About the author

Kathryn is a fractional GC with extensive experience in the financial services, fintech and payments technology sectors.

She is an Australian qualified lawyer and supports her clients globally as part of Clearlake’s international counsel service.

Clearlake Law provides an outsourced legal department specialised in supporting organisations in the payments industry across the UK, New Zealand and Australia.

This article explores the data protection and privacy requirements for payments businesses operating across these jurisdictions, summarising the most important aspects and providing practical strategies for compliance.

Understanding data protection and privacy regulations

Payments businesses handle vast amounts of sensitive customer information, making compliance with international data protection and privacy laws essential.

Regulations vary across jurisdictions but, in the round, they all aim to safeguard the personal data of your customers (the data subjects) and ensure you process their data securely and transparently.

United Kingdom

In the UK, businesses must comply with the UK General Data Protection Regulation and the Data Protection Act 2018 when processing the personal data of UK residents.

Businesses must report serious breaches to the Information Commissioner’s Office (ICO) within 72 hours of discovery.

Non-compliance can result in fines of up to £17.5 million or 4% of global turnover. If 4% of global turnover exceeds £17.5 million, the higher amount will apply.

Australia

In Australia, the Privacy Act 1988 and the Australian Privacy Principles (APPs) govern data protection.

Privacy breaches relating to Australian residents must be reported to the Office of the Australian Information Commissioner (OAIC) as well as to the affected individuals.

Penalties for non-compliance include fines of up to AUD 2.5 million for individuals and AUD 50 million for companies.

New Zealand

In New Zealand, the Privacy Act 2020 outlines requirements for handling personal information.

Breaches posing a risk of serious harm must be reported to the Office of the Privacy Commissioner.

Fines for non-compliance in New Zealand are capped at NZD 10,000, but reputational damage can be far more significant.

Financial information as personal data

Australia

In Australia, under the Privacy Act, financial information is not classified as “sensitive information” (which includes health data, religious beliefs, etc.), but it is still considered personal information.

APP 11, however, imposes stricter obligations on businesses to protect financial information, including taking reasonable steps to secure personal data against misuse, loss, or unauthorised access.

Financial institutions and organisations handling payment data often face additional industry-specific obligations, such as compliance with the Australian Prudential Regulation Authority standards and the Payment Card Industry Data Security Standard for card payments.

Breaches of financial information could also fall under the Notifiable Data Breach scheme, requiring businesses to notify affected individuals and the OAIC if the breach is likely to result in serious harm.

New Zealand

The New Zealand Privacy Act treats financial information as personal information but does not assign it a higher level of protection compared to other types of personal data.

Unlike Australia, New Zealand does not impose any industry-specific privacy rules for financial data outside general data protection requirements.

United Kingdom

In the UK, financial information is protected as personal information, but the UK does not grant financial information an inherently higher level of protection unless it intersects with other sensitive data categories (e.g., racial or health data linked to financial profiles).

Financial institutions and businesses processing payments must also comply with sector-specific regulations, such as the Financial Conduct Authority guidelines and the Payment Services Regulations. These regulations often require additional safeguards for protecting financial data.

Businesses handling payment card data must also adhere to the Payment Card Industry Data Security Standard to minimise the risk of fraud and ensure secure transactions.

International transfers

Payments businesses operating across the UK, Australia and New Zealand often need to move the personal data of their customers between these jurisdictions and others.

The most typical transfers of interest occur when any subcontractors or suppliers come into contact with the personal data of your customers.

Having said that, simple transfers between your own group companies or between your different cloud servers are viewed through the same lens.

The key is often identifying the location of your own and your suppliers’ email and cloud servers to understand the flow of the data that you are processing.

The regulators are just as concerned with the jurisdictions into which the data flows (think cloud servers) as they are with the place of incorporation of the company receiving the data.

Each country’s regulations impose requirements for ensuring the security and legality of such transfers.

New Zealand

New Zealand’s regulation emphasises ensuring personal information sent overseas is protected by privacy standards comparable to those that apply in New Zealand.

Businesses must take reasonable steps, such as using binding contracts, assessing the adequacy of the recipient country’s laws or notifying individuals and obtaining their explicit consent.

If transferring personal data to Australia or the UK, these tests should be easily met since, of the three jurisdictions in question, New Zealand’s regime is considered the least stringent.

Ensuring comparable privacy protections can be difficult when the recipient country has weaker data protection frameworks.

Organisations in New Zealand often face uncertainty about whether their measures meet the “comparable standards” test.

Australia

In Australia, specific contractual clauses are often needed to demonstrate that the transferred personal data remains safeguarded.

The Privacy Act 1988 and the APPs require businesses to ensure overseas recipients will also comply with the APPs.

In Australia, there is an explicit requirement for the Australian transferring organisation to take responsibility for breaches by overseas receiving entities if those overseas entities fail to take reasonable steps to ensure compliance.

The reasonable steps that must be taken include implementing detailed contractual safeguards and maintaining records of compliance processes.

United Kingdom

The UK’s GDPR is the strictest of the three jurisdictions on the subject of international data transfers.

The UK GDPR mandates that where transfers of personal data out of the UK are to jurisdictions that are not explicitly approved as providing adequate protection by the UK ICO, those transfers must be governed by strict standard contractual clauses (enshrined in law).

Interestingly, New Zealand is currently considered to provide adequate protections, but Australia is not.

The UK also imposes additional scrutiny and requirements on transfers to certain high-risk jurisdictions.

