0
Contact Us
Privacy, Data and Cyber-Security
Data is one of the most valuable assets of an organisation. Our specialists assist our clients to manage and protect it in a fast-evolving legal and technological landscape.
While data can be used to create powerful advantages, organisations need to understand and manage their obligations. Cyber-attacks and other data breaches can have a devastating effect on reputation and serious legal consequences.
Our specialist privacy and data lawyers advise private and public sector organisations on the collection, use and disclosure of personal information in accordance with privacy laws, including New Zealand’s Privacy Act 2020, and consumer protection and antispam laws.
In this rapidly evolving area of the law, our specialists are across all the latest developments, including artificial intelligence (AI) and advancing technologies.
We guide clients on their strategies around data governance and pursuing the opportunities that data use can create, while adhering to good data ethics.
Our specialists have particular expertise in crisis management, managing data breaches, and litigation arising out of cybersecurity and data disputes. We acted in the ground-breaking case that first recognised breach of privacy as actionable under New Zealand law. Since then, we’ve acted on leading New Zealand cases dealing with civil liability for interference with privacy and with balancing the competing values of privacy, open justice, and freedom of information.
We are active members of the International Association of Privacy Professionals (iapp) with several members of our team acting as chairs on the Auckland chapter KnowledgeNet.
Our services include:
- advising New Zealand and international businesses on privacy and related data protection matters, including Privacy Act and GDPR obligations, and using generative AI and facial recognition and other biometric technologies
- advising on trans-border data flows, particularly for multi-national clients seeking to store personal information of New Zealand customers or personnel offshore
- assisting clients to assess their privacy practices and procedures, undertake privacy impact assessments on new initiatives, undertake privacy audits and improve privacy practices
- preparing privacy policies in relation to customer, supplier and employee data
- assisting clients to undertake Privacy Act reviews and respond to Privacy Act requests; and with compliance notices and access determinations issued by the Privacy Commissioner
- assisting clients with Official Information Act and LGOIMA requests
- advising and acting on privacy-related disputes in the Human Rights Review Tribunal and the Courts
- assisting with managing and responding to data breaches and cyber-attacks, including seeking urgent injunctive relief from the Courts.
Resources
Our summary sheet provides an overview of the Privacy Act 2020.
Our notifiable privacy breaches flowchart will help you work out whether a breach is notifiable and provides an overview of the notice requirements.
Work Highlights
Te Whatu Ora & Ministry of Justice
Obtaining urgent restraining orders preventing the access, use or disclosure of confidential information obtained during a cyber-attack on Mercury IT, Te Whatu Ora & Anor v Unknown Defendants (2023).
Waikato District Health Board (now Te Whatu Ora)
We acted for Waikato District Health Board in a landmark proceeding for breach of confidence against Radio New Zealand (RNZ) and others preventing further publication of information published on the dark web as the result of a cyber-attack, Waikato District Health Board v Radio New Zealand (2022).
Various clients
We regularly advise national and multinational businesses (including leading technology firms, consumer products businesses, social media platforms and luxury brands) on privacy and data-related issues in the development and/or rollout of new products and services to the New Zealand market such as:
- connected car services
- virtual reality headsets and other wearable technologies
- biometrics and digital identity verification tools
- satellite communication services
- machine learning models and generative AI tools
- drones
- surveillance and monitoring technologies (including facial recognition technologies)
Recent examples of products, services and technologies that the team has advised on include:
- advising a leading social media platform on the use of cookies and GPS data to facilitate tailored advertising to users, and on the privacy implications for use of facial recognition technology with eye tracking and lip sync capabilities on the platform
- advising a luxury goods brand on its in-store and online customer registration processes, proposed use cases for personal information, data retention policies, data locality requirements and anti-spam compliance
- advising a global mobile handset provider on the provision of a satellite-based data service to facilitate data transmission when users are outside of cellular network coverage
- advising an international payments provider on its proposed use of an AI fraud detection tool
