New Zealand’s 2020 Privacy Act Lifts Compliance Standard in Region

From 1 December 2020, the Privacy Act 2020 (NZ) will repeal and replace the current Privacy Act 1993, representing a once-in-a-generation overhaul of New Zealand’s privacy laws. The new Privacy Act 2020 introduces important changes with extraterritorial reach. These include regulating the sending of personal information overseas, New Zealand’s first data breach notification regime, new criminal offences and much more. 

Whether you are a business operating exclusively in New Zealand, or an Australian business with a presence in New Zealand, the new Privacy Act 2020 (PA 2020) will impact your business as a new era of privacy regulation dawns in New Zealand. Tyrilly Csillag and Andrew McDonald (Practical Law, Australia) caught up with Abigail Milburn (Practical Law, New Zealand) and Louise Sinclair (Practical Law, Australia) to take a closer look at the changes. 

Extraterritorial reach  

The PA 2020 now expressly provides for extraterritorial application: an overseas business or organisation that carries on business in New Zealand will be subject to the obligations imposed by the new law, whether or not it has a place of business in New Zealand (section 4, PA 2020). 

Country’s first mandatory data breach notification regime 

For the first time, New Zealand businesses will be required to notify the Privacy Commissioner as soon as reasonably practicable after becoming aware that a notifiable privacy breach has occurred (section 114, PA 2020). A notifiable privacy breach broadly means a breach that causes (or is likely to cause) serious harm to an affected individual or individuals (section 112(1), PA 2020).

“Businesses operating in New Zealand will have a lot at stake if they fail to update their data breach response plan. Employees and business leadership need to get up to speed now on compliance with the new Privacy Act 2020 as we enter this new phase of data protection.” 

– Abigail Milburn, Senior Writer, New Zealand, Practical Law 

Failure to notify the Privacy Commissioner will be an offence that will potentially result in a conviction and fine of up to NZD 10,000, unless there is a reasonable excuse for failing to notify (section 118, PA 2020). 

New Zealand businesses will also need to notify affected individuals as soon as practicable after becoming aware that a notifiable privacy breach has occurred, unless an exception applies (section 115(1), PA 2020).  

Restrictions on sending personal information outside of New Zealand 

The PA 2020 introduces new Information Privacy Principle 12 (IPP 12), which lists circumstances in which an agency may disclose personal information to a foreign person or entity. This includes, for example, where the receiving foreign person or entity is subject to privacy laws comparable to those in New Zealand (paragraph (1)(c) of IPP 12, section 22, PA 2020).

Criminal offences update

New offences with fines of up to NZD 10,000 will be introduced, including the offence of misleading an agency in order to gain access to another person’s personal information (section 212(2)(c), PA 2020), and the offence of a business destroying personal information in response to a request from an individual to seek access to that personal information (section 212(2)(d), PA 2020). 

Other new criminal offences in section 212 include (in summary): 

  • Obstructing, hindering or resisting the Privacy Commissioner (or any other person) in the exercise of their powers. 
  • Refusing or failing to comply with directions from the Privacy Commissioner. 
  • Making knowingly false or misleading statements to the Privacy Commissioner. 
  • Making false representations about holding authority under the PA 2020. 

Heightened powers for the Privacy Commissioner 

The Privacy Commissioner will be authorised to issue compliance notices to businesses or organisations to require them to do something, or cease doing something, in order to comply with the PA 2020 (section 123, PA 2020). 

As part of investigating access complaints, the Privacy Commissioner will also have authority to make enforceable access directions to direct organisations to provide individuals with access to their personal information (section 92, PA 2020). 

Adequacy status under the GDPR 

In enacting the PA 2020, New Zealand’s Parliament paid particular attention to the global context of privacy law reform, particularly the European Union (EU) General Data Protection Regulation (GDPR) and recent changes to Australian privacy laws. This global context is expressly contemplated in the purposes of the PA 2020, which include promoting and protecting individual privacy by giving effect to internationally recognised privacy obligations and standards, including the OECD Guidelines and the International Covenant on Civil and Political Rights (section 3, PA 2020).  

The European Commission (EC) has previously adopted a decision that, for the purposes of Article 25(2) of Directive 95/46/EC of the European Parliament and of the Council (Data Protection Directive), New Zealand is considered as ensuring an adequate level of protection for personal data transferred from the EU (see European Commission: Commission Implementing Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by New Zealand (19 December 2012)).  

The EC reviews its adequacy decisions periodically, and adequacy decisions adopted under the Data Protection Directive remain in force until amended, replaced or repealed (Article 45(9), GDPR). For the time being, the 2012 decision remains in force. This means that, for the purposes of Article 45(1) of the GDPR, a transfer of personal data from the European Economic Area to New Zealand may take place without any specific authorisation. 


What do the changes mean for Australian businesses?

Given the express extraterritorial reach of the PA 2020, Australian businesses should consider the extent to which obligations which will be imposed by the PA 2020 might extend to impact their operations. 

“Australian businesses that collect or store the personal information of New Zealanders, or carry on business in New Zealand, will need to consider how these new obligations apply to their business.” 

– Louise Sinclair, Senior Writer, Commercial, Practical Law

For example, Australian businesses should consider whether their internal privacy practices, processes and policies will need to be reviewed and updated. They should also consider whether their data breach response plan is compliant with the PA 2020.  

Legal guidance resources

A table comparing the Privacy Act 1993 with the PA 2020, prepared by the Office of the Privacy Commissioner (OPC) with Practical Law New Zealand, is freely accessible online.  

Additionally, an overview of New Zealand’s privacy laws, including extensive discussion of the new PA 2020, written by Hayley Miller, Partner and Campbell Featherstone, Senior Associate with assistance from Emily Tombs, Solicitor, all of Dentons Kensington Swan is available for Practical Law Australia and New Zealand subscribers.


Tyrilly joined Practical Law from IBM, where she held the role of Managing Counsel for the A/NZ Legal Team supporting IBM’s consulting services, hardware, and software licensing transactions, with special responsibility for Privacy, Data Incidents, and Cybersecurity. She also managed lawyers practising in both the A/NZ and Asia Pacific legal teams. Tyrilly has extensive practical technology law experience, having negotiated multimillion-dollar private sector and government projects, reseller/channel partnerships agreements and resolved IT disputes. She has over 10 years’ commercial experience in both private practice and in-house, advising on IP and related litigation, as well as a strong knowledge of marketing law and media regulation from her time as in-house counsel at Foxtel.
