Children’s data and privacy: Deputy Commissioner highlights NZ’s light penalties

Unlike some overseas jurisdictions, there is no specific provision in New Zealand for parental consent for social media signup if a child is under 13. Image / Getty Creative

The Office of Privacy Commissioner Michael Webster will soon begin an assessment of whether our privacy legislation is fit-for-purpose to protect children’s data, his deputy Liz MacPherson told the Herald. At the same time, she highlighted that our privacy watchdog does not have the threat of significant fines in its arsenal, unlike its overseas counterparts.

MacPherson’s comments followed social media firms being whacked by a series of fines globally - one of which was driven by Webster’s predecessor.

John Edwards got some bite after he moved to the UK in late 2021 - where then Prime Minister Boris Johnson had named him the new “privacy czar” (or, more officially, the head of Britain’s Information Commissioner’s Office or ICO).

The former Wellingtonian hit international headlines recently as the ICO hit TikTok with a £12.7 million (about $26m) fine - for illegally allowing under-13s to sign-up without parental consent and then, in Edwards’ view, taking insufficient steps to identify and remove more than 1.4 million under-age accounts.

The April penalty was reduced from £27m after representations from TikTok, but was still a UK record, and enough to make social media firms sit up and take notice.

In May, Amazon agreed to pay a civil penalty of US$25m (about $41m) after it was charged with breaching the Children’s Online Privacy Protection Act (COPPA) for collecting children’s conversations through its Alexa voice assistant, without parental consent.

NEW: We have fined TikTok £12.7 million for misusing children’s data.
Read more: https://t.co/7EKpjQed8r pic.twitter.com/c0HsTC2x3z

— ICO - Information Commissioner's Office (@ICOnews) April 4, 2023

In September last year, Meta was fined €405m for charges related to Instagram’s handling of children’s data under the EU’s General Data Protection Regulation (GDPR). Meta said it would appeal the fine.

There have also been a number of substantial fines related to general privacy. In August 2022, the Australian Federal Court ordered Google to pay an A$60m fine for making misleading representations to consumers about the collection and use of their personal location data. It said many Android phone users had not been aware that turning off location-tracking was a two-step process (Google streamlined it after the period covered by the charges, which was from January 2017 to December 2018).

Edwards had wanted to take the same big-penalty approach in New Zealand, where he was Privacy Commissioner for seven years from 2014.

In the run-up to a 2020 update of our Privacy Act, Edwards submitted his office should shift from ticking-off letters and fines of $2000 for individuals and $10,000 for companies that breach the Act to $100,000 fines for individuals and up to $1m for companies.

He lost out. The Privacy Act 2020 introduced a number of key reforms, including mandatory data breach disclosure (so Latitude had no choice but to tell customers their driver licence and passport details had been swiped). But it stuck with token fines and ticking-off letters.

Unlike some overseas jurisdictions, there is no specific provision for parental consent for social media signup if a child is under 13.

But, “the Privacy Act 2020 includes a specific requirement to collect information from young people in ways that are fair and not unreasonably intrusive, having regard to their age,” Deputy Privacy Commissioner Liz MacPherson told the Herald.

Last August, California lawmakers passed a law that would require many online services to increase protections for children. Britain passed a similar measure in 2021.

Significant financial penalties overseas ... but not here

“Recent developments overseas show other countries are strengthening their protections with respect to children in a range of areas. In New Zealand, we need to consider whether to strengthen protections in law around children’s privacy online and ensure we can handle uniquely digital concerns such as people’s ‘right to erasure’ - also known as the ‘right to be forgotten’,” MacPherson said.

“Many overseas jurisdictions have also had the ability to impose significant financial penalties on companies in breach of privacy law, whereas we in New Zealand do not have a comparable penalty regime currently.

“It is important to have effective tools to incentivise good privacy practice, especially when it comes to children and young people, and our office is monitoring the need to strengthen our privacy penalty regime here.

“Other protections include codes focused on issues specifically impacting children such as market practices, targeting of harmful content and use of young people’s personal information.”

Fit for purpose?

Work will soon begin that could lead to a recommendation to strengthen our privacy legislation.

“In the short term, the Office [of the Privacy Commissioner] will begin engaging with communities in Aotearoa to give children, young people, and their whānau an opportunity to have their say on issues around the collection and processing of children’s personal data in their daily lives - including in the online environment - to hear about their concerns, and what protections they would like to see,” MacPherson said.

“This engagement will help us consider whether current privacy protection regulatory frameworks for children and young people are fit-for-purpose or whether new regulatory responses are required.”

Issues such as the right to erasure and the desirability of a “children and young person’s code” will be discussed, MacPherson said.

Privacy advocates need to be wary the wheels can turn slowly. The 2020 overhaul of the Privacy Act was the culmination of a process that began with a 2011 review by the Law Commission.

Today, we have the Government’s much-anticipated online content discussion paper, which was released on June 1, with its proposal for a new super regulator who would police social media and traditional media. With censorship and harmful content roles in its remit, the super regulator could stray into a key area in children’s privacy: the social media platforms’ lack of any concrete age verification.

However, it’s hard to get a clear picture. As Shayne Currie noted in his Media Insider column: “In some parts, the document raises ambiguous and contradictory points.” A public consultation phase will kick the can down the road, beyond the election.

Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is technology editor and a senior business writer.