What happened?

On 1 December 2020, the long anticipated Privacy Act 2020 (Privacy Act) came into force in New Zealand. The Privacy Act significantly enhances New Zealand's privacy regime and sees the introduction of additional privacy obligations and compliance requirements. The extraterritorial scope of the Privacy Act is an issue relevant for all organisations operating in New Zealand, regardless of where they are headquartered.

What's new?

Key changes include the following:

  1. Extraterritorial scope – the Privacy Act clarifies that foreign organisations who "carry on business" in New Zealand will be subject to the Privacy Act in the same way that New Zealand based organisations are. Importantly, the definition of "carry on business" is broad. For example, this means organisations do not need to have a physical presence in New Zealand in order to be subject to the obligations imposed under the Privacy Act.
  2. Mandatory data breach reporting – in line with global trends, the Privacy Act enforces a mandatory obligation for entities to notify the regulator and affected individuals where a notifiable privacy breach occurs (the triggers for notification are discussed in greater detail, below).
  3. Restrictions on overseas transfers – the Privacy Act restricts the transfer of personal information outside of New Zealand unless certain requirements are met. For example, Information Privacy Principle (IPP) 12 sets out that organisations are restricted from disclosing personal information outside of New Zealand unless the receiving organisation is subject to safeguards comparable to those set out in the Privacy Act.
  4. Criminal Offences – the Privacy Act introduces new offences and fines where obligations under the Privacy Act are not complied with. For example, where misleading statements are made about how personal information will be handled. Unlike the massive penalty regimes privacy laws have imposed in Australia and the European Union (EU), the maximum fine for offences under New Zealand's Privacy Act is NZD$10,000; and
  5. Regulatory powers – the New Zealand Office of the Privacy Commissioner (OPC) will also be able to issue compliance notices if the OPC believes agencies are not complying with the obligations of the Privacy Act. These compliance notices are issued to require them to do something, or cease doing something, in order to comply with the Privacy Act.

What is considered to be a data breach in New Zealand and how does it compare to other jurisdictions?

Similar to the existing Australian and EU privacy regimes, the Privacy Act introduces an obligation on organisations to notify the OPC and affected individuals if a privacy breach has caused (or is likely to cause) serious harm to those individuals.

The difference, however, that makes this new scheme in New Zealand stand out from the rest, is the way that the Act defines a "privacy breach".

The existing Australian and EU counterparts generally refer to unauthorised access, disclosure or loss of personal information. However, the Privacy Act goes one step further to include an action that prevents the agency from "accessing the information on either a temporary or permanent basis". This will automatically bring ransomware incidents within the definition of "privacy breach" where under the existing Australian and EU regimes, further investigation is required to assess whether there has been access to or exfiltration of personal information as a result of that ransomware event.

These changes are a big shift from the previous voluntary reporting scheme that operated in New Zealand. Organisations will need to consider what steps and expertise it has in place in order to identify, respond and manage data breaches. Our specialist cyber team (see contact details below) are available to have a chat with you to discuss these steps, or to advise on any breach (or potential breach) more generally.

The Privacy Act compared

To summarise the similarities and key differences between the Australian, EU and New Zealand privacy regimes, below is a comparative snapshot of some of the key elements of each regime.

New Zealand - Privacy Act 2020

Australia - Privacy Act 1988 (Cth)

European Union - General Data Protection Regulation (GDPR)

Who regulates these laws?

The Office of the Privacy Commissioner.

The Office of the Australian Information Commissioner.

The application of the GDPR is monitored by the relevant "supervisory authority" in each EU (and European Economic Area) member state. For example, the United Kingdom's Information Commissioner's Office.

Who do these laws apply to?

Agencies, being any public or private sector organisation. Some exceptions exist, including for news media while gathering and reporting news.

APP entities, being agencies or an organisation with an annual turnover of more than AUD 3 million, or which fall under the Privacy Act because of the type of services provided (e.g. health services).

Data controllers, being any natural or legal person, public authority, agency or other body which determines the purposes and means of processing personal data; and

Data processors, which process personal data on behalf of the controller.

Do these laws apply outside the country or jurisdiction's borders?

  • The Act applies to New Zealand agencies regardless of where the information is collected or held; and overseas agencies collecting and holding personal information during the course of carrying on business in New Zealand.
  • incorporated in Australia; or
  • organisations or operators that carry on business in Australia and collect or hold personal information in Australia i.e. where there is an "Australian link" (this is a similar concept to the "carrying on business" requirement in the NZ Privacy Act).
  • are established within the EU;
  • are not established in the EU but which offer goods or services to individuals based within the EU; or
  • are not established in the EU but which monitor the behaviour of individuals in the EU.

What rights do individuals have?

Individuals rights generally include the right to:

  • access their personal information; or
  • have their data corrected (which may be made by way of a deletion), rectification, or update).
  • access their personal information; or
  • have their data corrected (which may be made by way of a deletion), rectification, or update).
  • access their personal data;
  • have their personal data corrected;
  • have their data erased;

What amounts to a reportable data breach?

A notifiable privacy breach occurs when there is an:

  • unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information; or
  • an action that prevents the agency from accessing the information on either a temporary or permanent basis; and
  • it is reasonable to believe that this will cause serious harm (or is likely to cause serious harm).
  • unauthorised access to, unauthorised disclosure of, or loss of, personal data held by an entity; and
  • the relevant entity has reasonable grounds to believe that the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
  • the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed; and
  • the breach is likely to result in a risk to the rights and freedoms of the individuals concerned.

Reporting timeline

Agencies must notify the Privacy Commissioner as soon as practicable after becoming aware that a notifiable privacy breach has occurred.

APP entities have up to 30 days to carry out a reasonable and expeditious assessment (subject to some exceptions).

Once an organisation determines that the breach is notifiable, the entity must notify the OAIC and individuals as soon as practicable (this is separate to the obligation to complete the assessment within the 30 days).

Controllers must notify the relevant supervising authority without undue delay and where feasible within 72 hours from awareness of the personal data breach.

While there is no prescribed timeline for notifying individuals (in high risk cases). However, the notification must be made without undue delay.

Maximum penalty

NZD$10,000.

AUD$2.1 million (this is currently under review).
  • €20 million; or
  • 4% of the organisation's total worldwide annual turnover of the preceding financial year.

What do you need to do?

Organisations currently operating in New Zealand (or with plans to enter the market) must have an understanding of the Privacy Act and the impact that its obligations may have on their operations.

This includes mapping key data assets and implementing processes to maintain compliance and respond to a security incident or a privacy breach.