We are only just into 2021 but already privacy and cybersecurity are back on the radar as essential issues facing New
Zealand businesses, with the high-profile data breach affecting the Reserve Bank. A DLA Piper global survey makes
sobering reading:
Businesses have been fined EUR272.5 million (about NZD462m) for a wide range of infringements of Europe’s tough data
protection laws. The figure is taken from the law firm’s latest annual General Data Protection Regulation (GDPR) fines
and data breach report of the 27 European Union Member States plus the UK, Norway, Iceland and Liechtenstein. EUR158.5
million (NZD269m) of fines have been imposed in the last year alone, a nearly 40% increase on the previous 20-month
period since the application of GDPR.
Although New Zealand’s new Privacy Act 2020 does not give the Privacy Commissioner here the power to issue fines as
significant as those available to European and UK regulators, New Zealand's introduction of mandatory data breach
reporting means businesses are on notice. They should be watching keenly how breach notifications are dealt with in
jurisdictions with more established data breach reporting regimes. Salient statistics from DLA Piper's report include:
- Double-digit growth in breach notifications for the second year running, with 121,165 breaches notified since 28 January
2020 compared to 101,403 breaches notified in the previous year – a 19% increase.
- Per capita, Denmark tops the rankings for data breach notifications.
- Italy has imposed the highest aggregate fines, with France imposing the highest individual fine to date.
Nick Valentine, head of DLA Piper's New Zealand Data Protection team, says "Regulators in the EU and UK have been
testing the limits of their powers over the last 12 months. It will be interesting to see whether the Privacy
Commissioner takes a similar hard-line approach in exercising his new powers under the Privacy Act 2020 (such as the
issuing of compliance notices), and how New Zealand businesses will approach mandatory data breach reporting from here
on in."
N.B. Not all Member States of the European Economic Area make details of breach notification statistics publicly
available. Several have only provided incomplete statistics or statistics for part of the period covered by this report
so the figures have been rounded up and in some cases extrapolated to provide best approximations. Similarly not all
GDPR fines are publicly reported and some data only covered part of the period covered by this report.