22 March 2018
The Office of the Privacy Commissioner of New Zealand (‘OPCNZ’) released, on 20 March 2018, a statement welcoming the introduction of the Privacy Bill, Government Bill 34-1 (‘the Bill’). The Bill, which would replace the Privacy Act 1993, seeks to enhance and strengthen privacy and data protection in New Zealand by implementing a number of the key recommendations made by the Law Commission in 2011. Nevertheless, though the Privacy Commissioner, John Edwards, recommended the introduction of fines of up to AUD $1 million (approx. €626,670) for breaches, the Bill sets a maximum fine of AUD $10,000 (approx. €6,270) for non-compliance.
Frith Tweedie, Digital Law Leader at EY Law Limited, told DataGuidance, “[When compared to] the maximum fine available under the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) of €20 million or 4% of a company’s global annual turnover, New Zealand’s proposed maximum fine risks looking paltry in comparison. [In addition, Edwards] recommended including rules relating to data portability, which are also absent from the Bill. Without such changes, there is a danger that the Bill will simply be seen as business as usual and New Zealand’s once world-leading privacy laws will slip behind international developments. [This would] increase the risk of New Zealand losing its adequacy status in the EU under the GDPR’s standards as well as its favourable position in a competitive globalised world.”
The Bill would authorise the OPCNZ to make binding decisions on complaints relating to subject access requests (‘SARs’), in particular where an agency had previously refused an individual’s SAR, and to issue compliance notices to organisations, which would be enforceable at the Human Rights Review Tribunal. Moreover, the Bill introduces mandatory reporting of harmful privacy breaches.
Tweedie concluded, “The Bill presents a similar form of mandatory data breach notification to the Notifiable Data Breaches Scheme introduced in Australia in February 2018, [with a timeframe] that is [potentially] more lenient than the one prescribed by the GDPR. If the Bill is finalised in its current form, organisations should prepare and test a data breach response plan. The plan should detail key elements such as roles and responsibilities, incident response processes, steps for containing a breach and draft notification wording. [Furthermore], organisations should understand what personal information is currently being collected and held, offer training to all members of staff, and [conduct] reviews of contracts with service providers who deal with personal information to determine if they need updating.”
ANGELA POTTER | Junior Privacy Analyst