On 1 December 2020, New Zealand's Privacy Act 2020 (the Act) came into force to replace the Privacy Act 1993. The Office of the Privacy Commissioner (NZ), under a campaign called ‘Privacy is Precious', stated that there was a need for stronger privacy protections given the advances in technology, and increased online collection and sharing of information since the old Act was introduced in 1993.
The key changes under the new Act include an extension of the powers and functions of the Privacy Commissioner, the strengthening of cross-border protections, the introduction of criminal penalties for certain behaviour, and an increased focus on risk management and early intervention by ‘agencies' (which is how the Act describes entities that handle personal information).
Mandatory breach notification
There is a new requirement for agencies to report a privacy breach to both the Privacy Commissioner and the person or people affected, if the agency believes the breach has caused or is likely to cause serious harm. Liability for failure to report a breach sits with businesses, not individual employees.
Enhanced role of Privacy Commissioner
Under the new Act, the Commissioner's new powers include:
- the power to shorten the time frame in which an agency must comply with investigations (with an increase in the penalty for non-compliance);
- the power to issue compliance notices to agencies, containing a requirement that they do or stop doing something to ensure compliance with the Act. The notice will specify steps to be taken and a date by which changes must be made;
- the power to direct agencies to provide access to individuals' personal information held, with such directions enforceable in the Human Rights Review Tribunal; and
- the ability to make binding decisions about complaints regarding access to information. Formerly, the Human Rights Review Tribunal was required to make such decisions – now it will hear any appeal of a decision by the Commissioner.
Cross-border protection and extra-territorial application
The Act contains a new privacy principle 12, which requires agencies to ensure that any information sent overseas is protected by privacy standards in that jurisdiction that are similar to the safeguards under New Zealand privacy law, or seek the individual's express authority to make the overseas disclosure if that is not the case. Further, if an offshore entity provides goods or services in New Zealand, that provider is required to comply with New Zealand privacy laws as it is considered to be ‘carrying on business' in New Zealand (even if it does not have a physical presence in New Zealand). It is therefore essential for any entity doing business in New Zealand to understand the application of, and be familiar with their obligations under, the new Act.
The Act also introduces criminal penalties (up to NZ$10,000) for: destroying documents that contain personal information (after there has been a request for access to that information); and misleading an agency that holds another person's personal information in a way that affects the person's information (for example, impersonating another person in an attempt to access their information).