The Privacy Bill tabled by Justice Minister Andrew Little this week will increase the Privacy Commissioner's powers and strengthen privacy protections.

The changes will align New Zealand more closely with comparable regimes but do not go as far as the Privacy Commissioner would have liked.

No date has been set for submissions as yet. We will update you on the timetable once it is known.

Key changes

  • The Privacy Commissioner will be able to make binding decisions on complaints about access to information and issue compliance notices. A compliance notice may require an organisation or individual to undertake or to desist from certain actions. They can be enforced by, and appealed to, the Human Rights Review Tribunal (HRRT).
  • Mandatory reporting to the Privacy Commissioner and to affected individuals of any unauthorised access to, or disclosure of, personal information which has caused the individual harm.
  • A requirement on New Zealand agencies to take reasonable steps to ensure that any personal data disclosed overseas will be subject to acceptable privacy standards. The Bill also clarifies the application of New Zealand law when a New Zealand agency engages an overseas service provider.
  • It will be a criminal offence to obtain another person's private information by deceit or to knowingly destroy documents which are under request by the Privacy Commissioner. Committing these offences will attract a fine of up to $10,000.
  • Strengthened information gathering powers for the Privacy Commissioner by:
    • shortening the timeframe for compliance, and
    • increasing the penalties for non-compliance.

Major elements of the current Act will be retained – in particular, the 12 privacy principles.

Chapman Tripp comments

The rewrite of the Act is well overdue and has taken a long time to get to this point. The National government signed off on a reform package in March 2014 but failed to deliver a Bill.

Clearly the Labour-led government has given the issue a higher priority, but the Bill is modest in scope compared to other jurisdictions and to what the Privacy Commissioner has been pushing for.

In his 2016 recommendations, for example, the Privacy Commissioner recommended civil penalties for privacy breaches of up to $100,000 for individuals and $1 million for corporates, and enshrining data portability as a consumer right.

However, our understanding is that the Bill is a work in progress and that much will depend on the submissions to the select committee. We urge you to engage with the process if you want your views reflected in the legislation.
