New Zealand's new and updated privacy legislation has passed through Parliament, ushering in a new legal framework and regime for the protection of information, including the introduction of a mandatory data breach notification scheme.
The Bill to replace the 27-year-old Privacy Act 1993 passed its third reading in Parliament on 25 June with unanimous support. The Privacy Act 2020 will come into effect on 1 December 2020.
According to Justice Minister Andrew Little, the legislation introduces new mechanisms to promote early intervention and risk management by agencies, rather than relying on people making complaints after a privacy breach has already happened.
The Bill’s reforms will also enhance the role of the Privacy Commissioner and strengthen protections for information disclosed overseas, Little said.
“The protections in the Privacy Bill are vitally important. The key purpose of the reforms is to promote and protect people’s privacy and give them confidence that their personal information is properly safeguarded,” Little said.
Privacy Commissioner John Edwards welcomed the passage through Parliament of the Privacy Act 2020, noting that many of the changes were based on recommendations from the Law Commission’s 2011 review of New Zealand’s privacy laws.
“The new Privacy Act provides a modernised framework to better protect New Zealanders’ privacy rights in today’s environment,” Edwards said.
“I am grateful for the cross-party support of Parliament on this issue. It is an endorsement of the significance of privacy as a universal human right that the Bill was passed with the multi-party support of the House.”
Among the key reforms included in the new Privacy Act is the introduction of mandatory notification of harmful privacy breaches.
This measure means that if organisations or businesses have a privacy breach that poses a risk of serious harm, they are required to notify the Privacy Commissioner and affected parties.
According to the government, this change brings New Zealand in line with international best practice. At the very least, it mirrors Australia’s mandatory data breach notification scheme, which came into effect in early 2018.
The new legislation also includes the introduction of compliance orders, meaning that the Commissioner can issue compliance notices to require compliance with the Privacy Act, with failure to follow a compliance notice potentially resulting in a fine of up to $10,000.
Additionally, the new laws provide for binding access determinations, so that if an organisation or business refuses to make personal information available upon request, the Commissioner will have the power to demand release.
The legislation also includes provisions for controls on the disclosure of information overseas. This means that before disclosing New Zealanders’ personal information overseas, New Zealand organisations or businesses will need to ensure those overseas entities have similar levels of privacy protection to those in New Zealand.
The new laws also include new criminal offences. Under the new legislation, it will be an offence to mislead an organisation or business in a way that affects someone’s personal information or to destroy personal information if a request has been made for it. The maximum fine for these offences is $10,000.
Moreover, the legislation provides for explicit application to businesses whether or not they have a legal or physical presence in New Zealand.
As such, if an international digital platform is carrying on business in New Zealand, with New Zealanders’ personal information, there will be no question that it will be obliged to comply with New Zealand law regardless of where it, or its servers, are based.
The Privacy Bill, which not long ago appeared to be fatally stalled due to the pandemic, passed a Committee of the Whole House stage in Parliament in early June, clearing the way for a third reading in Parliament.