On 1 December 2020, the Privacy Act 2020 (NZ) (the NZ Privacy Act) repealed and replaced the Privacy Act 1993 (NZ). The NZ Privacy Act better aligns the privacy law in New Zealand (NZ) with international best practice. Importantly, for Australian residents and organisations, it means greater security and accountability for cross-border flows of personal information.
What are the key changes?
Cross border protection and extraterritorial reach
New Zealand organisations will now have to take reasonable steps to ensure that personal information sent overseas is protected by comparable privacy safeguards to those available in New Zealand. The NZ Privacy Act also expressly states that when international organisations, including those in Australia, conduct business in New Zealand, they will be required to comply with the NZ Privacy Act if they hold personal information about New Zealanders.
Mandatory breach reporting
The NZ Privacy Act sees a shift from voluntary to mandatory breach reporting, akin to Australia’s notifiable data breach regime. While not every breach will need to be reported, those that have caused or are likely to cause serious harm will need to be reported to the Privacy Commissioner and the relevant individuals.
New criminal offences
Harsher penalties have been introduced, including the introduction of:
- an offence relating to impersonating or falsely pretending to be an individual in order to gain access to another’s personal information; and
- an offence relating to the destruction of personal information in response to a request to seek access to that personal information.
Increased powers for the regulator
The Privacy Commissioner now has the power to issue compliance notices that may require the recipient to do something, or to cease doing something, if the Commissioner reasonably believes that an organisation has breached the NZ Privacy Act. In addition, the Privacy Commissioner will have the authority to direct organisations to provide individuals with access to their personal information.
Broadened requirements for class actions
The NZ Privacy Act now permits aggrieved individuals or classes of individuals to bring actions in the Human Rights Review Tribunal where harm occurs as a result of an organisation’s privacy breaches. This right of action for the individual is not currently present in Australian privacy laws.
What does this mean for you?
Given the extraterritorial reach of the NZ Privacy Act, you will have to consider the extent to which this new legislation applies to your organisation.
If you carry on business in New Zealand, or collect or store the personal information of New Zealanders, even if you do not have a physical presence in New Zealand, these new obligations will apply to your organisation. This is an opportune time to consider whether your organisation’s privacy practices, processes, and policies need changing or updating as a result of these changes.
With regard to mandatory breach reporting, while you will not be required to report near-misses, you should review your current practices to ensure you have systems in place to capture and assess any potential privacy breaches that may require reporting.
It is important to understand how the NZ Privacy Act may impact your business. Its introduction comes at a time when the cybersecurity landscape is evolving rapidly, and it is particularly topical given the increased reliance on technology and online transactions as a result of the COVID-19 pandemic.
The New Zealand Office of the Privacy Commissioner’s resources on the introduction of the NZ Privacy Act can be found here.
The New Zealand Office of the Privacy Commissioner’s online tool ‘NotifyUs’, which is used to report privacy breaches that are likely to cause serious harm, can be found here.
This article was written by Special Counsel, Hayley Bowman. If you have any questions about the NZ Privacy Act, please contact Hayley.