View all Insights

Navigating New Zealand's New Privacy Arena

Navigating New Zealand's New Privacy Arena

Tuesday, June 30, 2020
Written by:
Andrew Knight

In a world that is placing an increasing reliance on technology and value in data, it is hardly surprising that New Zealand's outdated Privacy Act 1993 ("Act") is scheduled to be replaced on 1 December 2020 in its entirety by the Privacy Bill ("Bill") which is currently making its way through the final stages of Parliament.

What Suite of Changes Does the new Act Include?

Mandatory Reporting Requirements

There is a new mandatory reporting regime for notifiable breaches of privacy and this is the Bill's most significant change. Data breaches will be notifiable to both the Privacy Commissioner and affected individuals if the breach has caused, or is likely to cause, “serious harm”. This "serious harm" threshold draws from the Australian threshold for data breach reporting and we await further guidance on this requirement via the Courts.

The new requirement means organisations should begin to update their privacy policies and processes to deal with the prospect of a notifiable breach, by 1 December 2020. Some considerations in the interim could include implementing a data breach response team to deal with these new reporting requirements and organisations could also start developing processes to assist with identifying, reporting and examining a personal data breach - in order to ensure they can meet reporting obligations.

Recent trends in similar jurisdictions such as Australia and the UK have seen a significant increase in the reporting of breaches – for example, in Australia the spike in breach reporting was more than 75%.

Cross Border Data Exchange

You will need to know if your organisation sends any data overseas – and might be surprised to learn where your client or employee data ends up being stored or processed by your service providers (such as cloud service providers or even directly).

If you are an offshore agency and you carry on business in New Zealand, you will also be subject to the new Bill. It is therefore worth reviewing any service provider arrangements that you may be a party to which involve the sharing, storage or processing of your data to assess whether they might involve the disclosure of your data to a "foreign person or entity". These amendments seek to align the Bill's application with the position of the General Data Protection Regulation (GDPR) and Australia's Privacy Act.

Compliance Notices

The Privacy Commissioner will be able to issue a compliance notice for an organisation to do, or cease doing, something in order to comply with the new Act.

Compliance notices must be published publicly with a statement that includes details about the identity of the agency and the extent of the breach, unless publication would cause undue harm that outweighs the public interest. If an agency does not comply with a compliance notice, it can be enforced by the Privacy Commissioner through the Tribunal and failure to comply with a compliance notice could result in a fine of up to $10,000.00.

Privacy Commissioner's New Muscle Flex

Globally, 2019 demonstrated the teeth of Europe's GDPR and the willingness of data regulators to use and enforce the resources available in its armoury. This included significant fines levied against heavyweight Facebook, as well as sanctions imposed on British Airways and Marriot Hotels for data breaches involving customer's personal information.

New Zealand's own Privacy Commissioner, John Edwards, is likely to be eager to test his own more limited range of enforcement options including:

• The ability to make binding information access determinations, following requests made by individuals;

• Issuing compliance notices that require an agency to do (or cease doing) something that is inconsistent with the privacy principles; and

• The right to 'name and shame' agencies that are the subject to compliance notices (this reputational impact may be significant for businesses in New Zealand's small market).

The Privacy Commissioner is aware that he does not possess the complete toolkit on his own to protect the privacy of individuals whose personal information is collected by agencies. The Commissioner has often argued for stronger measures to use at his disposal to help fill this enforcement void. The first port of call by the Privacy Commissioner may well be the New Zealand Commerce Commission - which is already starting to focus on privacy issues and as comparable international experience indicates, it is likely to have a role to play in the privacy realm in the not too distant future.

Our team at McVeagh Fleming is ready to assist organisations with guidance on the best forms of compliance with the new Act.

In the meantime, if you have any questions relating to the changes brought into effect under the new Act, or how they relate to you or your business, please contact us on the details below:   

Andrew Knight on (09) 306 6730 (aknight@mcveaghfleming.co.nz)

See our Expertise page

Privacy and Data Protection

© McVeagh Fleming 2020

This article is published for general information purposes only.  Legal content in this article is necessarily of a general nature and should not be relied upon as legal advice.  If you require specific legal advice in respect of any legal issue, you should always engage a lawyer to provide that advice.

Recent Posts

Beyond Paper: the Power of Implied Agreements
Holding Overseas Manufacturers Accountable
Accredited Employer Work Visa – New business issues, and the application of compliance for all
Construction contract disputes
Can bad behaviour cost you during divorce or separation?
Legislative gap leaves New Zealand exposed to deepfakes
Maintenance after the end of a relationship
Earthquake-prone buildings: Are you on shaky ground?
Selling a business (pet treats) and the consequences of misrepresentation
A large compensation payment for bullying
Subscribe to Updates

Related Topics

Privacy & Data Protection

All Topics

Anti-Money Laundering
Banking & Finance
Bankruptcy & Personal Insolvency
Business & Corporate
Care of Children
Commercial & Consumer Law
Commercial Contracts
Commercial Land & Property Disputes
Commercial Property & Bodies Corporate
Company
Company & Corporate Structuring
Company & Shareholders
Construction & Building Matters
Construction & Property Disputes
Consumer & Fair Trading Claims
Contract Law
Countering Financing of Terrorism
Covid-19 updates
Criminal & Traffic Offences
Developments
Disruptive Innovation
Domestic Violence
Employment - Employees
Employment - Employers
Enforcement of Guarantees
Estate Administration
Family Law & Relationship Property
Family Protection Act
Family Violence
Financial Adviser & Financial Service Provider Compliance & Advice
Guarantees
Immigration
Incorporated Societies
Insolvency & Debt Recovery
Intellectual Property
Land & Property Disputes
Litigation & Disputes
Maritime Law
Mergers, Sales & Acquisitions
Money Claims
Notary Public
Offers of Financial Products & Financial Markets Advice
Personal
Privacy & Data Protection
Property
Relationship Property
Residential Property – Buying & Selling
Resource Management & Environmental Issues
Resource Management, Subdivisions & Environmental Issues
Securities Law
Separation & Dissolution (Divorce)
Telecommunications Law
Trusts
Trusts & Estate Litigation
Wills & Enduring Powers of Attorney

Subscribe to receive updates

I would like to receive updates for:
Thank you for subscribing. Your submission has been received!
Oops! Something went wrong while submitting the form. Please try again.
AUCKLAND : +64 9 377 9966
NORTH HARBOUR : +64 9 415 4477
MANUKAU : +64 9 262 0330
Translation:
Terms of usePrivacy Policy
©2024 McVeagh Fleming
All rights reserved