Significant changes to NZ’s Privacy Act - but where is the bite?

After a lengthy process (dating as far back as 1998, depending on how you measure it) the Privacy Bill, which amends the Privacy Act 1993, has finally made its way through Parliament, receiving Royal Assent on 30 June 2020.   

The amendments, which come into effect on 1 December 2020, introduce some of the most significant changes to New Zealand's privacy law since the enactment of the Privacy Act, including:

• mandatory data breach reporting; 
• restrictions on offshore transfers of personal information; and 
• clarifications on the extraterritorial scope of the Privacy Act.

However, Parliament has deliberately chosen not to align the Privacy Act with international precedent in terms of broader data subject rights or large fines for non-compliance. This means the Privacy Act remains a bit of a ‘toothless tiger’ relative to other global data protection laws.

The changes come at a time where the data protection landscape is changing rapidly, both in New Zealand and globally. Cybersecurity and data protection are now some of the biggest issues facing local and international businesses.  With the:

• ever increasing risk of cyber threats (just look at the large uptick in cybercrime during the COVID-19 pandemic); 
• media attention given to data breaches and the increased risk of reputational harm; and 
• international regulators starting to wield the big sticks they have been given under laws like the GDPR (in the form of eye-watering fines),

this should be firmly on your radar!

The key changes

Data breach reporting

The mandatory data breach reporting regime will see New Zealand move closer to international best practice.  Under the new laws, any organisation that suffers a data breach that has caused or is likely to cause serious harm to affected individuals will be required to notify the Privacy Commissioner and the relevant individuals.  The Privacy Act includes guidelines for assessing the likelihood of serious harm, including: 

• any action taken to reduce the risk of harm following the breach;
• whether the personal information is sensitive in nature;
• the nature of the harm that may be caused to affected individuals;
• who obtained (or could obtain) the personal information as a result of the breach (if known); and
• whether the personal information is protected by a security measure.

There are some circumstances where individuals do not have to be notified, or notification can be delayed.  An example given by the Justice Committee following its review of an earlier draft of the amendments is that if an organisation’s security systems were shown to be vulnerable as a result of a privacy breach, notification could risk wider exploitation of the vulnerability, and should be delayed to prevent the risk of more harm (though the Privacy Commissioner would still need to be notified).  However, the Committee made it clear that protecting the organisation’s reputation would not be a good enough reason to delay notification.

Cross-border data flows

The changes introduce restrictions on overseas disclosure of personal information.  Unless the relevant individual has authorised disclosure outside New Zealand, the disclosing party will need to ensure that the information will be protected by safeguards comparable to New Zealand’s privacy laws before transferring it offshore.  Examples of how this can be achieved are:

• imposing contractual data protection obligations on the recipient comparable to the protections in the Privacy Act; or
• ensuring the recipient is subject to laws of another jurisdiction that provide comparable protection to the Privacy Act (countries can be ‘whitelisted’ in regulations, which will have a similar effect to a GDPR adequacy decision).

Importantly, the transfer of personal information to an offshore data processor (eg a cloud storage provider) will (usually) not constitute an overseas disclosure.  This is an important exception given that none of the major public cloud service providers have datacentres in New Zealand (though Microsoft has recently announced plans for an Azure datacentre in New Zealand).

Extraterritorial scope

The Privacy Act now expressly states that it will apply to any actions taken by an overseas organisation in the course of carrying on business in New Zealand, regardless of where the information was collected or held and where the person to whom the information relates is located.  An organisation would be treated as carrying on business in New Zealand whether or not it has a physical place of business here, charges any monetary payment for goods or services, or makes a profit from its business here. 

What’s missing?

The amendments give some limited additional powers to the Privacy Commissioner, such as the ability to issue compliance notices and demand release of personal information in certain circumstances.  However, controversially, the amendments do not go as far as fully aligning the Privacy Act with other highly-publicised data protection laws such as the EU’s GDPR and California’s CCPA.  Most notably:  

• the Privacy Commissioner does not have the ability to hand out the massive fines we have been seeing for privacy breaches in the UK, EU and USA; and
• individuals do not have the same rights as data subjects in other countries, such as the ‘right to be forgotten’ or the right to data portability.  

Whether this will impact New Zealand’s adequacy decision under GDPR, or otherwise affect data flows between us and our major trading partners, remains to be seen.

What do you need to do?

With the challenges we’re all facing in the current environment, December may seem like the distant future. However, for most organisations, there will be significant systems and process changes required to ensure compliance - don't leave it too late! 
 
For more information on the impending changes and what you should be doing to ensure compliance, please get in touch.