12 March 2021
New Zealand has implemented a much-needed update to its main privacy law, the New Zealand Privacy Act. In effect from December 2020, the amendments bring New Zealand law a little closer to the strict standards of the EU General Data Protection Regulation (GDPR).
Key changes include a broad application that encompasses non-New Zealand businesses, privacy breach notification requirements, and a prohibition on certain transfers of personal information overseas.
This article will outline New Zealand's existing privacy principles, and take a close look at some of the new obligations.
Before we look at what's new in the 2020 act, we're going to look briefly at the "information privacy principles," most of which were introduced under the New Zealand Privacy Act 1993.
Note that the Act refers to the people and organizations to which it applies as "agencies." Agencies have responsibility for any personal information (which the Act defines as "information about an identifiable individual") they collect, hold or control.
The Act sets out 13 information privacy principles. One of these principles (number 12) is a new entry under the 2020 act.
What to tell an individual: When you collect personal information, you must tell the individual:
Access: Provide an individual with access to their personal information unless it would:
Disclosure: Only disclose personal information to a third party if:
Complying with all these principles is essential whenever collecting, storing, or otherwise using New Zealand residents' personal information.
Enter your email address where you'd like your policy sent, select translation versions and click "Generate."
Now let's look at the most significant changes to the New Zealand Privacy Act.
The New Zealand Privacy Act is now one of many privacy laws that applies both to domestic and foreign agencies.
An agency based outside of New Zealand must comply with the Act if it is "carrying on business in New Zealand in respect of personal information" the agency holds or collects, regardless of:
Where the agency:
Whether the agency:
The Act clearly attempts to apply as broadly as possible: any organization doing business in New Zealand must comply with it.
The Act makes some changes to the rules on when agencies must notify people about "privacy breaches."
"Privacy breach" means personal information has been subject to unauthorized or accidental:
"Privacy breach" can also mean any action that means an agency is permanently or temporarily unable to access personal information. A privacy breach can be caused by a person internal or external to the agency, and can be either ongoing or completed.
An agency must provide a privacy breach notification if it is reasonable to believe that the breach has caused serious harm to an affected individual(s) or is likely to do so.
Here's section 113 of the Act, which outlines how to assess whether a privacy breach is notifiable:
When assessing whether the privacy breach is likely to cause serious harm, you can consider the following factors:
If you suffer a notifiable privacy breach, you must notify the New Zealand Office of the Privacy Commissioner (OPC) "as soon as practicable" after you become aware of the breach. You can use the OPC's "NotifyUs" page for this.
Your privacy breach notice must contain:
A description of the breach, including:
Here's section 115 of the Act, which concerns the notification of individuals affected by a privacy breach:
You must notify the affected individuals as soon as practicable after you become aware of the breach, unless:
If either of the latter two points applies, you should consider whether you can notify the individual's representative, if they have one.
Your notice to individuals must contain:
The Act introduces new rules about transferring personal information out of New Zealand. This is a new "information privacy principle."
Here's information privacy principle 12, as it appears in the Act:
You cannot transfer personal information collected in New Zealand to a third party outside of New Zealand unless the recipient is covered by "comparable safeguards" to those imposed by the act. There are other exceptions which we'll cover below.
"Comparable safeguards" include the principles set out in Schedule 8 of the act:
The OPC hasn't yet provided a list of countries with "comparable safeguards." However, you may wish to consider the EU's list of countries in receipt of an "adequacy decision." The EU deems these countries have laws that are "essentially equivalent" to the GDPR.
If you need to transfer personal information to an agency in a country that doesn't have "comparable safeguards," you may do so only if one or more of the following applies:
The OPC can issue "compliance notices" to agencies failing to comply with the Privacy Act. This notice will require you to do something or stop doing something. It will provide steps you must take to meet your obligations and a deadline by which you must act.
The Act also introduces "access orders." The OPC can force you to provide and individual access to their personal information.
An agency can face a fine of up to $10,000 NZD (approx. $7,200 USD) if it:
We mentioned that the New Zealand Privacy Act brings Kiwi law a little closer to EU standards. However, the GDPR imposes more extensive obligations on businesses.
Here's a roundup of some of the key differences between the two laws.
|GDPR||New Zealand Privacy Act|
|Data breach requirements||
Transfers of personal data to non-EEA countries are prohibited unless:
Transfers of personal information to agencies outside of New Zealand are prohibited unless:
Two levels of penalties:
|Up to $10,000 NZD (approx. $7,200 USD)|
The New Zealand Privacy Act 2020 impacts on any business operating in New Zealand that processes personal information.
Key updates to the law include:
Agencies must report privacy breaches:
Agencies must not transfer personal information to third parties based overseas unless:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.