This article was written by John Swinson and Kai Nash.
We are now less than a month away from a new privacy law in New Zealand. The Privacy Act 2020 (NZ) (the NZ Privacy Act), which commences on 1 December 2020, will repeal and replace the Privacy Act 1993 (NZ). The NZ Privacy Act will better align the law in New Zealand with the ever-evolving consumer sentiment and conceptions of privacy in the digital age. Australian privacy laws are also under review after much anticipation. The terms of reference were released in late October 2020 and are available here.
In this alert, we highlight the headline updates under the new legislation in New Zealand and what they mean for Australian organisations that operate their business “across the ditch”.
What is changing?
The NZ Privacy Act introduces a number of reforms that impact the way organisations can collect, use and disclose personal information.
- Clarification of the extraterritorial scope: The NZ Privacy Act now clarifies that the privacy laws have an extraterritorial effect. This means that “overseas agencies” based outside of New Zealand, including in Australia, that “carry on business” in New Zealand will be subject to the privacy obligations imposed by the NZ Privacy Act if they hold information about New Zealand individuals. The definition of “carry on a business” is broad, such that an organisation may be captured even if it does not have a physical presence in New Zealand, does not receive any monetary payment for its goods or services, or does not intend to make a profit in New Zealand.
- Cross border transfers: A new Information Privacy Principle (IPP) will be introduced to regulate the way personal information can be transferred out of New Zealand. Under the new IPP 12, an organisation covered by the NZ Privacy Act will be restricted from disclosing personal information to an entity outside of New Zealand unless the receiving party is subject to equivalent protections and safeguards to those in the NZ Privacy Act.
If the receiving party is not subject to protections and safeguards comparable to New Zealand’s privacy laws, the individual concerned must be expressly informed that the recipient may not be required to protect the information in a way that is consistent with the NZ Privacy Act, and they must consent to their information being disclosed to that entity outside of New Zealand.
Despite these enhanced protections under IPP 12, there is an important exception whereby an offshore transfer of information to a third party for storage or processing will not be classified as a use or disclosure. This allows organisations covered by the NZ Privacy Act to transfer personal information to offshore data processors (such as cloud storage providers) without meeting the requirements of IPP 12. At the time of writing this article, none of the major cloud service providers have a data centre in New Zealand.
- Mandatory breach reporting: The NZ Privacy Act introduces a notifiable data breach regime similar to the Australian scheme. If an organisation suffers a privacy breach that causes serious harm, or is likely to do so, it must notify the people affected and the NZ Office of the Privacy Commissioner (Commissioner). After locking down a breach, however caused, the organisation must assess the likelihood of serious harm to the affected individuals in order to ascertain whether the breach is eligible to trigger the notification obligations.
The NZ Privacy Act also seeks to enhance organisational accountability for breaches of the NZ Privacy Act, including:
- Increasing the powers for the regulator: The Commissioner will now be able to issue compliance notices if it reasonably believes that an organisation has breached its obligations under the NZ Privacy Act. Compliance notices may be issued to require an organisation to do something or stop doing something. Organisations have a statutory requirement to comply with these notices.
- Introducing new criminal offences: The NZ Privacy Act creates a new criminal offence if a person or organisation attempts to mislead the Commissioner or any other person exercising their powers under the legislation. The new offence contemplates a person making misleading statements, attempting to access another person’s information through impersonation or knowingly destroying personal information subject to a request made by the Commissioner. A person may face a fine up to $10,000.
- Broadening standing requirements to allow class actions: Under the new laws, an aggrieved individual or class of individuals may bring an action to the Human Rights Review Tribunal. Once the legislation comes into effect next month, these new provisions will facilitate class action claims where harm occurs as a result of privacy breaches by organisations. In contrast, Australian privacy laws have no such individual right of action at this time.
What does it mean for Australian businesses?
With just under one month to go until the new regime is introduced, now is a good time to revisit your organisation’s privacy practices. Although the NZ Privacy Act does not have the same teeth as stricter regimes such as the GDPR or CCPA, the stakes are still higher than they were before. Organisations should consider the following questions:
- Does the NZ Privacy Act apply to my organisation?
If you operate in New Zealand – yes. An Australian entity with operations in New Zealand will likely be captured by the NZ Privacy Act. Under section 4, the NZ Privacy Act applies to New Zealand agencies and “overseas agencies”, which as described above will include an Australian organisation that is “carrying on business” in New Zealand.
- How do I manage the new cross border disclosure rules?
If your organisation does disclose personal information to entities outside of New Zealand, including intra-group and related entities, you will need to consider the reforms with respect to the type of personal information being disclosed and the relevant overseas jurisdictions. Obtaining ‘good consent’ to disclose the personal information across borders will solve most issues. If you do not have consent, you may, among other things, need to gain comfort that the information disclosed to an entity outside of New Zealand will be protected by safeguards comparable to New Zealand’s privacy laws. To do this, you could:
- review your contractual protections to assess the extent to which the recipient is obliged to comply with safeguards comparable to New Zealand’s privacy laws; or
- establish whether the recipient of the personal information is subject to domestic laws that are comparable to New Zealand’s privacy laws (i.e. a jurisdiction with privacy laws at least on par with the NZ Privacy Act).
- Is my organisation prepared for the mandatory notification regime?
By now, most Australian businesses will have implemented robust data breach response plans on the back of the Australian scheme that was introduced in 2018. Now is a good time to revisit your existing internal processes or implement an organisational data breach response plan if you do not have one already.
- Should I conduct a privacy governance refresh?
KWM has good relationships with lawyers in New Zealand who specialise in privacy and data protection.
Want to know more?
The data economy is transforming the way we do business and leveraging the opportunities it presents is key to staying competitive in an evolving market. Check out KWM’s Data Hub here or get in touch.
The Information Privacy Principles (IPPs) are akin to the Australian Privacy Principles (APPs).