March 15, 2019

You’ve been breached: New Zealand’s new privacy landscape

In a world of strengthening privacy laws and obligations, New Zealand has so far dodged an update to its privacy legislation – until now.

The Privacy Bill is set to overhaul New Zealand's privacy landscape.

The Justice Committee, one of the New Zealand Parliament's 12 subject-specific committees which examine and report on policy and proposed new laws, has published its final report on the Privacy Bill. If (and when) the Bill is passed into law, it will repeal and replace New Zealand's existing Privacy Act 1993.

To put the 1993 Act into perspective, it is a piece of legislation that was enacted a year before the first Presidential email exchange between President Bill Clinton and the Prime Minister of Sweden took place in 1994. It is safe to say that for world leaders, and those that elect them, emails are now part of everyday life – and they are one piece of the technology puzzle when it comes to modern privacy legislation.

This article is part of a series of Clyde & Co publications which set out a summary of the Justice Committee's final report, including the ways in which the Privacy Bill will overhaul New Zealand's privacy landscape.

A summary of the Committee’s Recommendations

Key takeaway

The Privacy Bill will introduce a 'notifiable privacy breach' scheme to New Zealand – similar to those now in place in Australia and the UK/EU. This is widely supported by the Justice Committee. While the Bill does not match the reach of Europe's stringent GDPR regulations, it will result in a vastly different privacy environment.

Who does it apply to?

The Justice Committee insisted that the Bill should clarify whether and when it would apply to agencies outside New Zealand. As such, the Committee recommended a new clause setting out that the Bill should apply to the actions taken by and all personal information collected or held by:

  1. New Zealand agencies, both inside and outside New Zealand; and

  2. Overseas agencies carrying on business in New Zealand, regardless of where the personal information is held.

This is significant, as the Privacy Bill is likely to apply beyond the shores of New Zealand.

Additional significant recommendations

The Committee also made several significant recommendations relating to the Bill, some of which include:

  • revising the definition of ‘notifiable privacy breach’ to set a higher threshold that includes a test for serious harm. This mirrors the current Australian test for an 'eligible data breach';

  • widening the definition of ‘news activity’. The Committee proposes that TVNZ and RNZ should be covered by the news media exemption while undertaking news activities, and that emerging forms of news media published on the Internet, such as blogging, are also captured by this exemption;

  • ensuring that, in circumstances where information is stored or processed by one agency on behalf of another - such as in the case of cloud providers - both agencies are held accountable in any privacy incident; and

  • amending Information Privacy Principle 1 - the purpose for collection of personal information - so that agencies may not collect by default a person’s identifying information unless it is necessary for the lawful purpose for which the information is collected.

The Human Rights Review Tribunal looks set to remain the battle ground for issues arising out of the Privacy Bill.

The Justice Committee's full report on the Privacy Bill can be accessed here.

Recommendations Still Sought by the Privacy Commissioner

While certain proposed amendments sought by the Privacy Commissioner, John Edwards, have been left out, the Commissioner welcomed the report as addressing 'some of the most pressing aspects of the modern digital economy'. Specifically:

  1. As the Bill currently stands, the main incentive for compliance is the reputational harm and public embarrassment faced by individuals and organisations that contravene the Bill. The Commissioner has advocated for civil penalties of up to NZD 100,000 for individuals and up to NZD 1 million for organisations in matters of serious breaches. However, even after the Select Committee’s recommendations, the most significant fines introduced by the Bill do not exceed NZD 10,000.

  2. The Commissioner has historically advocated for a consumer right to data portability - being the ability to demand the transfer of personal information from one online provider to another - such as is enshrined in Article 20 of the EU General Data Protection Regulation. However, in its current form, the Bill does not create this right.

How might this impact businesses?

The Bill will apply to New Zealand and overseas businesses. Notably, the Commissioner may soon have the authority to make effective findings and impose fines against major multinational corporations operating in New Zealand.

Further, the higher threshold for a ‘notifiable privacy breach’ ensures that businesses will only have to notify the Commissioner and affected persons if the breach causes, or is likely to cause, serious harm. This is expected to reduce over-notification to the Privacy Commissioner and individuals, which should provide some comfort to New Zealand and overseas agencies concerned about strict reporting obligations.

Where to from here?

The Justice Committee's recommendations will now be subject to a second and third reading in Parliament, with further amendments possible before the Bill passes into law. As such, there is still the possibility that the prescribed obligations and penalties under this drafting of the Bill will see change in the coming months.

In any event, the Privacy Bill is expected to pass into law by the end of 2019 and we anticipate an increase in privacy-related issues and claims for New Zealand companies, and overseas companies who operate in and do business with New Zealand.

How can we help?

With the largest dedicated and rapidly expanding cyber incident response practice in Australia and New Zealand, our experienced team has dealt with over 500 data breach and cyber-related incidents in recent times, including a number of the largest incidents in Asia Pacific to date.

From pre-incident readiness and breach response through to assistance with regulatory investigations and proceedings, as well as recoveries, we're a one-stop shop for assisting clients in New Zealand across the full cyber lifecycle.

You can contact our dedicated cyber incident response team via our 24-hour hotline or email:
