By Andrew Comer, James Cochrane & Olga Garin – Stace Hammond (stacehammond.co.nz)
The Privacy Act 2020 (“Act”) will come into force on 1 December 2020.
The Act’s content is a mix of old and new and will impact organisations (i.e. ‘agencies’) that collect, store and use personal information.
The Act reflects recent foreign legislative measures, particularly in Australia, the United States and the European Union, to revisit and strengthen data protection laws. Once in force, New Zealand and Australia’s privacy laws will be closely aligned; both will have a mandatory reporting regime for serious privacy breaches. The Act falls short, however, of aligning our privacy laws with those of the United States and the European Union. The California Consumer Privacy Act (US) and the General Data Protection Regulation (EU), for example, give individuals ‘erasure’ and ‘portability’ rights – that is, the right to have personal information deleted (which is discussed in further detail below) and the right to have information transferred between agencies. Most of the foreign legislation also has substantial penalties in place for breaches of that legislation.
In this article, we take a quick look at some of the key changes under the Act and what you can do to prepare for them.
For completeness, and in light of the current global health crisis, we also look at COVID-19 and its implications for privacy rights under the current Privacy Act.
The most significant change under the Act is the mandatory obligation on agencies to report a ‘notifiable privacy breach’.
A ‘notifiable privacy breach’ is a breach that has caused (or could cause) ‘serious harm’ to an individual.
In deciding whether a privacy breach could cause ‘serious harm’, an agency must consider certain factors. They include the information security measures in place, the nature of the information disclosed, the nature of the harm, who the information was disclosed to and the steps taken to minimise the risk of harm. (To illustrate, contrast the unauthorised disclosure of a person’s sensitive medical information, with the unauthorised disclosure of a person’s email address. If, for example, the disclosure was in a widely-read publication, arguably the former disclosure would be a ‘notifiable privacy breach’, whereas the latter would likely not be. However, would the assessment made in the first example be the same if the disclosure was localised and resolved immediately?)
Agencies must notify the affected individual(s) and the Privacy Commissioner of the breach. Failure to do so is an offence, punishable by a fine of up to $10,000.
The Act applies to overseas agencies ‘carrying on business in New Zealand’.
This is the case, regardless of where the personal information is collected or held, where the individual concerned is located, whether or not the agency has a physical place of business in New Zealand, whether or not the agency supplies goods or services for payment, or whether the agency intends to profit from its business in New Zealand.
This means that overseas companies, without domicile in New Zealand but which do business here (e.g. Google LLC, Facebook, Inc.), can no longer say New Zealand’s privacy laws don’t apply to them. (Whether this will have any real impact though is questionable. This is because the Act says an agency won’t breach the Act if its actions are authorised, or required, by foreign law. However, those companies can still question how such jurisdiction would be enforced, as a New Zealand court will have little ability to enforce decisions against non-New Zealand companies.)
Agencies will only be allowed to disclose personal information outside New Zealand in specific circumstances.
They include where: (i) the individual authorises disclosure, after being ‘expressly informed’ the recipient might be subject to a lesser standard of protection required under the Act; or (ii) the recipient is carrying on business in New Zealand and the agency reasonably believes the recipient is subject to the Act; or (iii) the agency reasonably believes the recipient is subject to privacy laws with comparable safeguards to those in the Act; or (iv) the agency reasonably believes the recipient is either a participant in an internationally recognised privacy protection scheme, is subject to privacy laws of a country specified in regulations, or is otherwise required to protect the information in a manner with comparable safeguards to those in the Act.
The Act makes it clear that if an ‘agent’ holds information on an agency’s behalf (e.g. for safe custody or processing), the agency will still be the one accountable to individuals. It’s irrelevant if the agent is outside New Zealand or holds the information outside New Zealand (e.g. an ‘agent’ will include a ’cloud’-based service provider).
If, however, the agent uses or discloses the information for its own purposes, the agent will then also be accountable to affected individuals.
The Privacy Commissioner will have an expanded set of enforcement powers.
It will be able to issue ‘compliance notices’ to agencies it considers are in breach of the Act. If the Commissioner exercises this power, it has to publish the offending agency’s identity and details of the compliance notice (unless that would cause undue hardship to the agency).
The Commissioner will also have new powers regarding information access requests by individuals – if an agency has refused a request by an individual for information, the Commissioner can demand release of that information. This will hopefully provide more teeth to the current regime, whereby the Commissioner can only issue a letter for the complainant to present to the Human Rights Tribunal.
The Act also creates new criminal offences. These include:
The maximum fine for these offences under the Act is $10,000, up from the current maximum of $2,000.
Interestingly, penalties under the Act are still significantly lower than in jurisdictions such as Australia (where the maximum fine is AUD $1m) and Europe (where fines are capped at the greater of either €20 million or 4% of the annual worldwide turnover of the previous financial year).
It is also worth considering that the offences are based around the after-events of a breach (i.e. notifications or refusing access to personal information). There is no offence for the act of breaching someone’s privacy, though remedies for that may be possible in tort.
Some jurisdictions have a right allowing for a person’s privacy to be further protected through the removal of their identity from online Internet searches. The most notable example of this is in Europe, where Google has removed millions of web pages at the request of hundreds of thousands of online users. The issue with this, though, is that such requests only extend as far as the local territorial jurisdiction, so any impact on privacy is regional and not global.
The Act doesn’t include these rights for individuals in New Zealand. There has been commentary within our courts that such a right should be part of New Zealand’s common law and / or the Privacy Act. However, despite this, such rights, should they be enforced, may be in conflict with other legislation, such as section 14 of the New Zealand Bill of Rights removing the media’s right to publish court decisions. Similarly it could be used to remove criticism online. This would be a fundamental change to one of the established rights and freedoms long enjoyed in this country; the right to freedom of expression.
We recommend you take the following steps now to help ensure you comply with the Act, when it becomes law:
It is worth noting, in the current climate, the implications of COVID-19 on privacy rights under the current Privacy Act.
Questions have been raised as to whether an employer can alert staff to another staff member’s health status (i.e. whether that other staff member has contracted COVID-19).
While individual privacy is protected under the Privacy Act, there are some exclusions. For instance, Information Privacy Principle 10(1)(d) in the Privacy Act says:
“An agency that holds personal information that was obtained in connection with one purpose shall not use the information for any other purpose unless the agency believes, on reasonable grounds,—
(d) that the use of the information for that other purpose is necessary to prevent or lessen a serious threat (as defined in section 2(1)) to—
(i) public health or public safety; or
(ii) the life or health of the individual concerned or another individual; or
If an employer is aware that one of its employees has contracted an infectious disease, and that by notifying other staff they will prevent or lessen a threat to their health, then the individual’s privacy rights may be overlooked. This should be approached with care and caution, and the extent of the information being disclosed should be limited to just those people whose health may be at threat. Ideally, in the current climate, such infected staff will be isolated, but any staff members, client or third parties, who have had contact with them should be contacted, and the infection disclosed, without it amounting to a breach of the Privacy Act. Each particular case will turn on its facts so it is important to seek specific legal advice.
The above overview has been provided for general information purposes only. It is not, nor is it intended to be treated as, legal advice, or an exhaustive list of all changes under the new Privacy Act 2020 or how you should prepare for such changes, and is subject to change without notice.