Life in the digital age means that we increasingly collect, store and disclose personal information like never before. The new Privacy Act 2020 provides a much needed change to privacy law in New Zealand, refreshing the 27-year-old Privacy Act 1993, ensuring we align with international best practice.
The Act came into force on December the 1st, the changes are due to impact organisations, businesses and individuals by placing greater value on individual privacy rights. The Act primarily does this through providing greater accountability when there is a breach of privacy and streamlining the complaints process.
The Government has implemented many of the changes seen in the Act based on recommendations from the Law Commission’s 2011 review of New Zealand’s privacy laws. It appears that these changes have been a long time coming, reflecting the increasing difficulty that our law-makers have when keeping up-to-date with advancing technologies. As stated by Privacy Commissioner John Edwards:
“No, legislation can’t keep up, but that doesn’t mean it shouldn’t try.”
New Criminal Offences
The Act has introduced new criminal offences where personal information is destroyed after someone has made a request for it and where someone misleads a business or organisation in a way that affects someone’s personal information. The maximum fine for these offences is $10,000.
Mandatory Notification for Harmful Breaches
It is now mandatory businesses and organisations to notify the Privacy Commissioner and any affected parties of privacy breaches which have caused, or are likely to cause, serious harm. This is a marked change to the current system where compliance relies on an individual bringing a complaint to the Commissioner themselves.
Powers of the Privacy Commissioner
The Act has also given the Privacy Commissioner the right to issue compliance orders where agencies are not complying with the Act. Failure to comply with a compliance notice may result in a fine of up to $10,000.00. The Privacy Commissioner can also demand the release of personal information where an organisation or business refuses to make personal information available upon request.
In order to address harmful privacy breaches from overseas, New Zealand organisations or businesses will need to ensure those overseas entities have similar levels of privacy protection to those in New Zealand before disclosing New Zealanders’ personal information overseas.
The Act also has explicit application to businesses whether or not they have a legal or physical presence in New Zealand. If an international digital platform is carrying on business in New Zealand, with New Zealanders’ personal information, there will be no question that they will be obliged to comply with New Zealand law regardless of where they, or their servers are based.
Privacy Protection Laws fit for a Data Rich Society?
The changes that have been introduced by the Privacy Act aim to retain the flexibility of the current legislation, by way of its principles, whilst taking a more preventative approach to privacy breaches.
As the changes have received cross-party support from Parliament there is a clear sense of unanimity that our concerns surrounding data sharing are well founded. Although privacy law is reactive by nature, Privacy Commissioner John Edwards is optimistic about the updated legislation as it ultimately:
“…provides a modernised framework to better protect New Zealanders’ privacy rights in today’s environment.”
To examine the exact changes, see the Privacy Act 2020 here.
The final Parliamentary Justice Select Committee report can be found here.
If you need any more detail on how these changes will affect your organisation then contact our Privacy Law Specialists in the Corporate and Commercial Law Team.
Author: Annie Prosser