New Privacy Act – what every Kiwi Business needs to know

For the first time in 27 years, New Zealand’s privacy laws were updated on 1 December 2020 to be more relevant in today's digital age. The Privacy Act 2020 calls for big changes to organisations’ privacy policies and data protection practices. It might set a precedent for a more agile legal position in line with technological changes, too.

For individuals and customers, the Act provides new tools to enforce rights. For businesses, it means action is needed to check the right privacy systems are in place and all staff understand their obligations.


Harmful privacy breaches under the new Act

A privacy breach is identifiable when it has already caused, or could cause, serious harm to an affected individual.

It is essential that a privacy breach that is causing, or could cause, serious harm is immediately notified to those individuals and to the Privacy Commissioner. Exceptions to this obligation include the possibility that this notification could result in further breaches, or could prejudice an individual’s health. At the other extreme, if the risks are serious, such as a threat to the individual’s life or health, organisations are also expected to let individuals know the details of any person or organisation in possession of their information.

Customers and individuals have more rights under the new Act, for example being able, for the first time, to begin proceedings in the Human Rights Review Tribunal as a class action.

It’s not just New Zealand companies who’ll be subject to the Act. Also counted will be overseas companies seen to be doing business in New Zealand — regardless of whether they have a physical office in New Zealand or not.


Compliance notices

The Commissioner has new powers to issue businesses with notice that they are considered to have breached the new Act, and require them to take action to remedy the breach. Organisations that fail to follow a compliance notice, or mislead an organisation in a way that affects personal information, may be liable for fines of up to $10,000. Compliance notices will be made public, unless the Commissioner believes it is in the public interest to withhold them.


Cross-border disclosures

The Act introduces a new set of controls that are intended to ensure personal information sent offshore will be covered by the same safeguards as those in New Zealand. The one key exception to the IPP is that information sent offshore is not seen as a disclosure if the party does not use the information for its own purposes.


How does the NZ Privacy Act compare?

By establishing the need to notify the Commissioner about current or possible breaches, the Privacy Act 2020 in many respects brings New Zealand in line with other countries such as Australia and European countries. Things will become clearer as cases start to be enacted by the courts once the Act comes into force. In the meantime, err on the side of caution when figuring out what the category of ‘serious harm’ could cover.