The Marketing Association’s compliance advisor, Keith Norris, recently alerted us to some changes the Justice Department is proposing to the Privacy Act 2020. Here is his follow up message to marketers in NZ.
These changes, if implemented by the Government, would mean that businesses and organisations would have to advise individuals every time they collect any information from a third party. At first sight the changes seem fairly innocuous, logical even, but for marketers, charities and data service providers alike, it could create some expensive and administratively complex problems.
Think, for instance, about personal information on property ownership, which is publicly available through LINZ or local authorities. Is it really necessary for every real estate agent, valuer, banker, lender, builder, electrician etc. to notify the property owner every time they access this information? It’s already public information, so what is the point?
And what about the ‘Do Not Mail/ Do Not Call’ service run by the Marketing Association to protect around 200,000 consumers from unwanted marketing communications? If the proposed changes are implemented, it would mean that every time a responsible organisation accessed the service, they would have to notify the individuals! So, instead of saving the consumer from unwanted communications it would bombard them with official notifications. Several times a month!
Many businesses employ a third-party data service provider to look after their customer information. Will these organisations have to advise the customer every time their details are passed from one to the other?
To government bureaucrats these examples are simply ‘unintended consequences’, but to us, they represent another system change and another expense on our marketing or IT budget.
Privacy advocates may well support the proposed notification changes because, at face value, the changes keep us as individuals advised about who holds our personal details. But we suspect that is not the reason at all. We believe the underlying reason is to maintain New Zealand’s privacy law ‘adequacy’ status with the European union’s GDPR requirements.
Is GDPR really the gold standard in privacy legislation we need to aspire to in New Zealand? Johannes Caspar, who served as the Data Protection Commissioner of Hamburg, Germany, for approximately 12 years, stated in June 2021 that “the basic model of the procedure set up by GDPR just can’t work.” GDPR has ‘massive flaws’ and suffers from endless ‘infighting,’ says Caspar, seen as one of the EU’s toughest data watchdogs.
Since the introduction of the GDPR, privacy budgets for organisations across a variety of sectors, including the health, finance, and education sectors and within government itself, have been increasing at a startling pace. Privacy professionals from across the EU and five other countries, including Canada and the United States, reported an average 29% increase in their privacy budgets between 2020 and 2021, due to increased costs related to GDPR implementation, with 60% believing their company’s privacy budget was still insufficient.16*
Do we really want to align our legislation to an expensive and unworkable system like GDPR? We’ll keep you informed about the progress of these proposals and seek your help to ensure that we don’t make the same mistakes in New Zealand.
*16 IAPP-EY Annual Privacy Governance Report 2021, The International Association of Privacy Professionals (IAPP), 2021.