Record fine for privacy breaches

Monday 20 January, 2020

A German company has recently been fined €14.5 million for breaching the General Data Protection Regulation (GDPR), the highest-ever GDPR fine imposed on a German company.  The GDPR is the core of Europe’s digital privacy legislation, not only covering information like names, addresses and photos, but also IP addresses and genetic and biometric data.  Under the GDPR, organisations must ensure that personal data is gathered legally, and under strict conditions.

The German company, Deutsche Wohnen, is a real estate company which used an archiving system to store tenants’ personal information. This personal information included salaries, tax information and bank statements. The Deutsche Wohnen’s archiving system did not allow the deletion of data that was no longer necessary, leading to a breach of the GDPR. The fine imposed was 1% of the company’s annual turnover of €1.4 billion.

Could this apply to you as a New Zealand business?

The GDPR applies to all organisations outside the European Union which offer goods or services to customers or businesses in the European Union.  As a result, any New Zealand business that deals with European Union citizens needs to understand the implications of the GDPR and should have a GDPR compliance strategy (including, among other things, a clear process for deleting personal information once it is no longer required).

What is happening in other jurisdictions?

Deletion of data and privacy breaches in the USA

California recently enacted the California Consumer Privacy Act (CCPA) which came into effect on 1 January 2020.  The CCPA applies to all companies who do business with Californian residents, provided that they meet one of the following:

• the company’s turnover is over $25 million;
• they receive or disclose personal information of 50,000 or more California residents, households or devices each year; or
• at least half of the annual revenue comes from selling consumers’ personal information (defined to include information that can be reasonably linked with a household). 

The CCPA therefore applies to any New Zealand company doing business with Californian citizens and meeting this criteria. 

Among other things, the CCPA gives Californians the right to require businesses to delete their information, so businesses are having to take steps to ensure that they know what information they are collecting and store it in a way that is easily accessible (or removable). The CCPA also gives consumers the right to take civil action against companies holding their personal information if the company suffers data breaches or loss of that information, and the attorney general the right to bring class actions. If the company is holding such information in violation of a request to delete, damages could be significant.

New privacy laws in India

India is in the process of enacting new privacy legislation which will place restrictions on how corporations can collect and use personal information.  Like the GDPR, India’s new rules would require tech companies to get consent before collecting and using personal data and would make it easier for people to demand that companies erase their data.  With fines of up to 4% of worldwide turnover, companies that operate in India will need to take these new rules very seriously.

What if my business doesn’t have any international customers? Should I still be worried?

In the current Privacy Bill, which amends the Privacy Act 1993, fines for privacy offences are limited to $10,000 (being a significantly lower financial risk than international privacy laws). However, the Bill introduces mandatory reporting of any privacy breaches that pose a risk of serious harm to an individual. In 2019, 222 agencies voluntarily reported privacy breaches to the Commissioner, of which 50% arose from email or website errors or hacking. The number of reported breaches is likely to increase significantly with mandatory reporting, and the Commissioner can issue compliance notices to agencies breaching the Privacy Act and must publish details about the compliance notice.

Digital privacy is a growing concern, both inside and outside New Zealand, and digital privacy laws are likely to only get stronger. Privacy law developments in Europe, California and India demonstrate a growing international trend towards stronger protection of consumer privacy, and New Zealand risks finding itself out of step with the rest of the world. Heightened media and public interest in privacy breaches, together with the obligation to disclose significant privacy breaches, mean that New Zealand businesses can expect to face growing scrutiny over privacy breaches.  This can lead to follow-on effects, such as reputational damage, customer reluctance to engage with the business, and falls in investor confidence.

Although there is no immediate likelihood of GDPR-style fines in New Zealand, we recommend that every New Zealand organisation should have a privacy officer and a plan on how it collects, stores, secures, and disposes of, personal information.

If you have any concerns about how your business or your service providers collect, and protect, personal information, please contact a member of our Corporate & Commercial team to discuss.