Privacy 101 – what every Kiwi needs to know
Customers will be more protected, and non-compliant businesses will be exposed. With 1 December less than three weeks away, here’s a rundown of the new Privacy Act's key features, and why action is long overdue.
On 26 June 2020 the Privacy Act 2020 was passed unanimously by the New Zealand Parliament. It comes into effect on 1 December 2020.
In the 27 years it has taken to update New Zealand's privacy law, pressure has mounted because the old law was written for a pre-digital age. The Privacy Act 1993 dates from the same year the first widely accessible web browser was released. As Privacy Commissioner John Edwards says, updates to the law have "been a long time coming".
The Privacy Act 2020 calls for big changes to organisations’ privacy policies and data protection practices. It might set a precedent for a more agile legal position in line with technological changes, too. As Edwards has said, it is a more dynamic document that can be reviewed as new technology is introduced.
The updated Privacy Act is a response to the Internet: instantaneous communication that erases distance, individuals coordinating their efforts across the globe, and small businesses having access to much the same online technology as large ones. For governments, on the other hand, the Internet exposes citizens to kinds of interaction that were not conceived of when the 1993 Act was drafted.
The Privacy Act 2020 also taps into the reputational risk that comes with operating in a small country, essentially telling businesses: do the right thing and protect customers' information, or be outed. New Zealanders tend to place a lot of faith and trust in businesses, and our high degree of social connectedness puts greater pressure on organisations to do the right thing.
For individuals and customers, the Act provides new tools to enforce rights. It undoubtedly means that organisations must take their privacy obligations more seriously. For businesses, it means action is needed to check the right privacy systems are in place and all staff understand their obligations.
Harmful privacy breaches
Under the new Act, a privacy breach is notifiable when it has caused, or is likely to cause, serious harm to an affected individual. Such a breach must be notified to the Privacy Commissioner and to the affected individuals as soon as practicable after the organisation becomes aware of it.
There are exceptions to this obligation, for example where notifying individuals could lead to further breaches of the information, or could prejudice an individual's health. At the other extreme, where the risk is serious, such as a threat to the individual's life or health, organisations are also expected to tell affected individuals the identity of any person or organisation believed to be in possession of their information.
Customers and individuals have more rights under the new Act, including, for the first time, the ability to bring proceedings in the Human Rights Review Tribunal as a class action.
It is not just New Zealand companies that will be subject to the Act. Overseas companies carrying on business in New Zealand are also covered, whether or not they have a physical office here.
The Commissioner has new powers to issue a business with a compliance notice stating that it is considered to have breached the Act and requiring it to remedy the breach. Organisations that fail to follow a compliance notice, or that mislead an agency in a way that affects personal information, may be liable for fines of up to $10,000, up considerably from the $2,000 maximum under the 1993 Act.
The Act widens the Commissioner's powers in other ways too. Compliance notices will be made public unless the Commissioner considers it in the public interest to withhold them.
The Act introduces a new set of controls intended to ensure that personal information sent offshore is covered by the same safeguards as information held in New Zealand. The new information privacy principle (IPP) sets out the conditions under which personal information may be disclosed to a foreign agency. The risk is greatest when organisations use third-party platforms that use the information for their own purposes, such as advertising. Before disclosing information to a foreign party, an organisation must be satisfied that the party will protect it to a standard comparable to the Act's safeguards.
The key exception is that sending information offshore is not treated as a disclosure under this IPP if the recipient holds it only on the organisation's behalf and does not use it for its own purposes. Cloud storage arrangements are the usual example: the provider stores the data but does not use it.
Note: if you are unclear what this means for your business, ask your cloud service provider how it handles your data and whether it uses it for any purpose of its own.
Recognition of outstanding privacy practice
New awards have been established to encourage exemplary privacy practice. The Privacy Trust Marks, announced in May 2018, endorse specific products, services or processes that show privacy excellence. The award criteria cover design, proactivity, visibility and user-centricity. So far, just five organisations have been awarded a Privacy Trust Mark. The most recent, in June 2020, were the contact tracing app Rippl and TICC's Anti-Money Laundering Customer Due Diligence Online Forms and Portal.
Questions have been raised about the strictness of the criteria. As Edwards told CIO earlier this year “Some jurisdictions in our region are being more open with their trust mark awards, and we may have to look at that standard and see if we have set it a bit too high, whether it would be a useful thing to allow a wider range of agencies to signal their commitment to privacy”.
Cross-country stack up – How does the NZ Privacy Act compare?
By establishing the duty to notify the Commissioner of actual or likely serious-harm breaches, the Privacy Act 2020 in many respects brings New Zealand into line with other countries, including Australia and the members of the European Union.
It is worth noting that the Privacy Act 2020 reforms do not have the same breadth as Europe's General Data Protection Regulation (GDPR). For example, New Zealand organisations are not explicitly required to be transparent about the reasons behind their algorithmic decision-making.
Notably, data portability is not a requirement under the new Act. While customers can request that a company provide them with their own data, organisations are under no obligation to transfer a customer's data to another business. This has implications for network providers, for example: if a customer decides to switch providers, there will be no legal requirement for the original organisation to send data to the new provider. Nor is an organisation obliged to destroy a customer's data after they leave.
Another of the GDPR's most noted features, absent from the Privacy Act 2020, is the 'right to be forgotten', which lets individuals demand that personal data about them, including search-engine links, be erased.
Some have argued that the potential penalties are light-handed compared with the financial penalties handed out by other countries for privacy breaches. In the US, the Federal Trade Commission fined Facebook US$5 billion. In the UK, the Information Commissioner's Office announced its intention to fine British Airways £183 million. This raises the question of whether, if a large-scale breach of a kind not yet seen here were to occur, the law would have the teeth to deal with it fairly.
The future of New Zealand privacy law – up for debate
While it may not transform New Zealand's privacy law as radically as other countries have transformed theirs, the Privacy Act 2020 is undoubtedly a step forward. It sets out non-exhaustive factors businesses should consider when deciding what is likely to cause serious harm, but stops short of actually defining 'serious harm'.
Things will become clearer as cases are decided by the courts and the Tribunal once the Act comes into force. In the meantime, if you are a Kiwi business, you are advised to err on the side of caution when working out what 'serious harm' could cover. You would not want to be caught in the crossfire.
Compliance and Vulnerability
Cloud compliance is the general principle that cloud-delivered systems must meet the same standards that the cloud customer itself is held to. In practice, cloud customers need to look at the security provisions their vendors actually deliver the same way they would look at their own internal security, and work out whether the vendor's services satisfy the compliance requirements they face. There are several ways to go about this. In some cases a company can simply look for vendors that certify compliance with the relevant standard and rely on that certification without further input. In other cases the customer will need to get involved in assessing the cloud vendor's security itself, to confirm that it complies with the applicable industry standards and regulations.