The new Privacy Act 2020 (Act) came into force on 1 December 2020, replacing the 27-year-old Privacy Act 1993. The new Act is intended to be better suited to the digital age, in which new technologies such as social media platforms, e-commerce, and cloud storage have transformed the way personal information is used. Many of the reforms attempt to better align New Zealand privacy law with the GDPR.

The Act makes six main changes:

Mandatory notification

Agencies must notify privacy breaches causing serious harm to the Office of the Privacy Commissioner (OPC) and the affected individual, subject to exceptions such as where notification would endanger a person’s safety or reveal a trade secret. If it is not reasonably practicable to notify an affected individual, the agency must give public notice instead. Failure to notify without reasonable excuse is an offence. Failure to notify may also amount to an interference with the privacy of an individual (which can entitle the individual to civil remedies).

The OPC has created an online tool, NotifyUs, to help agencies determine whether a privacy breach is notifiable and to allow notifiable privacy breaches to be reported to the OPC online.

Enforceable compliance notices

The Privacy Commissioner gains the power to issue compliance notices requiring an agency to comply with the Act. The Privacy Commissioner can enforce compliance notices through proceedings in the Human Rights Tribunal (HRT), which can order the agency to comply with the notice. Failure to comply with the HRT order without reasonable excuse is an offence. The Privacy Commissioner will likely issue guidance about how it will use this enforcement power.

Binding access directions

The Privacy Commissioner can now make binding decisions on complaints relating to access to information (IPP 6) by issuing an access direction requiring an agency to release personal information to an individual. Aggrieved individuals can apply to the HRT for an access order requiring the agency to comply with the access direction. Failure to comply with an access order without reasonable excuse is an offence.

Disclosing information overseas

A new information privacy principle (IPP 12) requires agencies to ensure that personal information disclosed to foreign entities will be subject to safeguards comparable to those that apply under the Act. This may be achieved by contract in countries that allow the contract to be enforced. IPP 12 does not apply in certain situations, for example when disclosure is to the individual who is the subject of the personal information.

Extraterritorial effect

The Act now explicitly applies to overseas agencies to the extent they collect information in the course of carrying on business in New Zealand, even if they have no physical presence here. This means the Act can apply to businesses like Facebook and Google.

Criminal offences

New criminal offences apply, including for impersonating a person to gain access to their personal information and destroying personal information knowing that a request has been made for that information. The fine for all criminal offences in the Act is raised to $10,000.

A copy of the Act is available on legislation.govt.nz. More information about the Act and privacy obligations can be found on the Privacy Commissioner’s website.
