New Zealand's amended privacy law goes into effect this month, adding to the growing number of laws in the Asia-Pacific region that have been adopted or modified recently to impose EU-style restrictions on cross-border transfers of personal data, extraterritorial provisions, and breach notification obligations. New Zealand was the first jurisdiction in the region to enact a comprehensive privacy law in 1993 and is the only one to date recognized by the EU as providing adequate privacy protection. 

The amendments, which became effective on December 1, 2020, make significant changes to New Zealand's privacy regime. In particular, the Privacy Act 2018 (“Act”) expands the application of the privacy regime to businesses whether or not they have a legal or physical presence in New Zealand. In order to transfer personal data outside of New Zealand, an organization must reasonably believe that the receiving entity provides “comparable safeguards” to those provided by the Act (or the organization must satisfy another condition specified in the Act). In the event of a data breach, the organization must notify both the data protection authority and affected individuals. In addition, the Act provides for a number of new offenses, increased fines, and compliance notices.

Given these changes, companies doing business in New Zealand should review their existing privacy compliance programs to ensure that they comply with the new requirements under the Act.

The following provides an overview of the key changes.

Scope.

Unlike the original privacy law, which applied only to organizations in New Zealand, the Act applies to public and private organizations in New Zealand as well as overseas organizations that collect or hold personal information in the course of carrying on business in New Zealand. It does not matter where the personal information is collected or held or where the individual concerned is located. An organization may be treated as carrying on business in New Zealand without necessarily:

  • Being a commercial operation;
  • Having a place of business in New Zealand;
  • Receiving any monetary payment for the supply of goods or services; or
  • Intending to make a profit from its business in New Zealand.

According to the Office of the Privacy Commissioner (“OPC”) in its guidance on Disclosing personal information outside New Zealand (“Guidance”), in determining whether an organization is “carrying on business” in New Zealand, relevant factors include whether:

  • The organization is undertaking activities that involve the collection, use, and disclosure of personal information on a repetitive, systematic, or continuing basis;
  • The organization has a website offering goods or services to countries including New Zealand, or specifically targeted at New Zealanders;
  • The activities take place or are acted upon in New Zealand; or
  • The organization is the holder of trademarks or has registered web domains in New Zealand.

Cross-Border Transfers.

The Act includes new cross-border transfer restrictions. To transfer personal information to a foreign person or entity outside of New Zealand, the foreign recipient must be subject to comparable privacy safeguards or the individual to whom the personal information relates must consent to the disclosure. In particular, the organization must have reasonable grounds to believe that the overseas recipient is:

  • Subject to the Act;
  • Subject to privacy laws that, overall, provide comparable safeguards to those in the Act;
  • A participant in a prescribed binding scheme (such as binding corporate rules or “BCRs”);
  • Subject to privacy laws of a prescribed country (to be set forth in subsequent regulations); or
  • Required to protect the data in a way that, overall, provides comparable safeguards to those in the Act (for example, pursuant to an agreement entered into between the two organizations).

Alternatively, where the individual consents to the disclosure, the individual must be expressly informed beforehand that the foreign recipient may not be required to protect the information in a way that provides comparable safeguards to those in the Act. 

According to the OPC Guidance, the best and most practical way to ensure comparable safeguards is through an agreement between the transferring organization and the recipient. If the organization has reasonable grounds to believe the foreign entity is required, under its contractual agreement with that foreign entity, to protect the information in a way that provides comparable safeguards, then this will comply with the requirements of the Act. Where the foreign entity is subject to a privacy law that does not provide comparable safeguards, the contract should refer to the applicable legislation and provide additional protections so that the agreement provides comparable safeguards. The OPC recommends that organizations consider using its recently issued model contractual clauses for cross-border transfers. Organizations can modify the clauses to suit their needs or use their own contract clauses, so long as comparable privacy safeguards are included.

In its guidance on the model contractual clauses, the OPC cautions that organizations will need to have a reasonable basis to believe that the model clauses will provide comparable safeguards to the Act. This means that an organization may not be able to rely on an agreement based on its model clauses where the transfer is to a country that does not have a fair, reliable, and accessible court system allowing enforcement of the agreement, or a country that has other laws that would undermine the privacy protections in the agreement.

