Updated Privacy Act New Zealand
Late last year, the Privacy Act 2020 (NZ) (New Zealand’s revamped privacy legislation) came into effect. This important piece of legislation differs significantly from its earlier iteration, and both businesses operating in New Zealand and those across the pond in Australia should be aware of these differences.
Extraterritorial reach
A primary difference is the clearly articulated extraterritorial scope of application. Because the Act regulates information that is transferred out of New Zealand, overseas businesses (including those based in Australia) will be subject to the privacy obligations set out in the Act.
These obligations include only permitting certain data transfers where the relevant foreign country has privacy laws and safeguards comparable to those enforced in New Zealand.
The scope is also specified to include overseas businesses (such as those based in Australia) that “carry on business” in New Zealand. This is a broad definition and can cover an Australian company without it necessarily having a physical place of business in New Zealand, receiving payment for goods or services, or intending to make a profit in New Zealand.
Reporting obligations
There is also now a positive obligation for businesses to notify the Privacy Commissioner (of New Zealand) and the affected individual or individuals after becoming aware of a notifiable privacy breach. There is some ambiguity as to what qualifies as a “notifiable breach”. The only guidance the legislation provides is that it is one that has caused serious harm to an affected individual or is likely to do so. The legislation lists factors that may be considered in determining whether a privacy breach is likely to cause “serious harm”; however, there is no clear definition.
This notification to the Privacy Commissioner must also be carried out as soon as practicable, and failure to comply carries a fine of up to $10,000 NZD (roughly $9,500 AUD).
This new requirement mirrors similar obligations in Australia and those under the EU’s General Data Protection Regulation framework.
Expanded Commissioner powers
The Privacy Commissioner is now also granted additional powers to investigate any complaints. These include the power to summon a relevant person to be examined under oath or to produce information and documents.
Australian businesses?
Given the legislation has only been in operation for a few months, the full scale of its impact may be difficult to appreciate at this stage. Nevertheless, it is clear that significant ripple effects will be felt by many companies that do business with New Zealand and handle personal information as a result.