On December 1, 2020, updates to New Zealand's data privacy laws came into force, replacing the previously established 1993 Privacy Act. The new Privacy Act 2020 is a modern adaptation of the previous law and includes amendments that bring about stricter data protection rules that organizations "carrying on business in New Zealand" must follow, even if they don't have a physical presence in the country.
Notable changes include:
- Mandatory data breach notification: a breach must be reported immediately if there is a risk of harm, for example when data is leaked from an organization or public body, used in identity theft, or accidentally posted on the internet.
- New investigative and regulatory powers for the New Zealand Privacy Commissioner.
Any organization that handles, collects, or stores information pertaining to New Zealand citizens must abide by the law, regardless of where the business operates. This includes overseas service providers. Moreover, the transfer of personal information abroad is only allowed if the country to which the data is being sent has privacy laws that are on par with New Zealand’s.
How to report a breach
To comply with the rejuvenated Privacy Act, organizations are expected to employ privacy officers who will be responsible for reporting breaches to the authorities. The New Zealand government has created a ‘NotifyUs’ tool, which is a source of information and a guideline for organizations on whether a breach needs to be reported and how to do so.
Failure to comply with certain provisions of New Zealand’s Privacy Act may be deemed a criminal offense and result in fines of up to 10,000 NZD (approx. 7,000 USD as of Feb 2021). Additionally, individuals as well as classes of individuals who are affected by breaches can issue complaints to the Human Rights Review Tribunal, which may result in damages being awarded to each aggrieved individual.
How does the Privacy Act 2020 compare to other privacy laws?
More and more jurisdictions are beginning to acknowledge data privacy as a human right, and these developments showcase New Zealand’s determination to deploy data privacy laws and standards that are more in line with other global regulations like GDPR in Europe, the Digital Charter Act in Canada, CCPA in the US, and Brazil’s LGPD.
While the New Zealand Privacy Act 2020 is not as onerous as other internationally recognized data privacy standards, it is an indicator that New Zealand is taking a forward-thinking approach to data security and privacy, one that includes components found within the aforementioned data privacy regulations.
The implementation of the Privacy Act should be a reminder for organizations to have the appropriate data security and privacy controls in place to protect data throughout its lifecycle and wherever it resides. Compliance shouldn’t be an afterthought, and neither should data security. Organizations will benefit from adopting data-centric security methods that can provide cross-regulatory compliance.