Privacy Bill reform: ‘Time to raise your game’

Businesses cannot rely on the fact that the practice is explained somewhere in a privacy policy, especially if it’s buried in complex terms and legalese Allan Yeoman and Keri Johansson, Buddle Findlay

The Privacy Commissioner, John Edwards, has told businesses that it’s “time to raise your game” and improve the transparency of their privacy practices.

In a recent online blog post, the Commissioner sends a clear message that he expects businesses to do more to make sure customers are aware of how their information is being collected and used, especially when the Privacy Bill 2018 becomes law.

Currently, it’s common to tell customers how you handle personal information in a privacy policy. That policy is probably linked at the bottom of your website, and before customers buy your products, you might ask them to tick a box saying they agree to it.

In practice, probably very few people actually read the privacy policy before ticking “I agree” and if they did choose to read it, they’d probably need around 15 to 18 minutes’ time to spare, and at least a university reading level.

A privacy policy serves two key legal purposes:

1. It tells people what personal information you are collecting, why, and what you will do with it. This is because the Privacy Act says that agencies need to take “reasonable” steps to ensure people are aware of these things
2. In some situations, if you need broader rights to use or disclose personal information than would normally be legally allowed, a privacy policy can serve as “authorisation” of those broader rights. This is because the Privacy Act says that when you collect personal information from someone for one purpose, you can only use it for that purpose. There is an exception to this rule where you believe on “reasonable” grounds that the person authorises you to use or disclose their information for something else.

In both situations, you need to do what is “reasonable” in the circumstances. You need to take “reasonable” steps to ensure the person is aware of your privacy practices, and you need reasonable grounds to believe someone has authorised you to use or disclose their personal information for something other than the original purpose of collection.

The Commissioner’s post says that simply putting this information in a privacy policy and (without evidence that customers read and understand the policy), is not necessarily reasonable. This is most likely to come up where the privacy policy is complex, or says something unexpected or unfair.

For example, let’s say you provide an online service with a monthly subscription. Customers subscribe via your website with their contact and payment information. Even without reading your privacy policy, customers will expect you to use their personal information to provide them with the service, but they probably don’t expect you to sell their information to a United States data broker.

Similarly, if you’re a global household brand, they might expect you to share their details with other entities in your group, but they probably don’t expect you to be sharing it with other people.

Buddle Findlay

The Commissioner’s post suggests that in these unexpected situations, businesses cannot rely on the fact that the practice is explained somewhere in a privacy policy, especially if it’s buried in complex terms and legalese. He will be looking for evidence that it’s actually reasonable to believe that customers understand what is in the policy, and that authorisation from individuals is genuine and informed.

Buddle Findlay

Although the Commissioner’s blog post presents this as a change, we don’t think that it is really a shift in the law, or how it is interpreted. The obligations to be reasonable are already in the current Privacy Act, and it’s already difficult to enforce unexpected or onerous clauses in standard terms under New Zealand law, especially for consumer products and services.

However, we do think this means that the Commissioner will be paying closer attention to these issues, and intends to use his expanded powers under the Privacy Bill to improve transparency around privacy practices. For example, under the Bill, the Commissioner will be able to issue compliance notices, to require agencies to make changes where their privacy practices are not up to scratch.

We think now is a good time for all organisations to review their privacy policies and consider:

• Are they clear and easy to understand?

• Are they presented in a way that encourages people to read them?

• Is there anything unexpected in there that should be brought to people’s attention more prominently (e.g. via a separate tick box)?

• Can we increase customer control over their personal information in some other way (eg by letting them change their own privacy settings, or using other features of “privacy by design”)?

Answering these questions will go a long way towards meeting the “reasonable” criteria, and help businesses get ready for when the Bill becomes law in early 2020.

Allan Yeoman is a partner and Keri Johansson is a senior associate at Buddle Findlay.

Sign up for CIO newsletters for regular updates on CIO news, career tips, views and events. Follow CIO New Zealand on Twitter:@cio_nz

Send news tips and comments to divina_paredes@idg.co.nz @divinap