Published on the 08/07/2020 | Written by Jonathan Cotton
What does it mean for business?…
New Zealand’s 27-year-old privacy laws have finally been updated with the passing of the 2020 Privacy Act by Parliament last month.
The bill repeals and replaces the Act of 1993, as recommended by the Law Commission’s review way back in 2011.
Now it’s done, with the new Act’s purpose, according to the Privacy Commission, to ‘promote people’s confidence that their personal information is secure and will be treated properly’.
So what are the key changes to the Act?
For business, the first notable change is the new mandatory privacy breach notification requirements. Under the new rules, organisations that have a privacy breach that ‘poses a risk of serious harm’ are required to notify the Commissioner and affected parties.
Going forward, not notifying the Commissioner in the event of a breach will be considered an offence.
“Under the Act, it is an offence to fail to inform the Privacy Commissioner when there has been a notifiable privacy breach.
“The Act clarifies that liability for breach notifications sits with the business or organisation, and not the individual employees.”
This move pulls New Zealand into line with EU standards and GDPR data breach notification requirements, as well as Australia’s Privacy Act.
There are also strict new rules regarding the movement of data offshore. Under the new rules, agencies are only able to disclose personal information to an overseas person ‘if the [data owner] authorised the disclosure, the overseas person was in a prescribed country, or the agency believed on reasonable grounds that the overseas person was required to protect the information in a way that, overall, provides comparable safeguards to those in the bill’.
Simply put, if an agency outside of New Zealand is receiving Kiwi users’ data, it is subject to requirements similar to those in the new Privacy Act. If a jurisdiction does not offer similar protections, the individual concerned must be fully informed of that fact and made aware that their information may not be adequately protected, and must expressly authorise the disclosure.
Similarly, foreign presences will have to comply with New Zealand law if they are doing business here.
“If an international digital platform is carrying on business in New Zealand, with the New Zealanders’ personal information, there will be no question that they will be obliged to comply with New Zealand law regardless of where they or their servers are based.”
The bill creates new criminal offences as well, including misleading an agency to obtain access to someone else’s personal information, and destroying a document containing personal information knowing that a request has been made for it.
Under the old Act, penalties for offences are fines of up to $2,000. Under the new Act, fines for offences can now reach $10,000. The Privacy Commissioner has, in the past, called for fines as high as $1 million.
To enforce it all, the Privacy Commissioner’s powers have been beefed up, with the Commissioner now able to issue notices ordering agencies to comply with the Privacy Act. If an organisation refuses to make personal information available upon request, the Commissioner will have the power to demand its release.
The bill passed with unanimous support.
“The new Privacy Act provides a modernised framework to better protect New Zealanders’ privacy rights in today’s environment,” says Privacy Commissioner John Edwards.
“I am grateful for the cross-party support of Parliament on this issue. It is an endorsement of the significance of privacy as a universal human right that the Bill was passed with the multi-party support of the House.”
Coinciding with the announcement, the Privacy Commissioner also released the results of its latest survey, which shows a healthy national appetite for improved privacy law.
The report, entitled Concerns and Sharing Data, finds nearly two-thirds of survey respondents in favour of “more regulation of what companies can do with their customers’ personal information” (29 percent said they were happy with the same level, with just 6 percent calling for less regulation).
According to the report, New Zealanders’ privacy concerns centre on unauthorised business sharing of their personal information (75 percent); theft of banking details (72 percent); and security of personal information online (72 percent). While of lower concern, 41 percent of respondents say they are concerned with the rise of CCTV and facial recognition technology in New Zealand.
Three-quarters of respondents were either concerned or very concerned about businesses sharing their personal information without permission – compared to 65 percent who were concerned or very concerned about government agencies doing the same.
No official date has been announced yet, but the Act is expected to come into effect in December this year.