The UK uniquely requires businesses to conduct Transfer Impact Assessments (TIAs) to evaluate risks associated with overseas transfers.

How to remain compliant across jurisdictions

A practical solution for ensuring compliance of internal transfers of personal data between your group companies and internal server locations is to establish internal group cross-border data transfer agreements that align with the strictest regulatory requirements (i.e. the UK, in the context of these three jurisdictions).

These cross-border data transfer agreements should include clauses on data encryption, access controls and audit mechanisms to ensure compliance across all regions.

Obtaining customer consent

The approach to what constitutes lawful processing of personal data across the UK, Australia and New Zealand varies, particularly with the concept of legitimate interests.

United Kingdom

The starting point in the UK is that data subjects (your customers) must consent to you processing their personal data.

Businesses processing the personal data of UK residents can, however, rely on the concept of “legitimate interest” as a lawful basis for data processing, without explicit consent from the data subject, provided they conduct a Legitimate Interests Assessment (LIA).

An LIA involves weighing your business needs against the potential impact on individual privacy and documenting the rationale for processing.

Australia

Processing in Australia is acceptable with implied consent for non-sensitive data, but clear and informed consent is required for sensitive information, unless the processing meets specific legal exceptions, such as the prevention of harm or compliance with legal obligations.

In Australia, the Privacy Act does not explicitly recognise legitimate interests as a basis for processing.

New Zealand

In New Zealand, businesses are required to process data for a lawful purpose that aligns with the individual’s reasonable expectations.

For example, if the purpose of processing is unclear or unusual, explicit consent or detailed notification would typically be required to ensure compliance.

There is no formal equivalent to the UK’s legitimate interest regime in New Zealand.

Practical solutions

Deploying consent check boxes linking to robust privacy policies when first gathering personal details from your customers or prospects is advisable.

This approach can help you to comply with the most stringent requirements across all jurisdictions with a relatively light touch whilst avoiding multiple different compliance mechanisms.

Data breach notifications

Data breaches, of course, present another significant risk across all three jurisdictions. Understanding the specific breach notification requirements is critical for payments businesses to avoid fines and reputational damage.

United Kingdom

Under the UK GDPR, businesses must report data breaches to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the incident, if the breach is likely to result in a risk to individuals’ rights and freedoms.

This strict deadline places significant pressure on organisations to have a well-prepared incident response plan.

Failure to report within the timeframe can lead to fines of up to £8.7 million or 2% of global turnover, even if the breach itself does not attract the maximum penalty.

Businesses must also notify affected individuals without undue delay if the breach poses a high risk to their personal data.

Australia

Australia’s Privacy Act 1988 requires businesses to notify the OAIC and affected individuals if a breach is likely to result in serious harm.

The definition of “serious harm” is somewhat subjective, leaving room for interpretation and uncertainty, and may include financial, emotional or reputational damage.

For payments businesses, the challenge lies in assessing the severity of a breach and deciding whether to notify.

Failure to report can result in penalties of up to AUD 50 million (where the reporting entity is an incorporated business).

Businesses are advised to adopt a proactive stance by regularly updating their risk assessments and breach response plans.

New Zealand

In New Zealand, organisations are required to notify the Office of the Privacy Commissioner and affected individuals if a breach is likely to cause serious harm.

While similar to Australia’s framework, the New Zealand regime does not define “serious harm” as clearly, making it difficult for organisations to assess their obligations.

Smaller organisations, in particular, often struggle with these requirements due to limited resources and expertise.

The maximum fine for failing to comply with the breach notification obligations is NZD 10,000, but reputational damage can far outweigh the financial penalties.

Payments businesses are encouraged to implement robust monitoring systems to detect and evaluate breaches quickly, ensuring compliance with the notification requirements.

Technology solutions

International payments businesses often leverage technology tools to monitor their compliance with data protection standards.

OneTrust is a comprehensive tool that supports compliance with global data protection regulations, including GDPR, the Privacy Act 1988 in Australia, and New Zealand’s Privacy Act 2020.

TrustArc helps businesses streamline compliance through automated data flow mapping, privacy assessments and regulatory updates across jurisdictions.

The benefits of data protection compliance

Ensuring robust compliance with data protection and privacy regulations not only mitigates legal and reputational risks but, if carefully presented and communicated, can also actively enhance customer trust.

Payments businesses that understand and prioritise data security can differentiate themselves in a competitive market, building stronger relationships with customers and stakeholders.

This is a complex area of regulation. The more jurisdictions your organisation touches, the more complex the compliance puzzle becomes. Please do get in touch with us directly if you have any specific questions.

For additional guidance on risks facing organisations in the fintech sector across each of these three jurisdictions, see our post on the top 5 risks for fintech SMEs expanding in the UK, Australia and New Zealand.

About Clearlake Law

Clearlake Law provides a sector-specialist outsourced legal department for your business.

We support organisations in the payments industry operating across the UK, New Zealand, and Australia.

Our experienced, industry-expert lawyers work as an extension of your team.

We provide a single point of contact for all legal matters that arise in your business, from data protection compliance and privacy policies to advising on regulatory obligations and cybersecurity.

Our role is to ensure your business is protected and poised for success at all times.

The author of this post and our leading expert in the payments industry sector is Kathryn Beater.

Visit Kathryn’s profile page now to learn more…

The information provided in this blog is for general informational purposes only and does not constitute legal advice. You should seek independent legal advice regarding your particular circumstances. Accessing or using this blog does not create a solicitor-client or attorney-client relationship with Clearlake Law LLP or with any of our lawyers.