Insights

New Zealand's privacy law has changed - a global comparison

Legal Development 8 December 2020 8 December 2020
Asia Pacific, UK & Europe
Cyber Risk

What happened?

On 1 December 2020, the long anticipated Privacy Act 2020 (Privacy Act) came into force in New Zealand. The Privacy Act significantly enhances New Zealand's privacy regime and sees the introduction of additional privacy obligations and compliance requirements. The extraterritorial scope of the Privacy Act is an issue relevant for all organisations operating in New Zealand, regardless of where they are headquartered.

What's new?

Key changes include the following:

Extraterritorial scope – the Privacy Act clarifies that foreign organisations who "carry on business" in New Zealand will be subject to the Privacy Act in the same way that New Zealand based organisations are. Importantly, the definition of "carry on business" is broad. For example, this means organisations do not need to have a physical presence in New Zealand in order to be subject to the obligations imposed under the Privacy Act.

Mandatory data breach reporting – in line with global trends, the Privacy Act enforces a mandatory obligation for entities to notify the regulator and affected individuals where a notifiable privacy breach occurs (the triggers for notification are discussed in greater detail, below).

Restrictions on overseas transfers – the Privacy Act restricts the transfer of personal information outside of New Zealand unless certain requirements are met. For example, Information Privacy Principle (IPP) 12 sets out that organisations are restricted from disclosing personal information outside of New Zealand unless the receiving organisation is subject to safeguards comparable to those set out in the Privacy Act.

Criminal Offences – the Privacy Act introduces new offences and fines where obligations under the Privacy Act are not complied with. For example, where misleading statements are made about how personal information will be handled. Unlike the massive penalty regimes privacy laws have imposed in Australia and the European Union (EU), the maximum fine for offences under New Zealand's Privacy Act is NZD$10,000; and

Regulatory powers – the New Zealand Office of the Privacy Commissioner (OPC) will also be able to issue compliance notices if the OPC believes agencies are not complying with the obligations of the Privacy Act. These compliance notices are issued to require them to do something, or cease doing something, in order to comply with the Privacy Act.

What is considered to be a data breach in New Zealand and how does it compare to other jurisdictions?

Similar to the existing Australian and EU privacy regimes, the Privacy Act introduces an obligation on organisations to notify the OPC and affected individuals if a privacy breach has caused (or is likely to cause) serious harm to those individuals.

The difference, however, that makes this new scheme in New Zealand stand out from the rest, is the way that the Act defines a "privacy breach".

The existing Australian and EU counterparts generally refer to unauthorised access, disclosure or loss of personal information. However, the Privacy Act goes one step further to include an action that prevents the agency from "accessing the information on either a temporary or permanent basis". This will automatically bring ransomware incidents within the definition of "privacy breach" where under the existing Australian and EU regimes, further investigation is required to assess whether there has been access to or exfiltration of personal information as a result of that ransomware event.

These changes are a big shift from the previous voluntary reporting scheme that operated in New Zealand. Organisations will need to consider what steps and expertise it has in place in order to identify, respond and manage data breaches. Our specialist cyber team (see contact details below) are available to have a chat with you to discuss these steps, or to advise on any breach (or potential breach) more generally.

The Privacy Act compared

To summarise the similarities and key differences between the Australian, EU and New Zealand privacy regimes, below is a comparative snapshot of some of the key elements of each regime.

