On 1 December 2020, the Privacy Act 2020 will repeal and replace the Privacy Act 1993. As the Privacy Commissioner put it “the new Privacy Act provides a modernised framework to better protect New Zealanders’ privacy rights in today’s environment”.
Whilst many will find that the new Act still lacks teeth, particularly by international standards, given that fines will not exceed $10,000 per breach, it also imposes more stringent obligations on businesses and gives new enforcement powers to the Privacy Commissioner and the Human Rights Review Tribunal.
Non-compliant businesses will be exposed. Now is a good time to prepare; 1 December is less than four months away.
1. Harmful privacy breaches to be notified (Part 6 of the new Act – ss 112-122)
Businesses will be required to notify the individuals affected and the Privacy Commissioner of any privacy breach that causes serious harm, or is likely to cause serious harm, to those individuals. It will be an offence not to do so (with a fine of up to $10,000).
2. Compliance notices (Part 6 – ss 123-135)
The Commissioner will be able to issue notices to businesses which are considered to breach the new Act and require them to remedy the breach. If a business fails to comply with a notice the Commissioner will be able to take enforcement proceedings in the Human Rights Review Tribunal (which could end up with the Tribunal imposing a fine of up to $10,000).
Steps businesses should take:
- The appointment of a Privacy Officer;
- Criteria to assess whether a breach is serious enough to be notified to affected parties and the Commissioner;
- A step-by-step plan to deal with privacy breaches and compliance notices with a clear framework and responsibility chart to investigate, contain, respond (including mitigating any bad publicity) and remedy a breach.
Again, whilst the financial liabilities are low, the reputational impact of a privacy breach in a small country like New Zealand should not be underestimated.
3. Complaints to and investigations and decisions by the Commissioner (Part 5 – ss 70-96)
The Commissioner will be given broader powers to investigate complaints. The Commissioner may summon and examine on oath any person, and may require information and documents from any person. Complaints about access to personal information will be adjudicated by the Commissioner (rather than the Human Rights Review Tribunal) with binding access determinations (which can still be appealed to the Tribunal).
Steps businesses should take: Set out clear processes and make sure your Privacy Officer and other key staff are adequately trained to deal with complaints and investigations and interact with any aggrieved parties, the Privacy Commissioner and the media.
4. Increased obligations when storing information outside of New Zealand (Part 8 – ss 192-200)
Businesses in New Zealand may only transfer personal information to foreign countries whose privacy laws provide safeguards comparable to those available in New Zealand. This includes ensuring that an overseas service provider (such as a cloud service provider) complies with New Zealand privacy laws.
Steps businesses should take: Make sure you understand what data you collect, how it’s used, which third parties hold it and where. Check your agreement(s) with cloud service providers.
Whilst not truly transformative, the Privacy Act 2020 is a big step forward for New Zealand privacy laws. It is still not as stringent as the now well-known European Union General Data Protection Regulation (the ‘GDPR’, with its fines of up to 20 million euros), to which many New Zealand businesses have already adapted.
Still, businesses will need to pay attention to the new requirements of the Privacy Act 2020 and the risks they introduce. They should be prepared by educating themselves, training their staff and reviewing and updating their processes and internal policies. Transparency, ease of access and security when collecting, using, storing, and disclosing information are paramount.