Protecting Your Personal Information in the Digital Age - Privacy Law Reform


What you need to know about the new Privacy Act


From 1 December 2020, the Privacy Act 2020 (“the Act”) will replace the Privacy Act 1993 (“the 1993 Act”). The Act introduces sweeping reform to promote New Zealanders’ confidence that their personal information is secure and treated properly by public and private sector agencies.

Easing the tracking leash

In the wake of COVID-19, there has been an acute awareness of privacy implications from the handling of personal information. Most of us have used, or certainly heard about, the Ministry of Health’s NZ COVID Tracer app. It has been rolled out to protect our family, friends and community by providing a means to exchange our personal information for comprehensive contact tracing to suppress the pandemic.

While this unprecedented example has drawn widespread attention, personal information in the Digital Age is constantly collected, stored, and distributed in many ways, often plucked away without our knowledge.

Think of everyday actions – sharing a photo on social media; taking a trip with a rideshare app; browsing for a gift online; or simply unlocking your phone using a fingerprint scanner or facial recognition. These actions may attract an occasional privacy afterthought, though it is important to remember that in every occurrence you are freely providing personal information to an entity you cannot ultimately control.

To address the obscurities of the Digital Age, the Act will ensure proper treatment of personal information by these entities, meeting New Zealanders’ call for strengthened privacy regulation at a critical time.

Transition to the new Act

Reform was long anticipated, with many changes stemming from the Law Commission’s 2011 privacy law review. The Act will modernise privacy law, while maintaining the principles-based approach of the 1993 Act.

The Information Privacy Principles (“IPPs”) maintained in the Act were established in 1993 with respect to:

  • Agencies’ collection, storage, use, and disclosure of information relating to individuals; and
  • Individuals’ rights to access and correct information about themselves.

The Act revises how IPPs are enforced and provides the Commissioner with greater enforcement powers.

Key changes in the Privacy Act 2020

1. Mandatory reporting of notifiable privacy breaches

An agency must report a privacy breach and details of the affected individual to the Commissioner, if it reasonably believes the breach has caused, or is likely to cause, serious harm.

This has raised the standard of privacy reporting. Agencies must consider the nature of the personal information and harm in determining whether there has been a notifiable privacy breach.

2. Overseas extension of the Act

The Act will extend and apply to:

  • Overseas agencies conducting business in New Zealand; and
  • Action or personal information held or collected overseas by agencies conducting business in New Zealand.

This means, for example, that the Commissioner has greater ability to contend with potential privacy breaches of large multinationals that operate in New Zealand, like Facebook or LinkedIn.

3. Offshore data protection

The Act creates a prohibition on unpermitted cross-border disclosure of personal information.

The extraterritorial effect of the Act means personal information may only be disclosed to an agency outside of New Zealand if the receiving agency is subject to similar protections to those under the Act.

4. Increased fines

Offences under the Act will attract a fine of up to $10,000 (an increase from $2,000 under the 1993 Act). However, this is insignificant compared to the Commissioner’s request to levy fines for harmful breaches of up to $100,000 for individuals and $1 million for body corporates (as is the case in Australia).

5. Enforcement powers of the Privacy Commissioner

The Commissioner will have the power to issue compliance notices and make binding decisions on information access requests.

6. Protecting children and young persons

Agencies must specifically consider the vulnerability of children and young persons when collecting personal information fairly and by lawful means.

See here for a detailed breakdown comparing both Acts, issued by the Office of the Privacy Commissioner (“the Commission”).

What do these changes mean for New Zealand businesses?

If an organisation or business has, or suspects, a notifiable privacy breach capable of serious harm, it must advise the affected individual and the Commission. The Commission will be launching an online privacy breach notification scheme. In the meantime, guidance on handling privacy breaches can be found here.

Agencies in New Zealand must take reasonable steps to ensure personal information stored here is kept secure, and personal information sent overseas is safeguarded by comparable privacy standards.

Businesses should consider the importance of integrating privacy frameworks in order to align with the expectations of reporting and protections under the Act. The increased prevalence of privacy concerns in our digital world calls for businesses to innovate in ways that are consistent with privacy values in the Act.

If you would like to know more about protection and access to personal information, or require assistance in ensuring your business’ privacy policy complies with the new legislation, please contact Jaesen, Jono, or Sean.