THE ‘NEW’ NEW ZEALAND PRIVACY ACT IS MORE IN LINE WITH AUSTRALIA’S, BUT THERE ARE SOME DIFFERENCES
New Zealand’s Privacy Act 2020, amending the Privacy Act 1993, was passed on June 30, 2020, and came into effect on December 1, 2020. Consistent with global trends, this law was created to strengthen New Zealand’s privacy laws by implementing stricter privacy compliance through additional obligations and requirements.
The changes to New Zealand’s privacy laws align New Zealand and Australian laws and bring them closer to the EU’s General Data Protection Regulation (GDPR) scheme.
What is new?
The Privacy Act 2020 has a new privacy principle (IPP 12) that is similar to Australian Privacy Principle 8, which covers overseas disclosure of personal information. Both laws strictly regulate the transfer of personal information abroad without the person’s consent unless certain obligations are met.
If there has been a data breach, all businesses and organisations in New Zealand are required to notify the Privacy Commissioner. Similar to Australia’s laws, the requirement arises when the breach causes serious harm or is likely to cause harm to the affected parties. The key factor here is the potential for serious harm to occur.
Much like its Australian and EU counterparts, the New Zealand Privacy Act implements a system for compliance and offences that puts emphasis on enforcement.
What is different?
The Australian Privacy Act contains a special category of personal information, that is, sensitive information which is described as religious or philosophical beliefs and affiliations, racial or ethnic origin, sexual orientation or practices, political opinions, criminal record, biometric information, health information, genetic information and other specific information. Although the New Zealand Act also has a wide definition of personal information, it does not have a special category of sensitive information like Australia has.
In the Australian Privacy Act, employee records that contain an employee’s personal information and are in the possession of the employer are exempt from the Australian Privacy Principles. The New Zealand Privacy Act does not contain such an exemption.
Under the privacy legislation, maximum penalties in Australia can reach up to AU$450,000 for individuals and AU$2.1 million for corporations. Kiwis, on the other hand, can face penalties of up to NZ$10,000, with an option to bring the matter to the Human Rights Tribunal, which can grant damages of up to NZ$350,000.
The Australian Privacy Principles (APPs) provide for restrictions on using unsolicited personal information and on using personal information for direct marketing, but these are not stated in the New Zealand information privacy principles (IPPs). Furthermore, APP 9, the principle about unique identifiers, is limited to how and when private organisations can use government-issued identification numbers. IPP 13 of New Zealand, conversely, restricts the use of any unique identifiers.
The key changes in the New Zealand privacy laws include the requirements to report privacy breaches to the Commissioner and notify the people affected. The Commissioner has the authority to issue compliance notices to agencies to do or stop doing something. The Commission can also make binding decisions on complaints about access to information, rather than the Human Rights Review Tribunal, although the decisions can be appealed to the Human Rights Tribunal. New Zealand agencies must take reasonable steps to ensure that any personal information that is sent overseas is protected by comparable privacy standards. A New Zealand agency will also have to ensure that, if it engages an overseas service provider, the provider complies with New Zealand privacy laws. There are new criminal offences for misleading an agency in a way that affects someone’s information and in relation to the obligation to destroy personal information if a request has been made. The penalty is a fine of up to $10,000.
- New Zealand’s new Privacy Act 2020 came into effect on December 1, 2020.
- The changes to New Zealand’s privacy laws align the New Zealand Privacy Act with Australian laws and with the EU’s General Data Protection Regulation (GDPR).
- Both laws strictly regulate the transfer of personal information abroad without a person’s consent unless certain obligations are met.
- Under the Australian Privacy Act, employee records that contain an employee’s personal information and are in the possession of the employer are exempt from the Australian Privacy Principles, but the New Zealand Privacy Act does not contain such an exemption.
- Penalties in the Australian Privacy Act are more onerous than the penalties in the New Zealand Privacy Act.
Jaclyn-Mae Floro, BCompSc
Disclaimer. The material in this post represents general information only and should not be taken to be legal advice.