NZ gets a new privacy law … but has it gone far enough?

On 26 June 2020, the NZ Parliament passed a bill reforming the nation’s privacy law, replacing its 27-year-old Privacy Act 1993. The Privacy Commissioner supported this first major change to NZ privacy laws in 25 years stating it ‘provides a modernised framework to better protect New Zealanders’ privacy rights in today’s environment.”

The new Act, first introduced in March 2018, aims to bring the NZ privacy legislation up to speed with other privacy regimes and gives some additional protections including extended territorial application and an enhanced role for the New Zealand Privacy Commissioner. But has it gone far enough?

What has changed?

Increased powers for the Privacy Commissioner and penalties

The NZ Privacy Commissioner will have additional powers.  The Commissioner will be able to issue compliance notices to require a covered entity to do something, or stop doing something. The Commissioner will also be able to make binding decisions on complaints about access to information, rather than the Human Rights Review Tribunal.  However, the Commissioner’s decisions can be appealed to the Tribunal.

The Act now permits class actions in the Human Rights Review Tribunal by persons other than the Director of Human Rights Proceedings. It will also be an offence to mislead an agency in a way that affects someone else’s information, and to destroy documents containing personal information if a request has been made for it. The penalty will be a fine of up to $10,000.

However, there is no right for the Commissioner to seek civil penalties.  Arguably, it’s the civil penalty regime under the GDPR, that includes fines up to 4% of annual global turnover, that has been most influential in raising compliance levels.

Extra-territoriality

The new Privacy Act will apply to all New Zealand entities collecting personal information (regardless of whether the information is collected or held in NZ or overseas). Its operation is extended to overseas entities that collect personal information in the course of carrying on business in New Zealand, and non-resident individuals who collect personal information while in New Zealand.

This means, for example, that if an international digital platform (like, say, Google) is carrying on business in New Zealand, and collecting or handling New Zealanders’ personal information, there will be no question that they will be obliged to comply with New Zealand law regardless of where they, or their servers are based.[1]

Disclosing Personal Information out of NZ

New Zealand entities covered by the Act will have to take reasonable steps to ensure that personal information sent overseas is protected by privacy standards comparable to those under the NZ Privacy Act. The Act also clarifies that when a New Zealand entity engages an overseas service provider, it will have to comply with New Zealand privacy laws.

Mandatory Data Breach Notification

There is a data breach notification requirement similar to that under the Australian Privacy Act. Notification to the Commissioner and affected individuals is required where there is a breach may reasonably cause serious harm to an affected individual.

When do amendments become effective?

The amendments will take effect on 1 December 2020, but are subject to royal assent to become law.

Changes the Privacy Commissioner wanted but did not get

The Privacy Commissioner argued for a number of changes which were not included in the final legislation. These include a power to seek civil penalties, rights of erasure for individuals (sometimes referred to as “a right to be forgotten”), data portability, and transparency for algorithmic decisions (all of which are part of the enhanced individual rights available under the GDPR).  The NZ Ministry of Justice departmental report indicates further reform along these lines may be needed to maintain EU adequacy.

Why does privacy reform take so long?

The amendments passed in June 2020, and effective as of 1 December 2020, came from the NZ Law Commission’s comprehensive 2011 review of New Zealand’s privacy laws.  The time lag is not dissimilar to the Australian experience, where amendments were passed in 2012, becoming effective in 2014 and implementing recommendations from the Australian Law Reform Commission report released in 2008.

The NZ Privacy Commissioner issued a statement saying that the Bill “addresses some of the most pressing aspects of the modern digital economy” but that he would continue to make the case for more civil enforcement powers and “other modernising reforms to ensure that New Zealand’s privacy framework is robust, fit-for-purpose and comparable to those of its trading partners”.

In an area where the collection and  use of information is changing rapidly and expanding exponentially, delays of between 6 and 9 years for the introduction of up to date laws is less than ideal, particularly where the government has shown it can move quickly in other legislative areas. It seems that the public would also like to see better and more up to date privacy laws.  The Office of the Privacy Commissioner in NZ released the results of its latest survey, showing that 65 percent of New Zealanders want more privacy regulation.[2]

Conclusion

It has taken 9 years to bring NZ laws into alignment with other privacy regimes, such as Australia’s. However, there are still major gaps between the NZ privacy law and the GDPR, which it is supposed to align to. For example, the new law does not include meaningful civil penalties for non-compliance, rights of deletion and data portability, or any requirements in relation to automated decision-making and profiling, Privacy by Design and Data Protection Impact Assessment or a clearer and stricter definition of ‘consent’.

While NZ is still regarded as having an ‘adequate’ privacy regime by the EU (although this is currently under review), something that is likely to remain out of Australia’s grasp for some time, they seemingly suffer from the same legislative lag as many non-EU countries (including Australia). Rather than crafting privacy protections consistent with contemporary expectations and addressing current issues, they are playing a game of ‘catch up.’

What would it take for NZ and Australia to become leaders in this space in the same way that Australia has, for example, been a leader in rolling out its COVIDSafe App (with supporting legislation) and embracing anti-encryption laws?

Read the Act here.

Follow Progress of the Bill here.

Other resources:

https://www.privacy.org.nz/the-privacy-act-and-codes/privacy-law-reform/

[1] https://privacy.org.nz/news-and-publications/statements-media-releases/parliament-passes-modernised-privacy-bill/

[2] https://privacy.org.nz/news-and-publications/statements-media-releases/survey-two-thirds-of-new-zealanders-want-more-privacy-regulation/