A new Privacy Bill – what does this mean?
On 20 March, the Government introduced a new Privacy Bill into the House of Representatives, intended to repeal and replace the existing Privacy Act 1993.
The current Privacy Act 1993 has been under consideration for the last 20 years, starting with the release of the Privacy Commissioner's statutory review of the operation of the Act in 1998, followed by the Law Commission's comprehensive review between 2008 and 2011, and the Government's response to the review in 2014. In that time, there have been rapid changes to the way we use personal information: the rise of the Internet, the creation of a digital economy and the utilisation of "big data". There have also been significant changes in the international privacy law sphere, including more recently the adoption of the EU General Data Protection Regulation in Europe.
The new Privacy Bill retains the existing Act's privacy principles and complaints system, but if enacted in its current form would introduce some significant changes, including:
- Mandatory reporting of privacy breaches: agencies would be required to notify the Privacy Commissioner and those affected of privacy breaches that pose a risk of harm as soon as practicable after the agency becomes aware of the breach. The harm threshold for notification is relatively low – not only does it include actual or potential loss or injury to the individual, but also actual or potential significant emotional distress. Notification is subject to some exceptions, including if notification would prejudice the maintenance of law or reveal a trade secret. Failing to notify the Privacy Commissioner would see the agency liable for a fine of up to $10,000.
- Compliance notices: the Privacy Commissioner could issue compliance notices that require an agency to do, or stop doing, something, in order to remedy a breach. However, compliance notices cannot be issued to require an agency to demonstrate its ongoing compliance with the Privacy Act, which was a recommendation the Privacy Commissioner made in February of this year.
- Strengthening cross-border protections: changes to Information Privacy Principle 11 (limits on disclosure of personal information) impose additional obligations on agencies disclosing personal information to overseas persons. Disclosure will now generally only be permissible if the individual consents, the overseas person is required to protect the information in a way comparable to New Zealand legislation, or the overseas person is in a country with comparable privacy legislation to New Zealand legislation.
- Access requests: the Privacy Commissioner will be able to require agencies to make information requested by an individual available, rather than the individual needing to take the matter to the Human Rights Review Tribunal.
- Information gathering powers: during investigations, the Privacy Commissioner would be able to impose a time limit for the provision of information.
- New criminal offences: the Bill introduces new offences for misleading an agency in a way that affects someone else's information, and for knowingly destroying documents that contain personal information that is subject to an information request (with the penalty for these new offences, and existing offences in the Privacy Act, being a fine not exceeding $10,000, up from the current $2,000).
Also of note are some of the potential changes that have not been included:
- Changes to reflect the introduction of the EU General Data Protection Regulation: the Privacy Commissioner has been a proponent of a few features of this Regulation, such as a right to data portability (the ability for an individual to move information easily between agencies). This has not been picked up in the current Bill but we expect to see it being a topic of discussion during the Select Committee process.
- Penalties for serious breach: although the Privacy Commissioner has welcomed the proposed changes set out in the Bill, he has specifically reiterated his preference for the introduction of fines of up to $1 million for organisations, and $100,000 for individuals who seriously breach their obligations under the Privacy Act – a position he has advocated in previous reports made to the Government in November 2017 and February 2018. You can read his full response here – again, we expect to see this being raised by the Privacy Commissioner during the Select Committee process.
The full text of the Bill can be accessed here.
As this is the first iteration, it is likely to change once submissions have been received from interested parties – particularly from the Privacy Commissioner, who has indicated that given the Bill relied heavily on the Law Commission's report from 2011, there are more changes to be made as the world has moved on since then. There will be plenty of discussion about the Bill, especially once submissions are opened up, and we will watch the progression of this Bill with interest.
This publication is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.