Discussions around reform of the 1993 Act began as early as 1998. The commencement of the new Act on 1 December 2020 will be a welcome change for many. With a greater reliance on technology in the modern era, the concept of privacy has changed greatly. Information and data are becoming more valuable than ever, and the Privacy Act 2020 strengthens privacy protections by promoting early intervention and enhancing the role of the Privacy Commissioner (Commissioner).
The new Act introduces a number of changes to bring New Zealand’s privacy laws closer to international best practice. Importantly, the Act now has a clear extra-territorial effect and applies to overseas agencies carrying on business in New Zealand. The Act introduces a number of other changes which are discussed below.
New refusal grounds
Under the existing Privacy Act, agencies may refuse to disclose personal information in accordance with the prescribed grounds. This includes, for example, where the information would be an unwarranted disclosure of another person’s affairs or the information is evaluative material.
Although the new Act introduces new grounds for refusal, each ground has a particularly high threshold. The new grounds allow an agency to refuse to disclose information where disclosure would create a serious threat to health or safety, create a significant likelihood of serious harassment, or cause significant distress to a victim of an offence. In essence, the new grounds afford agencies a greater ability to refuse disclosure where it could have a negative effect on a third party.
Notifiable privacy breaches
Agencies are required to notify the Office of the Commissioner as soon as practicable when a privacy breach occurs that causes or is likely to cause serious harm. This is termed a ‘notifiable privacy breach’ under the Act and brings New Zealand more in line with international best practice.
The Act sets out a non-exhaustive list of considerations an agency must have regard to when determining whether a privacy breach is likely to cause serious harm. Helpfully, the Commissioner has recently released a new online tool, NotifyUs, which guides agencies through a number of questions to determine whether a breach is notifiable. The tool does not ask for any information which could identify the user; it merely provides a platform for assessing whether a breach is notifiable.
If a notifiable privacy breach occurs, the agency must also notify the affected individual(s) as soon as practicable. If it is not reasonably practicable for the agency to notify an affected individual, or to notify each member of a group of affected individuals, the agency must give public notice of the breach. Failing to notify affected individuals through either of these means can amount to an interference with privacy under the Act.
An agency may be exempt from notifying affected individual(s) or may be permitted to delay public notification in certain circumstances. It is important to note that this does not affect the agency’s obligation to notify the Office of the Commissioner.
Among other things, an agency may delay notification or public notice if it believes, on reasonable grounds, that notification or notice would create risks for the security of personal information held by the agency, and that those risks outweigh the benefits of informing the affected individuals. This includes circumstances where the notification or public notice could risk increasing the number of affected individuals. In such circumstances, an agency may delay notification only for the period during which the risks outweigh those benefits.
It is an offence to fail, without reasonable excuse, to notify the Office of the Commissioner of a notifiable privacy breach. An agency convicted of this offence is liable to a fine not exceeding $10,000. However, the Act expressly recognises that it is a defence to a charge of failing to notify the Office of the Commissioner if the agency did not consider the privacy breach to be a notifiable privacy breach, provided it was reasonable to take that view in the circumstances.
Increased powers for the Privacy Commissioner
The new Act provides the Commissioner with an increased ability to enforce compliance with the Act. This includes the ability to issue compliance notices to agencies that interfere with privacy or otherwise breach the Act. A compliance notice can require an agency to take, or refrain from taking, an action, and can be issued at any time, including concurrently with the Commissioner using other means of addressing breaches under the Act.
A compliance notice will describe the steps that the Commissioner considers are required to remedy non-compliance and will specify a date by which the agency must make the necessary changes. The Commissioner may publish the details of a compliance notice if the Commissioner believes it is desirable to do so in the public interest.
The Commissioner will also be able to direct agencies to provide individuals with access to their personal information. This will allow faster resolution of complaints relating to access to personal information.
If an agency does not comply with the direction, the individual may apply to the Human Rights Review Tribunal for an access order. The failure to comply with an access order without reasonable excuse could lead to a fine of up to $10,000.
Controls on the disclosure of information overseas
One of the more significant changes in the new Act is the introduction of information privacy principle (IPP) 12 – Disclosure of personal information outside New Zealand. This principle regulates the way that personal information is sent overseas and sets out controls on doing so.
The purpose of IPP 12 is to ensure that an agency discloses personal information to a foreign agency only if that foreign agency is subject to safeguards comparable to those in the Act. If the foreign agency is not subject to comparable safeguards, the individual concerned must be advised that their personal information may not be adequately protected, and must then consent to the disclosure.
Importantly, the use of foreign data storage providers or processors will not be considered a “use or disclosure” under the Act, unless that foreign provider uses or discloses the information for its own purposes. This is an important exception, given that major storage providers do not have datacentres in New Zealand.
Practically, agencies may ensure that foreign agencies are subject to comparable safeguards through contract. The Commissioner has produced model contract clauses designed to assist agencies to comply with IPP 12.
In producing these model clauses, the Commissioner considered the recent decision of the European Court of Justice in Data Protection Commissioner v Facebook Ireland and Max Schrems. This case considered the international transfer of data between the EU and the USA under the agreed ‘Privacy Shield’. Notably, the Court considered that programmes enabling access by US authorities to personal data transferred from the EU for national security purposes meant that there was a lack of equivalent protection in the USA.
The Court also looked at the transfer of personal data under contract. The Court emphasised the parties’ obligation to verify whether the contractual obligations could be performed without impediment and, if not, to explore additional contractual measures.
While this case does not affect the transfer of personal information between New Zealand and the EU (as New Zealand is covered by an adequacy decision), it does serve to highlight potential considerations when disclosing information offshore and determining whether a foreign agency is subject to comparable safeguards.
New criminal offences and penalties
The Act creates new criminal offences and increases the maximum fines under the Act. Specifically, the Act makes it an offence to:
(a) Mislead an agency to obtain access to someone else’s personal information; and
(b) Destroy a document which is subject to an information request.
On conviction, an agency could be liable for a fine not exceeding $10,000. While the Act increases the maximum fine from the current maximum penalty of $2,000, this is still a drop in the ocean compared with potential fines under legislation in other jurisdictions. For example, the maximum fine under Australian privacy laws is $2 million, and €20 million under the General Data Protection Regulation.
Certainly, many submissions for the Privacy Bill expressed the desire to significantly increase the maximum fines under the new Act. The Commissioner’s own submission was to create a civil fine for serious or sustained breaches of the Act which carried a maximum penalty of $1 million.
The traditionally low fines under the Privacy Act 1993 have seen it described as a “toothless tiger”. Submissions for increased penalties under the new Act were largely based on the desire to incentivise compliance with the Act and create a pyramid of regulatory response.
The Act also allows representatives other than the Director of Human Rights Proceedings to bring a claim in the Human Rights Review Tribunal on behalf of a class of aggrieved individuals who have been affected by a breach of privacy. The Tribunal can award damages up to a maximum of $350,000 for each aggrieved individual.
Preparing for the new Act
Businesses and organisations should ensure they are prepared for these changes and are familiar with the new reporting obligations. To do so, they should consider staff training; creating and updating policies and procedures for identifying, assessing and reporting breaches of the Act; and reviewing contractual arrangements with third-party data holders.
The cost for non-compliance under the Act has increased and agencies should have in place policies and procedures to minimise exposure. Regardless of how many teeth the new Act has, businesses and organisations should ensure that they are not bitten.