On 1 December 2020, the Privacy Act 2020 (NZ) repealed and replaced the Privacy Act 1993, which represents a once-in-a-generation overhaul of New Zealand’s privacy laws. The new Privacy Act 2020 introduces important changes with extraterritorial reach. These include regulating the sending of personal information overseas, New Zealand’s first data breach notification regime, new criminal offences and much more.
Whether you are a business operating exclusively in New Zealand, or a business with a presence in New Zealand, the new Privacy Act 2020 (PA 2020) will impact your business as a new era of privacy regulation dawns in New Zealand. Tyrilly Csillag and Andrew McDonald (Practical Law, Australia) caught up with Abigail Milburn (Practical Law, New Zealand) and Louise Sinclair (Practical Law, Australia) to take a closer look at the changes.
The extraterritorial impact of the PA 2020 is now expressly stated, meaning that an overseas business or organisation conducting business in New Zealand will be subject to the obligations imposed by the new law (section 4, PA 2020).
Country’s first mandatory data breach notification regime
For the first time, New Zealand businesses will be required to notify the Privacy Commissioner as soon as reasonably practicable after becoming aware that a notifiable privacy breach has occurred (section 114, PA 2020). A notifiable privacy breach broadly means a breach that causes (or is likely to cause) serious harm to an affected individual or individuals (section 112(1), PA 2020).
“Businesses operating in New Zealand will have a lot at stake if they fail to update their data breach response plan. Employees and business leadership need to get up to speed now on compliance with the new Privacy Act 2020 as we enter this new phase of data protection.” – Abigail Milburn, Senior Writer, New Zealand, Practical Law
Failure to notify the Privacy Commissioner will be an offence that will potentially result in a conviction and fine of up to $10,000 (NZD), unless there is a reasonable excuse for failing to notify (section 118, PA 2020).
New Zealand businesses will also need to notify affected individuals as soon as practicable after becoming aware that a notifiable privacy breach has occurred, unless an exception applies (section 115(1), PA 2020).
Restrictions on sending personal information outside of New Zealand
The PA 2020 introduces new Information Privacy Principle 12 (IPP 12), which lists circumstances in which an agency may disclose personal information to a foreign person or entity. This includes, for example, where the receiving foreign person or entity is subject to privacy laws comparable to those in New Zealand (paragraph (1)(c) of IPP 12, section 22, PA 2020).
Criminal offences update
New offences with fines of up to $10,000 (NZD) will be introduced, including the offence of misleading an agency in order to gain access to another person’s personal information (section 212(2)(c), PA 2020), and the offence of a business destroying personal information in response to a request from an individual to seek access to that personal information (section 212(2)(d), PA 2020).
Other new criminal offences in section 212 include (in summary):
- Obstructing, hindering or resisting the Privacy Commissioner (or any other person) in the exercise of their powers.
- Refusing or failing to comply with directions from the Privacy Commissioner.
- Making knowingly false or misleading statements to the Privacy Commissioner.
- Making false representations about holding authority under the PA 2020.
Heightened powers for the Privacy Commissioner
The Privacy Commissioner will be authorised to issue compliance notices to businesses or organisations to require them to do something, or cease doing something, in order to comply with the PA 2020 (section 123, PA 2020).
As part of investigating access complaints, the Privacy Commissioner will also have authority to make enforceable access directions to direct organisations to provide individuals with access to their personal information (section 92, PA 2020).
Adequacy status under the GDPR
In enacting the PA 2020, New Zealand’s Parliament paid particular attention to the global context of privacy law reform, particularly the European Union (EU) General Data Protection Regulation (GDPR) and recent changes to Australian privacy laws. This global context is expressly contemplated in the purposes of the PA 2020, which provide for the promotion and protection of individuals by giving effect to internationally recognised privacy obligations and standards, including the OECD Guidelines and the International Covenant on Civil and Political Rights (section 3, PA 2020).
The European Commission (EC) has previously adopted a decision that, for the purposes of Article 25(2) of Directive 95/46/EC of the European Parliament and of the Council (Data Protection Directive), New Zealand is considered as ensuring an adequate level of protection for personal data transferred from the EU (see European Commission: Commission Implementing Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by New Zealand).
The EC reviews its adequacy decisions periodically, but for the time being that decision remains in force. This means that, for the purposes of Article 45(1) of the GDPR, a transfer of personal data from the European Economic Area to New Zealand may take place without any specific authorisation.
What do the changes mean for businesses?
Given the express extraterritorial reach of the PA 2020, businesses should consider the extent to which the obligations imposed by the PA 2020 might extend to their operations.
“Businesses that collect or store the personal information of New Zealanders, or carry on business in New Zealand, will need to consider how these new obligations apply to their business.” – Louise Sinclair, Senior Writer, Commercial, Practical Law
For example, businesses should consider whether their internal privacy practices, processes and policies will need to be reviewed and updated. They should also consider whether their data breach response plan is compliant with the PA 2020.
Legal guidance resources
A table comparing the Privacy Act 1993 with the PA 2020, prepared by the Office of the Privacy Commissioner (OPC) with Practical Law New Zealand, is freely accessible online.
Additionally, an overview of New Zealand’s privacy laws, including extensive discussion of the new PA 2020, written by Hayley Miller, Partner, and Campbell Featherstone, Senior Associate, with assistance from Emily Tombs, Solicitor, all of Dentons Kensington Swan, is available for Practical Law Australia and New Zealand subscribers.
Tyrilly Csillag, Head of Commercial and In-House, Practical Law Australia
Tyrilly is an experienced senior in-house lawyer with over a decade of experience working within in-house legal teams for multinational and national corporate entities as well as government entities. Prior to joining Practical Law, she held the position of Counsel for IBM with a focus on technology contracting and data protection laws, and managed lawyers practising in the ANZ and Asia Pacific legal teams. Tyrilly currently sits on the NSW Law Society’s Privacy and Data Protection Committee and is a member of the Association of Corporate Counsel Australia (ACC), the In-house Counsel Women’s Network (ICWN) and the International Association of Privacy Professionals (IAPP). She recently received the In-house Counsel Certified (ICC) designation from the Association of Corporate Counsel’s Credentialing Institute.
Andrew McDonald, Writer, Practical Law, Australia
Andrew joined Practical Law after more than seven years in practice at leading law firm King & Wood Mallesons and specialist corporate firm Watson Mangioni. Andrew’s practice included advising clients on a range of corporate transactions and commercial matters including mergers and acquisitions, restructures, commercial contracts, capital raising and corporate governance.