{"id":4459,"date":"2020-10-29T01:31:10","date_gmt":"2020-10-29T01:31:10","guid":{"rendered":"https:\/\/insight.thomsonreuters.com.au\/legal\/?p=4459"},"modified":"2022-08-03T16:03:41","modified_gmt":"2022-08-03T05:03:41","slug":"new-zealands-2020-privacy-act-lifts-compliance-standard-in-region","status":"publish","type":"post","link":"https:\/\/insight.thomsonreuters.com.au\/legal\/posts\/new-zealands-2020-privacy-act-lifts-compliance-standard-in-region","title":{"rendered":"New Zealand’s 2020 Privacy Act Lifts Compliance Standard in Region"},"content":{"rendered":"\n

From 1 December 2020, the Privacy Act 2020 (NZ) will repeal and replace the current Privacy Act 1993, representing a once-in-a-generation overhaul of New Zealand’s privacy laws. The new Privacy Act 2020 introduces important changes with extraterritorial reach. These include regulating the sending of personal information overseas, New Zealand\u2019s first data breach notification regime, new criminal offences and much more. <\/h4>\n\n\n\n

Whether you are a business operating exclusively in New Zealand, or an Australian business with a presence in New Zealand, the new Privacy Act 2020 (PA 2020) will impact your business as a new era of privacy regulation dawns in New Zealand. Tyrilly Csillag and Andrew McDonald (Practical Law, Australia) caught up with Abigail Milburn (Practical Law, New Zealand) and Louise Sinclair (Practical Law, Australia) to take a closer look at the changes. <\/p>\n\n\n\n

Extraterritorial reach  <\/h2>\n\n\n\n

The extraterritorial impact of the PA 2020 is now expressly stated, meaning that an overseas business or organisation conducting business in New Zealand will be subject to the obligations imposed by the new law (section 4, PA 2020). <\/p>\n\n\n\n

Country’s first mandatory data breach notification regime <\/h2>\n\n\n\n

For the first time, New Zealand businesses will be required to notify the Privacy Commissioner as soon as reasonably practicable after becoming aware that a notifiable privacy breach has occurred (section 114, PA 2020). A notifiable privacy breach broadly means a breach that causes (or is likely to cause) serious harm to an affected individual or individuals (section 112(1), PA 2020).<\/p>\n\n\n\n

\u201cBusinesses operating in New Zealand will have a lot at stake if they fail to update their data breach response plan. Employees and business leadership need to get up to speed now on compliance with the new Privacy Act 2020 as we enter this new phase of data protection.\u201d <\/p>– Abigail Milburn, Senior Writer, New Zealand, Practical Law <\/cite><\/blockquote>\n\n\n\n

Failure to notify the Privacy Commissioner will be an offence that will potentially result in a conviction and fine of up to NZD 10,000, unless there is a reasonable excuse for failing to notify (section 118, PA 2020). <\/p>\n\n\n\n

New Zealand businesses will also need to notify affected individuals as soon as practicable after becoming aware that a notifiable privacy breach has occurred, unless an exception applies (section 115(1), PA 2020).  <\/p>\n\n\n\n

Restrictions on sending personal information outside of New Zealand <\/h2>\n\n\n\n

The PA 2020 introduces new Information Privacy Principle 12<\/em> (IPP 12), which lists circumstances in which an agency may disclose personal information to a foreign person or entity. This includes, for example, where the receiving foreign person or entity is subject to privacy laws comparable to those in New Zealand (paragraph (1)(c) of IPP 12, section 22, PA 2020).<\/p>\n\n\n\n

Criminal offences update<\/h2>\n\n\n\n

New offences with fines of up to NZD 10,000 will be introduced, including the offence of misleading an agency in order to gain access to another person’s personal information (section 212(2)(c), PA 2020), and the offence of a business destroying personal information in response to a request from an individual to seek access to that personal information (section 212(2)(d), PA 2020). <\/p>\n\n\n\n

Other new criminal offences in section 212 include (in summary): <\/p>\n\n\n\n