Fears that New Zealand's new and updated privacy law could run out of time to pass in the current Parliament may be unfounded.
The Privacy Bill, which appeared to be perhaps fatally stalled due to the pandemic, passed a Committee of the Whole House stage in Parliament last week, clearing the way for a third reading.
The Bill, which has cross-party support in Parliament, repeals and replaces the Privacy Act 1993.
"If the Bill passes soon, it is anticipated the new Privacy Act will take effect on 1 December 2020," the Office of the Privacy Commissioner said in an update this week.
Privacy Commissioner John Edwards said the new law would provide a modernised framework and better protect New Zealanders’ privacy rights.
For businesses and the technology sector, the key reform in the new law is the introduction of mandatory data breach notification, requiring that both the Commissioner and third parties be informed of any harmful breaches.
Binding access determinations will also give the Commissioner power to demand the release of personal information if an organisation denies an individual's request for it.
It will also be an offence to mislead an organisation in a way that affects someone’s personal information or to destroy personal information if a request has been made for it.
The Commissioner may also issue compliance notices to require compliance with the Privacy Act.
Before New Zealanders’ personal information can be disclosed overseas, New Zealand organisations will also need to ensure those overseas entities have similar levels of privacy protection to New Zealand's.
Edwards pushed for civil penalties of up to $100,000 in the case of an individual and up to $1 million in the case of a body corporate back in 2016, but these have been well watered down in the new Bill.
The maximum payable fine under the new Bill is $10,000.