 million Euro.
We’ve known about this law coming into force for two years now, but I highly doubt many New Zealand businesses are aware of the extent it will change how they operate. New Zealand’s own Privacy Act was cutting-edge in 1993, but looks distinctly old-fashioned now.
It’s safe to say our big businesses will be compliant. The likes of Fonterra, Air New Zealand and other big trading companies will have had their legal and IT teams on it since the legislation passed in 2016.
But the law applies to every business. That means the bed and breakfast in Te Anau, the Manuka honey retailer in Coromandel, and the cheese maker in Southland. These small businesses, which might only have a handful of employees, probably don’t even collate this information. But now they’ll have to. Essentially, if you have customers in the EU, you must comply, and that’s the catch: how do you know they’re in the EU? You won’t always know, and that’s why the internet giants are changing their rules for everybody.
The other big players that will be affected by the law changes are schools and universities where we have a growing number of international students. I expect this will be one of the areas that won’t be compliant come Friday. A lot of our schools’ IT departments are teachers who do it on the side, or one or two dedicated people. Overhauling how you’ve collected and stored data and information – if in fact, you have – will take longer than a few days.
Most of you reading this will be smart enough to know that we don’t actually have to pay fines from other countries. They can ask our government to pass on the fine, but the reality is our government has better things to do than collect fines for another country. It’s also unlikely that they will come after small Kiwi businesses when they can keep an eye on the likes of Google and Amazon.
But over time, if local companies aren’t complying, it’ll start to create a reputation which could hit us hardest. Travellers are often warned by their governments not to travel to countries with active wars or major health crises, and we could see a similar type of advisory issued to travellers regarding privacy. For example, the EU might say: “Be warned that if you travel to New Zealand, your privacy cannot be guaranteed.” An advisory like that could be devastating for our tourism industry. And that’s why we have to act.
New Zealanders as a whole are pretty relaxed about privacy compared to those in other first world countries. Most people don’t understand just how much intel there is on them based on internet and phone usage, location tracking and CCTV surveillance. While ignorance has been bliss, the world is changing and that requires an attitude shift from us.
Give it a few months, a year even, and our government will likely follow suit. There’s a review of the Privacy Act going on at the moment and it’s likely we’ll adopt the same rules as the EU. It’ll be done for ease, but the outcome will mean that we all have better control over what people know about us.