My research list

Loading My Research List ...

Save my research

Don't lose any of your research. Fill out the form below and have your research list emailed to you.

Register to receive our latest publications

Can U keep a secret: Select Committee releases Privacy Bill Report

March 14, 2019

Contacts

Partners Jania Baigent, Sally McKechnie, Karen Ngan

Data protection (inc Privacy Bill and GDPR) Government reform and public policy

In March 2018, we updated you on the Government's introduction of the Privacy Bill into Parliament (See our article on the Bill here). The Bill was referred to the Justice Select Committee in April 2018. The Select Committee reported back on the Bill yesterday, endorsing many of the proposed reforms, but also making some key changes.

In this update, we briefly highlight the key changes proposed by the Select Committee and remind you of the other main reforms in the Bill. A copy of the Report can be found here.

Key changes proposed by the Select Committee

In summary, the Select Committee’s recommendations on the Bill include:

  • Clarification on the mandatory data breach reporting regime: The introduction of a mandatory data breach reporting regime is endorsed, but a number of amendments to it have been proposed. Most significantly, data breaches will now only be notifiable to the Commissioner and affected individuals if the breach has caused, or is likely to cause, “serious harm”. Previously the Bill required notification of breaches causing or likely to cause harm that fell within the scope of an “interference with privacy”, which did not have the concept of serious - there just needed to be loss, detriment, damage or injury, or an adverse effect or similar. The amendment should reduce potential over-reporting of privacy breaches, and reduce the cost of compliance. This amendment is also more aligned with the Australian threshold for data breach reporting.
  • Privacy Act extended to apply to activities of a NZ agency offshore: The Privacy Act will apply to all actions taken by a New Zealand agency, whether inside or outside New Zealand. It will also apply to all personal information collected or held by a New Zealand agency, regardless of where the information is collected or held, and where the individual concerned is located.
  • Privacy Act extended to apply to offshore agencies: A significant proposed change is to expressly extend the Privacy Act to apply to agencies located offshore, so long as that agency is “carrying on business in New Zealand”. The Act will apply to personal information collected in the course of such business, regardless of where the information is collected or held, and whether or not the overseas agency has a physical presence in New Zealand, charges monetary payment, or makes a profit from its business here. It is clear the Select Committee is intent on ensuring that global businesses doing business in New Zealand, irrespective of where the individual or the agency is located, comply with the new Privacy Act.
  • Responsibility for Cloud Service Provider Actions: Amendments have been made to make it clear that so long as a cloud service provider is not using or disclosing a customer’s information for its own purposes, that information will be treated as being held by the customer. As a consequence, it will be the cloud service provider’s customer who will be liable for any privacy breaches by the cloud service provider.
  • Further strengthening to cross-border data flow protection: A new information privacy principle has been added for the off-shoring of personal information. If an agency wants to disclose personal information to an overseas person, it will need to rely on an applicable exemption. For example:
  • the individual concerned authorises the disclosure of his or her information to the overseas person after being expressly informed that his or her personal information may not be required to be protected by the overseas person in a way that provides comparable safeguards to those in the new Privacy Act;
  • the overseas person is either carrying on business in New Zealand and subject to the Privacy Act, or is otherwise subject to privacy laws that provide comparable safeguards; or
  • the overseas person is a participant in a prescribed binding scheme (being an internationally recognised scheme which the participant agrees to be bound by specified measures for protecting personal information that is collected, held, used, and disclosed and mechanisms for enforcing compliance with those measures).

Other key privacy reforms in the Bill

Other key reforms that still remain in the Bill include:

  • greater enforcement powers available to the Privacy Commissioner, including:
  • the ability to issue compliance notices (with an added obligation to publish details of compliance notices); and
  • the power to make binding decisions on access requests;
  • creation of new criminal offences;
  • fines of up to $10,000; and
  • the strengthening of cross-border data flow protection.

There is also now a requirement to have regard to the potential vulnerability of children and young persons when collecting their personal information.

Select Committee rejects call for further reforms

The Select Committee has not gone as far as called for in submissions from the Privacy Commissioner and others, including the call for greater alignment with the European Union’s General Data Protection Regulation.

Some will be pleased that the Privacy Commissioner’s call for $1 million fines was not adopted, but with his recent reappointment for a further term, we can expect him to continue to make the case for more enforcement powers and to publicly comment on agencies who he considers have not been adopting appropriate privacy practices.

What next?

The Bill currently has a commencement date of 1 March 2020.

The Bill awaits its second and third readings in Parliament. With a commencement date of March 2020, it seems the expectation is that the Bill will be passed in late-2019.

We will be providing more insights into the proposed reforms in the Bill, but in the meantime, contact us if you have questions or want guidance on what the reforms might mean for you.

Contributors nick.jens@simpsongrierson.com