On 1 December 2020, the long-anticipated Privacy Act 2020 (Privacy Act) came into force in New Zealand. The Privacy Act significantly enhances New Zealand's privacy regime and introduces additional privacy obligations and compliance requirements. The extraterritorial scope of the Privacy Act is relevant for all organisations operating in New Zealand, regardless of where they are headquartered.
Key changes include the following:
Similar to the existing Australian and EU privacy regimes, the Privacy Act introduces an obligation on organisations to notify the Office of the Privacy Commissioner (OPC) and affected individuals if a privacy breach has caused (or is likely to cause) serious harm to those individuals.
What makes the New Zealand scheme stand out from the rest, however, is the way the Act defines a "privacy breach".
The existing Australian and EU counterparts generally refer to unauthorised access to, disclosure of or loss of personal information. The Privacy Act goes one step further and also includes an action that prevents the agency from "accessing the information on either a temporary or permanent basis". This automatically brings ransomware incidents within the definition of "privacy breach", whereas under the existing Australian and EU regimes further investigation is required to assess whether personal information was accessed or exfiltrated as a result of the ransomware event.
These changes are a big shift from the previous voluntary reporting scheme that operated in New Zealand. Organisations will need to consider what steps and expertise they have in place to identify, respond to and manage data breaches. Our specialist cyber team (see contact details below) is available to discuss these steps with you, or to advise on any breach (or potential breach) more generally.
To summarise the similarities and key differences between the Australian, EU and New Zealand privacy regimes, below is a comparative snapshot of some of the key elements of each regime.
| | New Zealand | Australia | European Union |
| --- | --- | --- | --- |
| Who regulates these laws? | The Office of the Privacy Commissioner. | The Office of the Australian Information Commissioner. | The application of the GDPR is monitored by the relevant "supervisory authority" in each EU (and European Economic Area) member state, for example the United Kingdom's Information Commissioner's Office. |
| Who do these laws apply to? | Agencies, being any public or private sector organisation. Some exceptions exist, including for news media while gathering and reporting news. | APP entities, being agencies or organisations with an annual turnover of more than AUD 3 million, or which fall under the Privacy Act because of the type of services provided (e.g. health services). | Data controllers, being any natural or legal person, public authority, agency or other body which determines the purposes and means of processing personal data; and data processors, which process personal data on behalf of the controller. |
| Do these laws apply outside the country or jurisdiction's borders? | | The Act applies to organisations: | The GDPR applies to controllers which: |
| What rights do individuals have? | Individuals' rights generally include the right to: | Individuals' rights generally include the right to: | Individuals' rights generally include the right to: |
| What amounts to a reportable data breach? | A notifiable privacy breach occurs when there is an: | An eligible data breach occurs where there is an: | A breach of security leading to: |
| Reporting timeline | Agencies must notify the Privacy Commissioner as soon as practicable after becoming aware that a notifiable privacy breach has occurred. | APP entities have up to 30 days to carry out a reasonable and expeditious assessment (subject to some exceptions). Once an organisation determines that the breach is notifiable, the entity must notify the OAIC and individuals as soon as practicable (this is separate from the obligation to complete the assessment within the 30 days). | Controllers must notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the personal data breach. There is no prescribed timeline for notifying individuals (required in high-risk cases), but that notification must also be made without undue delay. |
| Maximum penalty | NZD 10,000. | AUD 2.1 million (currently under review). | The higher of either: |
Organisations currently operating in New Zealand (or with plans to enter the market) must have an understanding of the Privacy Act and the impact that its obligations may have on their operations.
This includes mapping key data assets and implementing processes to maintain compliance and respond to a security incident or a privacy breach.
Clyde & Co has the largest cyber incident response practice in Australia and New Zealand and works with our global offices to provide a full incident response service.
Our specialist team has dealt with a number of the largest and most complex incidents in the Asia Pacific region to date. This includes advising on 1,000+ data breach, ransomware and cyber-related incidents impacting a wide range of industries.
Our team provides expert advice on how to identify compliance risks, navigate the crisis response and respond to data protection issues across the full cyber incident lifecycle. This includes advising on:
Our 24-hour cyber incident response hotline and email allow you to reach our team directly around the clock. For more information, contact us on:
Australia: + 61 2 9210 4464
New Zealand: 0800 527 508