November 14, 2019

Every move you make, I’ll be watching you.

You may have seen the headlines over the last few weeks - Google has just paid US$2.1 billion to acquire Fitbit. Who would have thought that those kms you busted out this morning could be so lucrative!

With yet another major acquisition done and dusted for the tech giant, many are nervous about the potential implications for consumers, their data and privacy.

Both companies have been quick to confirm that users will remain in control of their data and that there will be transparency about what data will be collected and why. But some commentators remain sceptical in light of other recent events – including the claim that Google has acquired the medical data of up to 50 million Americans without their knowledge in a deal with Ascension (the second largest healthcare provider in the US), and the unrelated Australian Competition and Consumer Commission (ACCC) lawsuit, which alleges that Google misled consumers about how it was collecting, storing and using location data.

One thing is clear – the regulatory tide is changing. The ‘BigTech’ companies are much more than clever disruptors challenging the status quo, and regulators around the world are becoming increasingly suspicious of these giants and more activist and creative in their approach to protecting consumers.

The ACCC lawsuit against Google, which relies on its consumer law powers (rather than privacy law) is a good example of this. Another example is the new California Consumer Privacy Act (CCPA) effective in 2020, which is aimed at re-balancing the lucrative but murky ad-tech universe and providing consumers living in California with the right to access, delete and opt out of the sale of, their personal information.

Closer to home, the New Zealand Privacy Commissioner John Edwards has a no holds barred approach to tackling privacy. In a recent conference speech and article, he shared insight on his pragmatic approach to the vexed area of consent:  

If you are telling customers in the “click to consent” box that their information will be used to “enhance the services we can provide you”, and page 35 of the legalese-dense privacy policy says that all your transaction information will be available to US data brokers, I may well conclude that you have not discharged your obligation under information privacy principle 3 [collection of information] (and potentially IPP 4 for unfairness, in particular for children and other vulnerable consumers), and that you are therefore in breach of the Privacy Act.

He also tackled the topic of addressing the power asymmetry of the Big Tech companies, and concluded that:

Small countries like New Zealand need to ensure that they are internally unified against the threats presented by unscrupulous digital operators, so that whether the threat presents in a context of election integrity, harmful content, privacy or consumers’ rights, we are working as one, for the people we represent.
And even more importantly, we need to combine internationally to push back against the one-sided offering we get from the companies that profit from our populations’ data.

"Re-framing privacy issues as consumer law issues is a potentially game-changing development in the regulatory approach."

No items found.

New Zealand has a new Privacy Bill coming into effect in 2020. While it doesn’t have all the teeth of the GDPR in Europe or the CCPA in California, it will explicitly apply to all agencies doing business in New Zealand (whether they have a physical base here or not).

The Privacy Commissioner has expressed a desire to take advantage of this extra-territorial application, as well as a new power to issue compliance notices to agencies who breach the Act. Based on the Commissioner’s comments, these notices are particularly likely to be issued for:

> serious breaches that the agency is unwilling to address;

> systemic or repeat breaches where no progress is made; or

> situations which require a middle person in the enforcement process, using up additional time and resources.

Failure to comply means the Commissioner can take enforcement proceedings in the Human Rights Review Tribunal. The agency can only object to enforcement if it believes the notice has been fully complied with.

The major fines awarded overseas (like the recent £183 million issued against British Airways by the UK privacy regulator) are not available to the Commissioner under current privacy law or the new Privacy Bill. In fact, the largest amount awarded for a privacy matter in New Zealand was $168,000, which pales in comparison. However, the Commissioner is keen to work collaboratively with other New Zealand regulators to tackle privacy issues. The Commerce Commission, who are responsible for enforcing the Fair Trading Act 1986, are likely to be a key ally here as an action under the Fair Trading Act could result in fines of up to $600,000 per offence – with the highest fine to date hitting $1.885 million in 2018.

As we have seen from the ACCC action in Australia, re-framing privacy issues as consumer law issues is a potentially game-changing development in the regulatory approach – particularly in situations where an agency is found to have made misleading representations about what personal information is collected and how it is used.

Based on recent comments and the general trends worldwide,it’s clear that New Zealand’s Privacy Commissioner won’t be holding back when it comes to protecting the privacy of New Zealanders. Just like Google, he’ll be watching.

Article Link


Get in Touch