June

The General Data Protection Regulation (GDPR) will overhaul data protection throughout the European Union when it comes into effect May 25.  A large number of Australian businesses could be affected, therefore, it is important to become familiar with significant elements of the GDPR.

The GDPR is similar to certain principles under the Privacy Act 1988 (Cth) (Privacy Act), but it gives more power to individuals regarding the use of their personal information. Individuals have rights regarding data portability, the right to be forgotten, the right to restrict processing and the right not to be subject to decisions based solely on automated processing.

Australian businesses who must be in compliance are those that have an establishment in the EU, offer goods or services in the EU or monitor the behavior of individuals in the EU. Those not in compliance could face hefty penalties.

The Hong Kong Office of the Privacy Commissioner for Personal Data recently published compliance guidance on the upcoming General Data Protection Regulation (GDPR), which examines the extra-territorial effect on Hong Kong companies.  This includes those that have establishments in the European Union (EU), those that offer goods and services in the EU and those that monitor the behavior of individuals in the EU.

Of particular importance is the compliance guidance examination of the accountability principle in the form of a data protection officer (DPO) and ongoing data privacy management tools under the GDPR, which are not explicitly provided for under the Personal Data (Privacy) Ordinance (PDPO), but will become a mandatory requirement under the GDPR.

New Zealand's Privacy Commissioner has introduced stronger privacy laws and stronger powers for its staff, citing the fact that the Internet, new technologies and social media platforms have transformed the way personal information is used, stored and transmitted.

The bill repeals and replaces the 25-year-old Privacy Act to take account of the changes and bring in new ways to enforce privacy principles. The main changes include mandatory reporting of privacy breaches that pose a risk of harm to people must be notified to the Privacy Commissioner and to affected individuals, the Privacy Commissioner will be able to issue compliance notices that require an agency to do something, or stop doing something, to comply with privacy law.

New Zealand agencies will be required to take reasonable steps to ensure that personal information disclosed overseas will be subject to acceptable privacy standards, and more.