New Zealand strengthens its data protection law

New Zealand’s Parliament has passed the Privacy Bill, which replaces the 27-year-old Privacy Act of 1993. The Act comes into effect on 1 December 2020.

Privacy Commissioner, John Edwards announced the adoption of the new law on 26 June and said: “I am grateful for the cross-party support of Parliament on this issue. It is an endorsement of the significance of privacy as a universal human right that the Bill was passed with the multi-party support of the House.”

Some of the significant reforms in the Privacy Act include:

  • Mandatory notification of harmful privacy breaches.
  • Organisations that carry out business in New Zealand will have to comply with the law whether or not they have a legal or physical presence in the country. If an international digital platform is carrying on business in New Zealand, with New Zealanders’ personal information, there will be no question that they will be obliged to comply with New Zealand law regardless of where they, or their servers are based.
  • Requirements for international transfers; organisations need to ensure that there is a similar level of privacy protection to that in New Zealand.
  • Introduction of compliance orders. The Commissioner may issue compliance notices to require compliance with the Privacy Act. Failure to follow a compliance notice could result in a fine of up to $10,000.
  • Binding access determinations. If an organisation or business refuses to make personal information available upon request, the Commissioner will have the power to demand release.
  • New criminal offences. It will be an offence to mislead an organisation or business in a way that affects someone’s personal information or to destroy personal information if a request has been made for it. The maximum fine for these offences is $10,000.

See - Privacy Commissioner - Parliament passes modernised Privacy Act