Kia ora koutou,

On 1 Dec., New Zealand’s new Privacy Act 2020 came into force, repealing and replacing the Privacy Act 1993. Unlike other countries now enacting GDPR-like privacy laws, the Privacy Act 2020 is not a direct response to the GDPR. We’ve had a strong and well-regarded privacy regime in NZ for more than 25 years. Rather, this new law is the result of a long legislative review process initiated by NZ’s Law Commission back in 2011. 

This means the Privacy Act 2020 retains many of the flexible, reasonable and technology-neutral features that made it so revolutionary back in the 1990s. However, it also means it lacks many of the stricter and more prescriptive provisions of the GDPR and other more recent global privacy laws. For example, the Privacy Act 2020 does not create a punitive fines regime (though it does provide for several criminal offenses and a strong and effective complaints regime and harm-based damages awards), it does not provide rights to be forgotten or to data portability, it says nothing about automated decision-making, and it leaves much of the management of privacy compliance to agencies to determine. 

That said, the Privacy Act 2020 does move NZ’s privacy regime significantly further along, focusing as it does on increasing the privacy commissioner’s enforcement powers and requiring greater accountability from agencies. The new law has been Notify Us, will help agencies assess whether a privacy breach is serious and, if so, notify it to the commissioner. Model contract clauses have been developed to assist agencies to comply with the new overseas disclosure restrictions. The commissioner has also published his "Compliance and Regulatory Action Framework," providing welcome transparency to agencies about the way he will exercise his new powers. 

Many agencies — both here and overseas — will now need to assess their privacy programs and frameworks to understand how the Privacy Act 2020 changes things for them. The IAPP will work to develop helpful and relevant content on this in the coming months. In the meantime, the IAPP has already produced some original content on the new law, including a thoughtful piece from former NZ Assistant Privacy Commissioner Blair Stewart on embedding a privacy program in a national organization, and a session on the