NEED FOR STRONGER PROTECTION
The Privacy Bill (Bill) was introduced to Parliament in March 2018. The Bill is intended to update and modernise the current Privacy Act 1993 (Act) and will affect all organisations doing business in NZ that collect, use or hold information on individuals in NZ.
Reform of the Act is long overdue and is needed to reflect and keep pace with the major technological developments that have occurred over the past 27 years, such as the rise of the Internet and new technologies including e-commerce, social media and cloud storage.
NZ also needs more robust regulation of personal information to ensure NZ is in line with the global trend in privacy law reforms, such as Australia’s recent Privacy Act reforms, the OECD Privacy Guidelines and the EU’s General Data Protection Regulation (GDPR).
Unfortunately, the Bill has not gone as far as other reforms that have been adopted overseas, particularly the GDPR and the recent Australian reforms.
While the Bill repeals and replaces the Act, it retains the key privacy principles of the Act. The six key changes to the Act under the current Bill are:
1. Mandatory reporting: Agencies are required to notify the Privacy Commissioner and affected individuals about any privacy breach that has caused, or is likely to cause, serious harm to the affected individuals.
2. Compliance notices: The Commissioner has a new ability to enforce compliance by issuing compliance notices which can be enforced by the Human Rights Review Tribunal.
3. Cross-border transfers: There is a new cross-border disclosure principle which regulates the transfer of personal information outside of NZ.
4. Information collected: There are tighter controls on the information that can be collected – agencies cannot require a person’s identifying information unless it is necessary for the lawful purpose for which they are collecting the information.
5. New offences: There are two new criminal offences: misleading an agency to get someone else’s personal information, and destroying a document that contains personal information knowing it has been requested.
6. Fines increased: Fines for breaches are increased from up to $2k to up to $10k – however, this is a long way off the civil penalties of up to $1 million that the Commissioner recommended.
The Bill passed its second reading in August 2019 and is currently before the Committee of the Whole House. The Bill was intended to come into force on 1 March 2020, but this is now unlikely given progress appears to have stalled.
For further information or to discuss how privacy laws may impact your business, please contact one of the Jackson Russell business lawyers listed.