In a world that is placing an increasing reliance on technology and value in data, it is hardly surprising that New Zealand's outdated Privacy Act 1993 ("Act") is scheduled to be replaced on 1 December 2020 in its entirety by the Privacy Bill ("Bill") which is currently making its way through the final stages of Parliament.
What Suite of Changes Does the New Act Include?
Mandatory Reporting Requirements
The Bill's most significant change is a new mandatory reporting regime for notifiable privacy breaches. A data breach will be notifiable to both the Privacy Commissioner and the affected individuals if it has caused, or is likely to cause, "serious harm". This "serious harm" threshold draws on the Australian threshold for data breach reporting, and further guidance on how it will be applied is expected from the Courts.
The new requirement means organisations should begin updating their privacy policies and processes to deal with the prospect of a notifiable breach before 1 December 2020. In the interim, organisations could consider establishing a data breach response team to handle the new reporting requirements, and could start developing processes for identifying, reporting and examining a personal data breach so that they can meet their reporting obligations.
Recent trends in comparable jurisdictions such as Australia and the UK show a significant increase in the reporting of breaches; in Australia, for example, breach reporting rose by more than 75%.
Cross Border Data Exchange
You will need to know whether your organisation sends any data overseas, and you might be surprised to learn where your client or employee data ends up being stored or processed, whether directly or by your service providers (such as cloud service providers).
If you are an offshore agency and you carry on business in New Zealand, you will also be subject to the new Bill. It is therefore worth reviewing any service provider arrangements that you may be a party to which involve the sharing, storage or processing of your data to assess whether they might involve the disclosure of your data to a "foreign person or entity". These amendments seek to align the Bill's application with the position of the General Data Protection Regulation (GDPR) and Australia's Privacy Act.
The Privacy Commissioner will be able to issue a compliance notice for an organisation to do, or cease doing, something in order to comply with the new Act.
Compliance notices must be published, together with a statement that identifies the agency and describes the extent of the breach, unless publication would cause undue harm that outweighs the public interest. If an agency does not comply with a compliance notice, the Privacy Commissioner can enforce it through the Tribunal, and failure to comply could result in a fine of up to $10,000.00.
Privacy Commissioner's New Muscle Flex
Globally, 2019 demonstrated the teeth of Europe's GDPR and the willingness of data regulators to use the enforcement tools in their armoury. This included significant fines levied against heavyweight Facebook, as well as sanctions imposed on British Airways and Marriott Hotels for data breaches involving customers' personal information.
New Zealand's own Privacy Commissioner, John Edwards, is likely to be eager to test his own more limited range of enforcement options including:
• The ability to make binding information access determinations, following requests made by individuals;
• Issuing compliance notices that require an agency to do (or cease doing) something that is inconsistent with the privacy principles; and
• The right to 'name and shame' agencies that are the subject of compliance notices (this reputational impact may be significant for businesses in New Zealand's small market).
The Privacy Commissioner is aware that he does not possess the complete toolkit on his own to protect the privacy of individuals whose personal information is collected by agencies, and has often argued for stronger measures at his disposal to help fill this enforcement void. His first port of call may well be the New Zealand Commerce Commission, which is already starting to focus on privacy issues and, as comparable international experience indicates, is likely to have a role to play in the privacy realm in the not too distant future.
Our team at McVeagh Fleming is ready to assist organisations with guidance on the best forms of compliance with the new Act.
In the meantime, if you have any questions relating to the changes brought into effect under the new Act, or how they relate to you or your business, please contact us on the details below:
© McVeagh Fleming 2020
This article is published for general information purposes only. Legal content in this article is necessarily of a general nature and should not be relied upon as legal advice. If you require specific legal advice in respect of any legal issue, you should always engage a lawyer to provide that advice.