	New Zealand - Privacy Act 2020	Australia - Privacy Act 1988 (Cth)	European Union - General Data Protection Regulation (GDPR)
Who regulates these laws?	The Office of the Privacy Commissioner.	The Office of the Australian Information Commissioner.	The application of the GDPR is monitored by the relevant "supervisory authority" in each EU (and European Economic Area) member state. For example, the United Kingdom's Information Commissioner's Office.
Who do these laws apply to?	Agencies, being any public or private sector organisation. Some exceptions exist, including for news media while gathering and reporting news.	APP entities, being agencies or an organisation with an annual turnover of more than AUD 3 million, or which fall under the Privacy Act because of the type of services provided (e.g. health services).	Data controllers, being any natural or legal person, public authority, agency or other body which determines the purposes and means of processing personal data; and Data processors, which process personal data on behalf of the controller.
Do these laws apply outside the country or jurisdiction's borders?	The Act applies to New Zealand agencies regardless of where the information is collected or held; and overseas agencies collecting and holding personal information during the course of carrying on business in New Zealand.	The Act applies to organisations: incorporated in Australia; or organisations or operators that carry on business in Australia and collect or hold personal information in Australia i.e. where there is an "Australian link" (this is a similar concept to the "carrying on business" requirement in the NZ Privacy Act).	The GDPR applies to controllers which: are established within the EU; are not established in the EU but which offer goods or services to individuals based within the EU; or are not established in the EU but which monitor the behaviour of individuals in the EU.
What rights do individuals have?	Individuals rights generally include the right to: access their personal information; or have their data corrected (which may be made by way of a deletion), rectification, or update).	Individuals rights generally include the right to: access their personal information; or have their data corrected (which may be made by way of a deletion), rectification, or update).	Individuals rights generally include the right to: be informed about the processing of their personal data; access their personal data; have their personal data corrected; have their data erased; have their personal data ported to a third party; restrict the use of their personal data; or object to the use or their personal data.
What amounts to a reportable data breach?	A notifiable privacy breach occurs when there is an: unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information; or an action that prevents the agency from accessing the information on either a temporary or permanent basis; and it is reasonable to believe that this will cause serious harm (or is likely to cause serious harm).	An eligible data breach occurs where there is an: unauthorised access to, unauthorised disclosure of, or loss of, personal data held by an entity; and the relevant entity has reasonable grounds to believe that the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.	A breach of security leading to: the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed; and the breach is likely to result in a risk to the rights and freedoms of the individuals concerned.
Reporting timeline	Agencies must notify the Privacy Commissioner as soon as practicable after becoming aware that a notifiable privacy breach has occurred.	APP entities have up to 30 days to carry out a reasonable and expeditious assessment (subject to some exceptions). Once an organisation determines that the breach is notifiable, the entity must notify the OAIC and individuals as soon as practicable (this is separate to the obligation to complete the assessment within the 30 days).	Controllers must notify the relevant supervising authority without undue delay and where feasible within 72 hours from awareness of the personal data breach. While there is no prescribed timeline for notifying individuals (in high risk cases). However, the notification must be made without undue delay.
Maximum penalty	NZD$10,000.	AUD$2.1 million (this is currently under review).	The higher of either: €20 million; or 4% of the organisation's total worldwide annual turnover of the preceding financial year.

What do you need to do?

Organisations currently operating in New Zealand (or with plans to enter the market) must have an understanding of the Privacy Act and the impact that its obligations may have on their operations.

This includes mapping key data assets and implementing processes to maintain compliance and respond to a security incident or a privacy breach.

How we can help?

Clyde & Co has the largest cyber incident response practice in Australia and New Zealand and works with our global offices to provide a full incident response service.

Our specialist team have dealt with a number of the largest and most complex incidents in Asia Pacific region to date. This includes advising on 1,000+ data breach, ransomware and cyber related incidents impacting a wide range of industries.

Our team provides expert advice on how to identify compliance risks, navigate the crisis response and respond to data protection issues across the full cyber incident lifecycle. This includes advising on:

incident response management and vendor coordination;
ransomware response and recovery;
extortion negotiations and threat intelligence;
payment misdirection fraud, funds tracing and funds recovery;
email and social media account takeover response;
communications strategy and stakeholder management;
data breach assessment and notification, including coordination of global and multi-party data breaches across 100+ jurisdictions;
e-safety, image based abuse and cyber bullying;
regulatory response, including dealing with the OAIC, NZOPC, ASIC, APRA, the ACCC and other regulators across 50+ jurisdictions;
third party disputes;
recovery litigation against wrongdoers; and
class action risk relating to privacy breaches (an evolving space).