2020-03-26

The Office of the Privacy Commissioner of New Zealand (‘OPCNZ’) announced, on 18 March 2020, that the privacy bill (‘the Bill’) will commence on 1 November 2020, as set out in the supplementary order paper (‘the Paper’) tabled on 17 March 2020 by Justice Minister Andrew Little. In particular, the OPCNZ highlighted that one of the main changes introduced by the Bill will be the requirement for organisations to report serious privacy breaches to the OPCNZ and any affected individuals.

What are the main provisions that organisations need to be aware of?

The Bill seeks to repeal and replace the Privacy Act 1993 (‘the Act’), although the principles-based framework set out in the Act would remain. The Ministry of Justice of New Zealand highlighted that the changes in the Bill would strengthen privacy protections. In particular, the Bill aims to update the law to reflect new needs in the digital age. Furthermore, the reforms promote early intervention and risk management by agencies, rather than relying on complaints after a privacy breach has occurred. The Bill also seeks to enhance the role of the OPCNZ.

Breach notification

Under the Bill, organisations will be required to notify the OPCNZ and any affected individuals of a notifiable privacy breach, that is, a breach that has caused serious harm or poses a risk of causing serious harm. Clause 122 of the Bill would create an offence of failure to notify the OPCNZ of a notifiable privacy breach. Agencies that outsource their data storage or processing to another agency should be responsible for informing individuals of any notifiable breach, no matter which agency caused the breach. The Justice Committee notes that it is important for an outsourcing agency to have an agreement with its service provider about handling information, and this agreement should set out when the service provider will notify the principal agency about a privacy breach. For this matter, the Justice Committee recommends the implementation of a new clause to encourage such terms in agreements between agencies.

In addition, a reference to breaches of codes of practice (under the Bill) or codes of conduct (under other acts) has been added to Clause 124 of the Act. The publication of details of a compliance notice shall no longer be required as a default, but at the discretion of the OPCNZ. The OPCNZ can publish or delay publication of details if it believes such action would be desirable for the public interest.

Part 6, Subpart 2 of the Bill would allow the OPCNZ to issue a compliance notice requiring an agency to do something, prevent it from doing something, or comply with privacy laws. However, under Clause 129(A)(2), such information would not be published if it would cause the agency undue harm that outweighs the public interest.

Overseas agencies

The Justice Committee highlighted that the Bill should include a provision outlining whether and when it would apply to agencies that are outside of New Zealand. A New Zealand agency is defined as a public or private sector agency established under New Zealand law or having its central management and control in New Zealand, an individual who is ordinarily resident in New Zealand, or a court or tribunal (except in relation to its judicial functions). This definition excludes news media carrying out news activities, in order to enable them to perform their role of supporting the free flow of information to the public.

In this respect, the Justice Committee recommended the implementation of a Clause 3A, setting out that the Bill would apply to any actions by a New Zealand agency, whether inside or outside of New Zealand. It also recommended that all personal information collected or held by New Zealand agencies fall under the scope of the Bill, regardless of where the information was collected or held and of the location of the individual to whom the information relates.

Cross-border disclosure

The Ministry of Justice noted that agencies will have to take reasonable steps to ensure that personal information sent overseas is protected by acceptable privacy standards. Under the Bill, agencies would only be able to disclose personal information to an overseas person if:

the individual concerned has authorised the disclosure;

the overseas person was in a prescribed country; or

the agency believed on reasonable grounds that the overseas person was required to protect the information in a way that, overall, provides comparable safeguards to those in the Bill.

New offences and penalties

The Bill would create new criminal offences, including:

misleading an agency to obtain access to someone else’s personal information (Clause 212(2)(c)); and

destroying a document containing personal information, knowing that a request has been made for it (Clause 212(2)(d)).

Currently, under the Act, offences are punishable by fines of up to NZD 2,000 (approx. €1,080). Under the Bill, fines for offences would be increased to up to NZD 10,000 (approx. €5,400).

Although the Bill would increase the amount of penalties for non-compliance, the monetary fines still remain significantly low in comparison with other privacy laws, in particular the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), which provides for administrative fines of up to €20 million, or in the case of an undertaking, up to 4% of the agency’s total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5) of the GDPR).

The Bill is due to be debated before the Committee of the Whole House, following which, it will move on to its Third Reading, and then Royal Assent.

MONA BENAISSA, Privacy Analyst

