The long-awaited amendment in the New Zealand Privacy Bill, which proposes amendment in the Privacy Act 1993, finally got a green flag in the parliament in June this year. The said amendments come into effect on 1st December 2020, and are expected to bring about some of the most significant changes in the New Zealand Privacy Law till date.
These changes come at an exciting time, when the global data protection landscape is witnessing significant disruption. With ever-growing cyber threats and stringent media attention on data breaches, cybersecurity and data protection are getting major attention from businesses across the globe.
Seeing how the changes introduced as a part of this data protection act can transform the New Zealand data privacy law, it becomes imperative to understand them in detail.
Significant Reforms Listed in the Updated NZ Data Privacy Law
International Data Flow
The New Zealand Privacy Act 2020 proposed update restricts disclosure of personal data outside of New Zealand, without prior authorization from relevant individuals. In case of any offshore data transfer, the disclosing party must ensure that the information is protected by safeguards comparable to New Zealand’s privacy laws.
Some ways organisations can become compliant with this update include –
- imposing contractual data protection obligations on the recipient comparable to the protections in the Privacy Act; or
- ensuring the recipient is subject to laws of another jurisdiction that provide comparable protection to the Privacy Act (countries can be ‘whitelisted’ in regulations, which will have a similar effect to a GDPR adequacy decision)
However, this update comes with an exception – if the personal information is transferred to an offshore data processor, it does not constitute an overseas disclosure.
Mandatory Data Breach Reporting
This is an international best practice that has been incorporated into the New Zealand data privacy law. According to the new update, if there is a data breach that causes or can cause serious harm to involved individuals, the responsible organisation must inform the Privacy Commissioner and the affected individuals. The act also lists some guidelines to assess the harm done by a breach –
- any action taken to reduce the risk of harm following the breach;
- whether the personal information is sensitive in nature;
- the nature of the harm that may be caused to affected individuals;
- who obtained (or could obtain) the personal information as a result of the breach (if known); and
- whether the personal information is protected by a security measure.
Again, there is an exception to this amendment. The update lists a few circumstances where companies may delay notifying the individuals or not notify them at all in case of a breach. Here is what an instance stated by the Justice Committee following its review of an earlier draft of the amendments said – if an organisation’s security systems were shown to be vulnerable as a result of a privacy breach, notification could risk wider exploitation of the vulnerability, and should be delayed to prevent the risk of more harm (though the Privacy Commissioner would still need to be notified).
It was, however, made clear by the Committee protection of its reputation is not a reason good enough to delay notifying the affected parties.
It has been explicitly stated in the Privacy Act that it is applicable to any actions that an overseas organisation will take while conducting business in New Zealand, irrespective of where the information was collected or where the data subject is from. The definition of an organisation carrying business in New Zealand is if it earns money in exchange for goods or services, or makes profit from its business there.
Fines and Penalties: New Zealand Privacy Act 2020
The 2020 update of the NZ Privacy Act states that if an organisation fails to comply with the law or misleads another organisation/individual in a way that affects personal information, it can be levied with a fine of up to $10,000. While some may argue that this financial penalty isn’t enough, it is the potential damage to the reputation of the organisation that can be a cause of concern for those who are non-compliant. This can be better understood in the words of John Edwards, New Zealand’s privacy commissioner – “We have a fairly high trust environment [in New Zealand], so the reputational harm of a commissioner declaring a company as non-compliant should be an incentive. That’s what we will work with—that’s the assumption that we will test. Our powers of persuasion, our ability to make findings and to issue compliance notices should be able to give New Zealanders the confidence they need to deal in the digital economy.”