The changes to The Privacy Act 1993 with the new Privacy Act 2020

An introduction to the Privacy Act 2020 with John Edwards, New Zealand’s Privacy Commissioner, and Joanna Hayward, the General Counsel

The key drivers for reform:

Multiple tweaks and adjustments have been suggested to the legislation since its inception in 1993 (the Privacy Act 1993)

2011: Law Commission Report issued proposing a series of amendments and new policy initiatives in order to modernise the 1993 Act and make it fit for purpose

Why? What is missing from the current Act?

  • Increasing digital economy and an increasing globalisation of the data economy
  • Local and international data businesses (whether large or small) require use of personal information
  • There are whole businesses locally and internationally providing goods and services in exchange for personal information
  • This has the potential to leave individuals exposed

The principle-based approach remains, as the current legislation’s fundamental principles remain sound

Enforcement mechanisms need to be more muscular – the current model is restorative, with no power to enforce the Privacy Act in its current form. This will change with the new legislation – there will be real remedies when things go wrong

Requirement for agencies that lose control of information and cause a privacy breach → inform the Office of the Privacy Commissioner as well as the individual whose personal information has been disclosed (i.e. a mandatory privacy breach notification)

  • this restores control to the individual; enables them to do what they need to do to keep their data safe
  • compliance notices can be issued by the Office of the PC
  • every New Zealander can request access to their personal information, whichever agency is holding that data (bank, doctor, etc.) (i.e. a mandatory disclosure requirement)
  • when personal information is misused, this will become a criminal offence
  • the right to access one's own personal information is underscored by an agency committing a criminal offence where it destroys personal information held
  • if a business is carrying on business with NZ, it will be subject to the NZ Privacy Act 2020
  • rising tide with privacy regulation around the world (GDPR)
  • federal privacy law in the US (prompted by California)
  • NZ is increasing its level of protection and catching up with our international partners – an international uniformity is emerging