Source: New Zealand Privacy Commissioner – Blog
Investigators Hamish Flanagan and Sammy joined the Office of the Privacy Commissioner (OPC) earlier this year, bringing with them a wealth of expertise from their work with Privacy Commissioners from different corners of the world.
Hamish worked as an Adjudicator at the Office of the Privacy Commissioner for British Columbia and the Information Commissioner for Ontario for over six years, while Sammy spent a year at the Office of the Privacy Commissioner for Personal Data in Hong Kong.
We talked to them about their experiences working in other jurisdictions and the key differences in each country’s approach to privacy law.
OPC Senior Investigator Hamish, who worked under the then British Colombia Privacy Commissioner Elizabeth Denham, says it’s great seeing connections between offices around the world. “It really is so important given the global nature of data flows and the subsequent privacy issues that emerge because of that,” he says.
Hamish says a major difference between Canada and New Zealand is that in addition to the privacy watchdog role, Canada’s provincial privacy commissioners also have jurisdiction over access to information—New Zealand’s equivalent of the Official Information Act, which is administered by the Ombudsman. “Administering that function requires a large amount of additional resource for the Canadian provincial offices,” he says.
Although Hamish and Sammy agree that privacy laws are broadly similar in Canada, Hong Kong and New Zealand, there are some key differences.
OPC Investigator Sammy says there are fewer complaints around access requests in Hong Kong, as most complaints are made about collections, disclosure and direct marketing. “The Privacy Commissioner also has more power to prosecute by referring cases to the Police,” she says.
By contrast, Hamish says enforcement powers, which are similar to the new access directions in the Privacy Act 2020, were a routine and resource-intensive part of the function of the Canadian provincial offices.
But perhaps the most striking difference of all three offices, is that there is no requirement in Hong Kong to establish the ‘harm’ factor, which means any privacy breach is a breach. “This means there is official interference with privacy if an agency breaches any of the privacy principles,” says Sammy. “It tends to mean that agencies in Hong Kong treat privacy matters more seriously than in other parts of the world.”
Hamish feels that New Zealand has historically suffered from a “she’ll be right” attitude to privacy, and a feeling that it might get in the way of Kiwi pragmatism. “I think the Privacy Act 2020 and the greater attention to privacy that it will bring will really move New Zealand’s privacy awareness forward,” he says.