Six months to get your business in shape for the new Privacy Act
June 29, 2020 | 3 min read
After almost two years of deliberations and delays, the Privacy Bill has now passed its third reading and is about to become the new Privacy Act, with the changes in effect on 1 December 2020. We discuss the key changes below.
What you need to know
More in step with global data privacy rights, but further reform needed.
The new Privacy Act is an important step forward for New Zealand and our personal data privacy regime. The Act remains a principles-based regime (based on Information Privacy Principles), focusing on protection of personal information about people ordinarily resident in New Zealand. The new regime plugs some significant gaps in the old law by dealing with restrictions to cross-border disclosures and notifiable privacy breaches in line with the privacy legislation in other jurisdictions such as Europe and Australia.
However, some pending issues are still waiting for further reform. For example, relevant terms such as “personal information” and “carrying on business in New Zealand” are not definitively defined, so we must rely on the Courts for guidance on the scope of these terms. Others, including the Privacy Commissioner, continue to raise concerns about the low level at which fines are set in the new Privacy Act when compared internationally, and about the absence of other individual rights available under the GDPR, such as data portability and the right to be forgotten.
Timing
The new Privacy Act will come into force on 1 December 2020, meaning that businesses have until then to ensure all privacy policies and processes are fit for purpose.
Key changes
Key changes that organisations should be preparing for now are outlined below.
Extra-territorial effect
The Act will now extend beyond New Zealand in certain situations, for example, to agencies that are outside New Zealand and collect or hold personal information from New Zealanders. This reform supports the view that the Privacy Commissioner has expressed, that an entity that does not have a New Zealand office is subject to the Privacy Act if it operates in New Zealand and provides services to persons in New Zealand.
Disclosure of personal information outside New Zealand (new Information Privacy Principle 12)
The new Information Privacy Principle stipulates the limited situations in which agencies are able to disclose personal information about New Zealand residents to an overseas person. Businesses may only disclose personal information to an agency outside of New Zealand if such agency is subject to similar privacy safeguards to those in the Privacy Act.
Businesses which disclose information to a foreign agency must:
- ensure that the agency is subject to laws which provide comparable safeguards as those found in the new Privacy Act; or
- expressly inform the individual concerned (when collecting their personal information) that this may not be protected in a comparable way when disclosing it to an overseas agency.
Sending information to a cloud storage provider which is processing information for purposes of the business will not be treated as disclosure, but the agency using the services of the cloud storage provider will remain responsible for the personal information.
Businesses should review their privacy practices to assess whether they can meet the requirements under the new Act. Privacy policies, processes and/or arrangements with off-shore agencies (and cloud service providers) may need amendment to ensure that the requirements of the new Act are met.
Mandatory notification of privacy breaches
Under the new Act, an agency must notify the Privacy Commissioner, and any affected individual(s), as soon as practicable after becoming aware of a privacy breach which is likely to cause serious harm to the affected individual (or individuals).
For any privacy breach it becomes aware of, the agency must assess whether the breach is likely to cause “serious harm” and therefore whether it is notifiable. Factors the agency must consider include the sensitivity of the personal information, the likely harm, who has obtained or may obtain the personal information as a result of the breach (if known), and whether a security measure (such as encryption) protects the information.
Next steps / Get in touch
Businesses should:
- review and update their privacy policies/statements;
- amend their internal procedures to detect, investigate, assess and report data breaches; and
- train their staff to make them aware of what to do in the event of a serious data breach.
Under the new Act, for example, failing to report a notifiable privacy breach to the Privacy Commissioner is an offence and businesses could be liable to a fine up to $10,000.
Reviewing and implementing new privacy policies and practices can be a complex and confusing process. Please contact our privacy law specialists (pictured right) if your organisation needs help to get ahead of the new Act’s commencement on 1 December 2020.
Contributors: maria.nieto@simpsongrierson.com