Alternatively, organizations may disclose personal information to a foreign entity that is subject to a privacy law that provides comparable safeguards to the Act. However, the organization would need to undertake due diligence to be satisfied that it can rely on this legal basis. “Comparable safeguards” do not mean that the foreign entity must be subject to requirements that are exactly the same as New Zealand requirements. The organization would need to carefully investigate whether any key differences from New Zealand privacy law are significant. For example, some laws only cover specific sectors, such as health. A privacy law that is limited to the health sector could provide comparable safeguards if the recipient organization is in that sector and is subject to that law. 

Use of Cloud Providers.

As under the original law, the Act does not restrict transfers to service providers acting only as agents (i.e., they only process the information in accordance with the organization's instructions). The OPC guidance on Disclosing personal information outside New Zealand further clarifies that the use of an offshore cloud provider to store or process the organization's data is not considered to be a disclosure under the Act and, therefore, is not subject to the cross-border rules, provided that the cloud provider is not using that information for its own purposes. However, if the receiving organization uses or shares that personal information for its own purposes, then the transfer of personal information to it will be covered by the cross-border rules.

Security Breach Notification.

Organizations must now notify the OPC as soon as practicable after becoming aware that a “Notifiable Privacy Breach” has occurred. A Notifiable Privacy Breach is defined as a privacy breach that has caused or is likely to cause serious harm to affected individuals. Affected individuals must be notified as soon as practicable after an organization becomes aware that a Notifiable Privacy Breach has occurred, unless an exception applies or a delay is permitted. 

Notice to affected individuals must describe the Notifiable Privacy Breach and state whether the organization has or has not identified any person or body that the organization suspects may be in possession of personal data, explain the steps taken or to be taken in response to the breach, and, where practicable, describe the steps affected individuals may wish to take to mitigate or avoid potential loss or harm (if any). In addition, the notice must advise individuals whether the OPC has been notified, inform them that they have the right to make a complaint to the OPC, and give them contact details of a person within the organization for inquiries. 

If it is not reasonably practicable to notify an affected individual or each member of a group of affected individuals, then the organization must instead give public notice of the privacy breach, unless an exception under the Act applies or a delay is permitted. Public notice must be given in a form in which no affected individual is identified and in accordance with any regulations made under the Act.

The notice to the OPC must describe the Notifiable Privacy Breach, including the number of affected individuals (if known) and the identity of any person or body that the organization suspects may be in possession of personal data as a result of the breach (if known). It must explain the steps that the organization has taken or plans to take in response to the breach, including whether any affected individuals have been or will be contacted. If the organization is giving public notice of the breach in lieu of individual notices, the notice must set out the reasons why. If the organization is relying on an exception, or is delaying notifying affected individuals or giving public notice, it must state the exception relied on and set out the reasons for relying on it, or state the reasons why a delay is needed and the expected period of delay. The notice must also provide the names or give a general description of any other agencies that the organization has contacted about the breach and the reasons for having done so, and give details of a contact person within the organization for inquiries.

Penalties and Compliance Notices.

The Act increases the fines for violations from NZ $2,000 to NZ $10,000 and introduces new offenses, such as misleading an organization by impersonating someone (or pretending to act with that person's authority) in order to gain access to their personal information or to have it altered or destroyed, and destroying a document containing personal information knowing that a request has been made for that information.

In addition, an organization that, without reasonable excuse, fails to notify the OPC of a Notifiable Privacy Breach commits an offense and is liable on conviction to a fine not exceeding NZ $10,000. It is not a defense to a charge under the Act that the organization has taken steps to address the breach. It is a defense, however, that the organization did not consider the privacy breach to be a Notifiable Privacy Breach, but only if it was reasonable to do so in the circumstances. 

Lastly, unlike the original law, the Act empowers the OPC to issue compliance notices to organizations that fail to comply with their obligations under the Act. Organizations must comply with these notices as soon as practicable upon receipt and, if applicable, remedy the violation by the date specified in the compliance notice.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved