Kia ora koutou,
On 1 Dec., New Zealand’s new Privacy Act 2020 came into force, repealing and replacing the Privacy Act 1993. Unlike other countries now enacting GDPR-like privacy laws, the Privacy Act 2020 is not a direct response to the GDPR. We’ve had a strong and well-regarded privacy regime in NZ for more than 25 years. Rather, this new law is the result of a long legislative review process initiated by NZ’s Law Commission back in 2011.
This means the Privacy Act 2020 retains many of the flexible, reasonable and technology-neutral features that made it so revolutionary back in the 1990s. However, it also means it lacks many of the stricter and more prescriptive provisions of the GDPR and other more recent global privacy laws. For example, the Privacy Act 2020 does not create a punitive fines regime (though it does provide for several criminal offenses and a strong and effective complaints regime and harm-based damages awards), it does not provide rights to be forgotten or to data portability, it says nothing about automated decision-making, and it leaves much of the management of privacy compliance to agencies to determine.
That said, the Privacy Act 2020 does move NZ’s privacy regime significantly further along, focusing as it does on increasing the privacy commissioner’s enforcement powers and requiring greater accountability from agencies. The new law has been described as reflecting “the changes in New Zealand’s wider economy and society as well as a modernised approach to privacy.”
The privacy commissioner now has the power to issue enforceable compliance notices and binding subject access determinations. Agencies are now required to notify serious privacy breaches to the privacy commissioner and the people affected. There is a new prohibition on disclosing personal information to an overseas recipient (other than a service provider), requiring the discloser to ensure the information will be protected by comparable privacy safeguards. Importantly for New Zealanders interacting in the global market, the new act also asserts extraterritorial jurisdiction, applying to any overseas agency carrying on business in NZ.
While most of the privacy principles remain substantively the same, the new obligations will require real changes of practice for many agencies. The privacy commissioner has been working hard to assist agencies to understand, prepare for and comply with the new act. These efforts will be of equal value to both NZ agencies and overseas agencies delivering services to NZ. A new privacy breach notification tool, Notify Us, will help agencies assess whether a privacy breach is serious and, if so, notify it to the commissioner. Model contract clauses have been developed to assist agencies to comply with the new overseas disclosure restrictions. The commissioner has also published his "Compliance and Regulatory Action Framework," providing welcome transparency to agencies about the way he will exercise his new powers.
Many agencies — both here and overseas — will now need to assess their privacy programs and frameworks to understand how the Privacy Act 2020 changes things for them. The IAPP will work to develop helpful and relevant content on this in the coming months. In the meantime, the IAPP has already produced some original content on the new law, including a thoughtful piece from former NZ Assistant Privacy Commissioner Blair Stewart on contracting out the privacy officer role under the new act.
On a broader note, we’ve released a couple of ANZ Summit Sessions, providing members with the opportunity to hear some of the great content that should have been delivered at the ANZ Summit this year. You can find a practical session on embedding a privacy program in a national organization, and a session on the convergence of privacy regulation in Australia.
This will be my last introduction email until the New Year, so have a wonderful break if you’re taking one, and see you again in 2021. Enjoy the digest, folks.
Ngā mihi nui,