The Privacy Act 2020, which comes into force on 1 December 2020, introduces significant regulatory changes. The changes recognise increased globalisation and the growth of social media, and extend the Act's reach to overseas agencies and individuals.
Who is covered?
The 2020 Act explicitly applies to overseas agencies and to individuals not ordinarily resident in New Zealand. An overseas agency need not be in commercial operation or even have a place of business in New Zealand to be treated as 'carrying on business in New Zealand'.
This is particularly significant as the Courts have shown a reluctance to apply Acts extraterritorially unless explicitly provided.
The most significant change is the imposition of mandatory breach reporting duties.
The mandatory reporting requirement brings New Zealand into line with jurisdictions such as Australia, the United States and the European Union. Although the security of personal information has always been a principle of the Privacy Act 1993, reporting breaches of that principle has until now been voluntary.
Agencies must notify both the Commissioner and affected individuals once they become aware that a notifiable privacy breach has occurred.
A notifiable privacy breach is a privacy breach that it is reasonable to believe has caused serious harm to affected individuals, or is likely to do so. The new Act lists factors an agency must consider when assessing the likelihood of serious harm:
Whether the agency has taken steps to reduce the harm following the breach
Whether the personal information is sensitive in nature
The nature of the harm that may be caused
The person or body that has obtained (or may obtain) personal information as a result of the breach
Whether the personal information is protected by a security measure
Any other relevant matters.
The biggest question is whether any particular breach meets the notifiable threshold. The Commissioner has urged agencies to carefully consider whether a privacy breach is notifiable, noting that in some cases notifying an individual of a breach can cause more harm than the privacy breach itself. Over-reporting may also affect an agency’s security reputation.
On the other hand, failure to notify a notifiable privacy breach is treated as an interference with the privacy of an individual, and failing to notify the Commissioner without reasonable excuse is an offence punishable by a fine of up to $10,000.
This creates an uneasy tension. In marginal cases an agency may need to choose between damage to its own reputation from reporting a breach on the one hand, and the risk of committing an offence under the Act on the other. Until the first cases are decided there is likely to be uncertainty about where the threshold for a notifiable breach lies.
More power for the Commissioner: compliance notices
Under the 1993 Act the Privacy Commissioner has limited ability to make binding decisions. The new Act grants the Commissioner a wider power to issue compliance notices requiring an agency to do, or stop doing, something in order to comply with the Act.
If an agency does not comply with a compliance notice (or appeal it), the Commissioner can take enforcement proceedings in the Human Rights Review Tribunal.
The Commissioner will have a more proactive role and will no longer be reliant on privacy complaints to take action.
The 2020 Act adds a new principle to the 12 that exist under the 1993 Act, relating to cross-border disclosures. Before sending personal information overseas, an agency will need to satisfy itself that the information will be adequately protected, whether because the recipient is subject to the 2020 Act, is subject to comparable foreign privacy law, or is bound by contract to comparable safeguards.
The new Act clarifies that if agency A holds information as agent for agency B, the information is treated as being held by B. It will not be treated as being held by A unless A uses or discloses the information for its own purposes. This rule also applies to cross-border disclosures: information stored with an overseas cloud service such as Google Drive, where the provider merely stores or processes it on the agency's behalf, is not a cross-border disclosure. The agency remains the holder of that information for the purposes of the Act, and so remains responsible for its security.
Selected other changes
The new Act strengthens the protections around the fair collection of personal information, and expressly requires agencies to consider the circumstances when collecting personal information of children or young persons.
Agencies have new grounds for refusing to release personal information to individuals. This is concerning, as it limits individuals' right to access their own personal information, although it is mitigated by the fact that the threshold for the new grounds of refusal is high.
The Act increases the maximum fine for existing criminal offences from $2,000 to $10,000 and introduces new criminal offences, including destroying documents containing personal information knowing that a Privacy Act request for them has been made.