New Zealand modernises information privacy legislation – how will this impact your Australian business?
New Zealand's Privacy Act 2020 (Privacy Act) commenced on 1 November 2020. It levelled up information privacy obligations and introduced a new notifiable privacy breaches scheme.
As with New Zealand's previous 1993 privacy legislation, the new Privacy Act's central tenets are its information privacy principles (IPPs). The IPPs have been modernised and expanded to 13, including a new privacy principle (IPP 12) concerning disclosure of personal information outside of New Zealand.
The new changes bring New Zealand’s privacy framework into closer alignment with internationally recognised privacy obligations.
The Privacy Act applies to organisations who conduct business in New Zealand, regardless of:
This includes organisations who make digital platforms available to individuals in New Zealand, regardless of where the business or its servers are located.
The policy will need to include the appointment of your Privacy Officer, and criteria for assessing whether a data incident is a notifiable privacy breach.
The Privacy Act also introduced an obligation for your business to ensure that an overseas recipient of personal information operates with similar levels of privacy protection to those in New Zealand.
The Privacy Act now includes a mandatory privacy breach notification scheme.
Similar to the Australian notifiable data breaches scheme, not all privacy breaches are notifiable – a breach is reportable only if it creates a likelihood of serious harm for the affected individuals.
If a notifiable privacy breach has occurred, your business will need to notify the New Zealand Privacy Commissioner and the affected individuals.
The main difference between the Australian and New Zealand schemes is the timeframe for assessing and reporting a notifiable breach: "as soon as practicable" in New Zealand, versus 30 days in Australia.
The Privacy Act now provides for increased intervention and enforcement powers, including higher financial penalties of up to $10,000 for a breach of a Commissioner compliance order or destruction of requested documents containing personal information.
While these are not high-value penalties by international standards, they do represent a significant change in the New Zealand privacy regime.
If you would like help in reviewing your privacy documentation or service contracts, or if you have questions about how the new Privacy Act impacts on your Australian business’ activities in New Zealand, please contact our Privacy and Data Protection team.