New Zealand's Refreshed Privacy Act Takes EffectIncludes New Breach Notification Requirements, Fines and Greater Regulatory Powers
New Zealand’s refreshed Privacy Act, which came into effect Tuesday, introduces breach notification requirements and civil penalties. It also holds data handlers to higher responsibilities to counter new threats to personal data.
The Privacy Act 2020 replaces the Privacy Act 1993. It was approved by New Zealand’s Parliament in June after several years of discussion.
“The new act brings with it a wider range of enforcement tools to encourage best practice, which means we are now able to take a different approach to the way we work as a regulator,” says New Zealand Privacy Commissioner John Edwards.
But while the act doesn’t have the same teeth as either the European Union’s General Data Protection Regulation or the California Consumer Privacy Act, “the stakes are still higher than before,” write Katherine Forrest, Patrick Gunning and John Swinson of the law firm King & Wood Mallesons.
Mandatory Breach Notification
One of the most significant changes under the new act is that organizations that lose data or experience a breach are now legally required to notify the Office of the Privacy Commissioner and those affected.
Under the old act, notification was not mandatory, although the privacy commissioner encouraged reporting, according to the law firm Hunton Andrews Kurth. Organizations that fail to report a breach could be fined up to 10,000 New Zealand dollars ($7,020).
The fine is far short of what the privacy commissioner had hoped. In 2017, Edwards advocated civil penalties of up to NZ$100,000 on an individual and NZ$1 million for a corporation for an unreported serious breach or repeated violations (see: NZ Privacy Chief Backs $1 Million Fines for Breaches).
The New Zealand law's provisions also pale in comparison to Australia’s Notifiable Data Breaches law. Last year, the government increased the maximum penalty for violations from 2.1 million Australian dollars ($1.5 million) to the greater of either AU$10 million or three times the value of any benefit obtained through the misuse of information - or, if the court cannot determine the value of the benefit, 10% of a company’s annual domestic revenue, according to the Office of the Australian Information Commissioner.
While a maximum fine of NZ$10,000 seems low, data breach victims could bring a class action to New Zealand’s Human Rights Review Tribunal, which can award damages based on violations of the Privacy Act. The maximum the tribunal can award is NZ$350,000 per person.
When to Report
Breaches subject to notification are those that present a likely risk of harm, such as the release of sensitive personal information.
The privacy commissioner has launched an online self-assessment tool for organizations to gauge whether their incident meets the reporting requirements. According to the tool, sensitive information would include health or financial data or political or religious beliefs.
The new act also addresses a point that has been chafing regulators. Overseas-based companies that provide services to New Zealanders have often ignored the country’s privacy laws. The act will now apply to all companies that do business in New Zealand, no matter where those firms are based. The privacy commissioner notes that “this will cover businesses such as Google and Facebook.”
Organizations are allowed to disclose personal information to an overseas agency as long as that agency is bound by personal data regulations similar to New Zealand's new law. Also, companies that use cloud services must ensure that those services handle data in accordance with New Zealand law.
New Regulatory Powers
The privacy commissioner also gains new powers. For example, the commissioner's office can issue compliance notices, which can order an organization to take action or stop doing something that violates the Privacy Act. Those orders can be appealed to the Human Rights Review Tribunal.
Failing to follow a compliance notice is subject to a fine of up to NZ$10,000.
Under the new law, individuals now have the right to access to personal information held by an organization.
If an organization refuses a valid request, the privacy commissioner can issue an access direction. Failure to comply with a direction means the organization can be fined up to NZ$10,000. Also, an individual who tries to obtain someone else’s personal information under false pretenses can be fined up to NZ$10,000.
Other privacy principles have also been updated. For example, organizations can only collect data if a need is demonstrated, a practice known as data minimization.
The act also states that businesses should consider how they collect data from children and whether it is fair given that kids may not realize the implications of divulging certain kinds of data.
Organizations also are required to protect unique identifiers, such as customer numbers, and only use those appropriate for their services to reduce the chance of identity theft.