Life in the digital age means that we collect, store and disclose personal information like never before. The Privacy Bill provides a much-needed change to privacy law in New Zealand, refreshing the 27-year-old Privacy Act 1993 and ensuring we align with international best practice.
The Privacy Bill has passed its third and final reading and is expected to take effect as the Privacy Act 2020 on 1 December, after it gains Royal Assent.
The changes are due to impact organisations, businesses and individuals by placing greater value on individual privacy rights. The Act primarily does this through providing greater accountability when there is a breach of privacy and streamlining the complaints process.
The Government has implemented many of the changes seen in the Bill based on recommendations from the Law Commission’s 2011 review of New Zealand’s privacy laws. It appears that these changes have been a long time coming, reflecting the increasing difficulty that our law-makers have in keeping up to date with advancing technologies. As stated by Privacy Commissioner John Edwards:
“No, legislation can’t keep up, but that doesn’t mean it shouldn’t try.”
New Criminal Offences
The Act will introduce new criminal offences where personal information is destroyed after someone has made a request for it and where someone misleads a business or organisation in a way that affects someone’s personal information. The maximum fine for these offences is $10,000.
Mandatory Notification for Harmful Breaches
The Act creates a requirement that businesses and organisations must notify the Privacy Commissioner and any affected parties of harmful privacy breaches. This is a marked change to the current system where compliance relies on an individual bringing a complaint to the Commissioner themselves.
Powers of the Privacy Commissioner
The Act will also give the Privacy Commissioner the right to issue compliance orders and demand the release of personal information where an organisation or business refuses to make personal information available upon request.
In order to address harmful privacy breaches from overseas, New Zealand organisations or businesses will need to ensure that overseas entities have similar levels of privacy protection to those in New Zealand before disclosing New Zealanders’ personal information to them.
The Act will also have explicit application to businesses whether or not they have a legal or physical presence in New Zealand. If an international digital platform is carrying on business in New Zealand, with New Zealanders’ personal information, there will be no question that they will be obliged to comply with New Zealand law regardless of where they, or their servers, are based.
Privacy Protection Laws fit for a Data Rich Society?
The changes that will be introduced by the Privacy Act aim to retain the flexibility of the current legislation, by way of its principles, whilst taking a more preventative approach to privacy breaches.
As the changes have received cross-party support from Parliament, there is a clear sense of unanimity that our concerns surrounding data sharing are well founded. Although privacy law is reactive by nature, Privacy Commissioner John Edwards is optimistic about the updated legislation as it ultimately:
“…provides a modernised framework to better protect New Zealanders’ privacy rights in today’s environment.”
The Privacy Commissioner has prepared an overview of the Bill, which can be found here.
The Bill can be read in full on the New Zealand Legislation website here.
The final Parliamentary Justice Select Committee report on the Bill can be found here.
If you need any more detail on how these changes will affect your organisation then contact our Privacy Law Specialists in the Corporate and Commercial Law Team.
Author: Annie Prosser