NEW ZEALAND’S PRIVACY LAW IS CHANGING – WHAT’S AT STAKE?
An update to New Zealand’s privacy laws is long overdue. When the Privacy Act 1993 came into force almost 30 years ago, the world wide web had only been around for a few years. Technology has changed massively since then, and with it the way people’s personal information is gathered and handled, and the risks that come with it.
The new Privacy Act 2020, which replaces the outdated Privacy Act 1993, takes effect on 1 December 2020. The new Act makes some significant changes to our privacy laws in order to strengthen privacy protections. Notably, it introduces mandatory reporting of privacy breaches and new criminal offences.
The key changes to be aware of include:
Requirements to report privacy breaches
- If an agency has a privacy breach that causes serious harm or is likely to do so, it must notify the people affected and the Privacy Commissioner.
- When an agency is assessing whether a privacy breach is likely to cause serious harm, in order to decide whether it must notify the breach, the Act requires it to consider:
  - any action taken by the agency to reduce the risk of harm following the breach;
  - whether the personal information is sensitive in nature;
  - the nature of the harm that may be caused to affected individuals;
  - the person or body that has obtained or may obtain personal information as a result of the breach (if known);
  - whether the personal information is protected by a security measure (for example, encryption);
  - any other relevant matters.
- There are some exceptions to the requirement to notify affected individuals (or the public) of a privacy breach, including where the agency believes on reasonable grounds that doing so would endanger the safety of any person or reveal a trade secret. However, the Commissioner must still be notified.
- It is an offence to fail, without reasonable excuse, to notify the Commissioner of a notifiable privacy breach. The penalty is a fine of up to $10,000.
Decisions on access requests
- The Commissioner will be able to make binding decisions on complaints about access to personal information, rather than the individual having to apply to the Human Rights Review Tribunal. The Commissioner’s decisions can be appealed to the Tribunal.
Cross-border data protections
- A new privacy principle 12 has been added to regulate the way personal information can be sent overseas. Under principle 12, an agency may only disclose personal information to a foreign agency if the receiving agency is subject to safeguards comparable to those in the Privacy Act, for example because it is covered by similar privacy laws or because the two entities have entered into an agreement requiring those protections. If those protections do not exist, the individual concerned must be expressly informed that their information may not be adequately protected, and they must expressly authorise the disclosure. Principle 12 does not apply where an overseas provider merely stores or processes the information on the agency’s behalf (for example, a cloud hosting provider): that information is treated as still held by the agency, which remains responsible for protecting it.
Class actions
- The Act permits class actions in the Human Rights Review Tribunal to be brought by persons other than the Director of Human Rights Proceedings.
New criminal offences
- The Act introduces new criminal offences. It is an offence to mislead an agency in a way that affects someone else’s information (for example, by impersonating someone in order to obtain information you are not entitled to see), and to knowingly destroy documents containing personal information knowing that a request has been made for that information. The penalty for these offences is a fine of up to $10,000.
What’s at stake?
Non-compliance with privacy laws is a real business risk. There is a lot to lose, including:
- Reputation – you don’t want your business to be in the headlines for Privacy Act breaches or poor privacy practices. Reputational harm is also not a good enough reason to delay or avoid public notification of privacy breaches under the new Act.
- Compensation for breaches – the Human Rights Review Tribunal can award compensation or damages to an individual for privacy breaches. The high-water mark for damages for hurt, humiliation and injury to feelings was set by the Tribunal in MacGregor v Craig, where Ms MacGregor (former press secretary for Colin Craig) received a record $120,000 for emotional harm.
- Contractual breaches – in many cases, failure to comply with the Privacy Act will breach your supplier, customer and other business contracts. The consequences can include termination and / or damages for loss arising from the breach.
- Fines under the new Act – there are a number of new offences under the Act which, on conviction, attract fines of up to $10,000.
- Costs associated with remediating a privacy breach – don’t underestimate the time and resources required to remedy a privacy breach, for example engaging experts to investigate and fix the systems failures behind it, and PR companies to minimise reputational damage. Contacting everyone affected by the breach, which is mandatory under the Privacy Act 2020 where the breach is notifiable, can also be costly.
A number of features of international data protection laws are notably absent from our new Privacy Act. In particular, the Privacy Commissioner cannot impose large fines for privacy breaches in the way regulators can in the EU, UK and USA. For example, penalties for breaching the General Data Protection Regulation (the European data protection regulation) include fines of up to 20 million euros or four percent of annual global turnover, whichever is higher.
There is also no “right to be forgotten” in the new Act, the EU rule that gives individuals the power to demand that data about them, including search links, be deleted.
If you would like more information on the changes to the Privacy Act and the steps that your business may need to take before the new Act comes into force at the end of the year, please get in touch.