The Privacy Bill passed the Committee of the Whole House stage in Parliament on 3 June, with the House sitting under urgency. A Supplementary Order Paper (SOP) successfully introduced a number of amendments – most notably, a new commencement date. Once passed by Parliament, the new Privacy Act will come into effect roughly six months from now, on 1 December 2020.
Among other drafting changes, the latest SOP amendments make clear that liability for privacy breach notifications sits with a business or organisation and not individual employees. The updated Act will allow the Human Rights Review Tribunal to award up to $350,000 to each member of a class action, and privacy principle 4 has been clarified, requiring agencies to ensure the way they collect information from children and young people is fair.
The Bill will now undergo a third reading in Parliament before becoming the Privacy Act 2020. The SOP amendments supplement the new provisions already in the Bill, which aim to reflect changes in society since New Zealand’s original privacy legislation was passed in 1993. The key changes in the Privacy Act 2020 are outlined below.
Notifiable privacy breaches
The Privacy Act 2020 will introduce a privacy breach notification regime. If a business or organisation has a privacy breach that it believes has caused (or is likely to cause) serious harm, it will need to notify the Office of the Privacy Commissioner and affected individuals as soon as possible. Under the Act, it is an offence to fail to inform the Privacy Commissioner when there has been a notifiable privacy breach. As noted above, the Act clarifies that liability for breach notifications sits with the business or organisation, and not the individual employees.
It is important to note that not all privacy breaches need to be reported to our office. The threshold for a notifiable breach is ‘serious harm’. This can be assessed by considering, for example, the sensitivity of the information lost, actions taken to reduce the risk of harm, the nature of the harm that could arise, and any other relevant matters.
The Office of the Privacy Commissioner will be launching an online privacy breach notification tool and updated guidance ahead of the new Act to help businesses and organisations with this new requirement.
The Privacy Commissioner will be able to issue compliance notices to businesses or organisations to require them to do something, or stop doing something, in order to comply with the Privacy Act. Compliance notices will describe the steps that the Commissioner considers are required to remedy non-compliance with the Act and will specify a date by which the organisation or business must make the necessary changes.
Enforceable access directions
The Privacy Commissioner will be able to direct agencies to provide individuals access to their personal information. This will allow faster resolution of complaints relating to information access under principle 6. Access directions will be enforceable in the Human Rights Review Tribunal.
Disclosing information overseas
A new privacy principle 12 has been added to the Privacy Act to regulate the way personal information can be sent overseas. Under principle 12, an organisation or business may only disclose personal information to an agency outside of New Zealand if the receiving agency is subject to similar safeguards to those in the Privacy Act.
If a jurisdiction does not offer similar protections, the individual concerned must be fully informed that their information may not be adequately protected and they must expressly authorise the disclosure.
The new Privacy Act now clearly states that it has extraterritorial effect. This means that an overseas business or organisation that is ‘carrying on business’ in New Zealand will be subject to the Act’s privacy obligations, even if it does not have a physical presence here. This will affect businesses located offshore, such as Google and Facebook.
New criminal offences
The Privacy Act 2020 introduces new criminal offences. It will now be an offence to mislead an agency to access someone else’s personal information – for example, impersonating someone in order to access information that you are not entitled to see. It will also be an offence for an organisation or business to destroy personal information, knowing that a request has been made to access it. The penalty for these offences is a fine of up to $10,000.
The new Act retains the privacy principles of the current legislation, with some changes. Principle 1 has been clarified to ensure that businesses and organisations do not collect identifying information from people if it is not necessary. There are new withholding grounds for access requests under principle 6, and the Codes of Practice, such as the Health Information Privacy Code, will be updated in accordance with the provisions in the new Act.