Privacy legislation is changing both in New Zealand and overseas. While the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are taking up most of the spotlight, closer to home the long-awaited Privacy Bill, which will repeal and replace the Privacy Act 1993 (the Privacy Act), has been making its way through Parliament.
The purpose of the Privacy Bill is to better align New Zealand privacy law with international developments and promote people's confidence that their personal information is secure and will be treated properly. It is expected that the Privacy Bill will pass into law later this year, with a commencement date of early 2020.
In summary, as with any new piece of legislation, there remains a level of ambiguity regarding how certain provisions of the Privacy Bill will be applied. However, with the right preparation and guidance, compliance with the new Privacy Act is entirely achievable and provides you with a valuable opportunity to refresh your privacy practices and build trust with your clients. If you have any questions or concerns about preparing for the upcoming changes, please don’t hesitate to contact us at firstname.lastname@example.org
To help people better understand the key changes set out in the Privacy Bill, we have included a summary of the major ones below:
Mandatory breach reporting
The most debated key change set out in the Privacy Bill is the introduction of mandatory reporting of privacy breaches.
As currently drafted, organisations will be required to notify both the individual and the Privacy Commissioner in the event the organisation suffers a notifiable privacy breach. In determining whether an organisation has suffered a notifiable privacy breach, organisations will need to consider first whether there has been a privacy breach and then whether the breach is notifiable.
A privacy breach is notifiable if it is reasonable to believe it has caused serious harm or is likely to do so. The Privacy Bill provides factors to consider when assessing whether a privacy breach is likely to cause serious harm, which include the nature of the harm, any actions taken by the organisation to reduce the risk of harm following the breach and whether the personal information is sensitive in nature.
Unlike the GDPR, which requires a notifiable data breach to be reported to the Supervisory Authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, the Privacy Bill does not specify a timeframe. Instead it requires an organisation to notify the Privacy Commissioner as soon as practicable after becoming aware that a notifiable privacy breach has occurred. In practice this means an organisation needs an incident response process that can identify a breach, assess the likelihood of serious harm and escalate the decision to notify without delay.
It is proposed that it will be an offence not to notify the Privacy Commissioner. Organisations failing to notify will be liable to a fine up to $10,000.
Stronger cross-border data protection
The Privacy Bill provides stronger protection for personal information being disclosed to people or entities outside New Zealand. Organisations seeking to transfer information overseas will only be able to do so if they satisfy the disclosure requirements set out in the new Information Privacy Principle 12.
The requirements are designed to ensure that either:
the personal information will be protected by safeguards comparable to those set out in the Privacy Act; or
the individual concerned authorises the disclosure, having been expressly informed that the overseas person or entity may not be required to provide safeguards comparable to those set out in the Privacy Act.
The question of which countries can be treated as providing comparable safeguards to those set out in the Privacy Act is likely to be answered in regulations made before the Privacy Bill commences.
Cloud service providers and processors
The Privacy Bill clarifies accountability in situations where an organisation discloses information to another organisation for safe custody or processing (e.g. where an organisation uses a cloud service provider (CSP) or other processor).
The organisation engaging the CSP is treated as being the holder of the personal information and remains accountable for all personal information stored or held on its behalf by the CSP (regardless of whether the information is stored and/or processed outside New Zealand). Further, the transfer of personal information from the organisation to the CSP is not deemed to be a use or disclosure of information. The provisions relating to international transfer of personal information do not apply where the information is being transferred overseas for safe custody or processing.
However, if the CSP or processor subsequently uses or discloses personal information for their own purposes, they will also be accountable as an organisation under the Privacy Bill.
Application to overseas organisations
The Privacy Bill clarifies the extent to which the Privacy Act will apply to overseas organisations. The Privacy Bill prevents overseas organisations from asserting that the Privacy Act does not apply to them by mandating that the Privacy Act applies to all overseas organisations carrying on business in New Zealand. An organisation is treated as carrying on business in New Zealand regardless of whether the organisation has a place of business in New Zealand, receives monetary payment for the supply of goods or services from its business in New Zealand, or makes a profit from its business in New Zealand.
Compliance notices
The Privacy Bill provides the Privacy Commissioner with a new power to issue a compliance notice to any organisation not complying with privacy law.
A compliance notice will describe the breach, including the statutory provisions the organisation is alleged to be breaching. The notice may also identify the steps the Privacy Commissioner considers the organisation needs to take to remedy the breach, and any conditions the Privacy Commissioner considers appropriate.
The Privacy Commissioner will be obliged to publish the fact that a notice has been issued, together with the identity of the organisation it was issued to, other details about the notice or breach, and a statement or comment about the breach, unless publication would cause the organisation undue harm that outweighs the public interest in having access to that information.
Organisations will be given an opportunity to review and comment on the compliance notice, and may appeal all or part of it to the Human Rights Review Tribunal. However, they must do so within fifteen working days of the day the compliance notice was issued.
Privacy Officers
The Privacy Bill reiterates the current requirement for every organisation to appoint a Privacy Officer. However, it elaborates that the Privacy Officer may be appointed from within or outside the organisation.