On 1 December 2020, the Privacy Act 2020 came into force in New Zealand. The new Privacy Act significantly enhances New Zealand’s privacy laws and sees the introduction of additional obligations and compliance requirements. In particular, the extraterritorial scope of the Privacy Act means that overseas businesses or organisations ‘carrying on business’ in New Zealand will be subject to the Act’s privacy obligations, even if they do not have a physical presence in New Zealand. This will particularly affect online businesses.
The changes to New Zealand’s privacy laws have brought the New Zealand and Australian laws more in line with each other and closer to the EU’s General Data Protection Regulation (GDPR).
The New Zealand Privacy Act now includes a new privacy principle (IPP 12) in relation to disclosure of personal information overseas which is similar to the Australian Privacy Principle 8. In both jurisdictions the Privacy Act restricts the transfer of personal information overseas without the individual’s express consent unless certain requirements are met. For example, the overseas receiving organisation must be subject to safeguards comparable to those set out in the relevant Privacy Acts.
Businesses and organisations in New Zealand are now subject to a mandatory obligation to notify the Privacy Commissioner where there has been a data breach. In line with Australia’s laws, the obligations will apply when the breach is likely to result in serious harm to any of the individuals to whom the affected information relates.
New Zealand has also introduced compliance mechanisms and offences which bring its enforcement powers closer to those currently applicable in Australia and the EU.
However, despite the changes to New Zealand’s privacy law, there are still several areas in which it differs from Australia’s privacy law.
Australia has a special category of personal information, being ‘sensitive information’ which includes information about: racial or ethnic origin, political opinions, religious or philosophical beliefs and affiliations, sexual orientation or practices, criminal record, health information, genetic information, biometric information and other particular information. The New Zealand Privacy law has a similarly wide definition of personal information — although it does not include opinions like Australia’s definition does and it does not have a separate category of sensitive information to which special restrictions apply.
The Australian Privacy Act contains a special exemption for employee records which provides that personal information about an employee, held by an employer, is exempt from the Australian Privacy Principles. This exemption does not exist in New Zealand, and employee records are subject to the same requirements as all other forms of personal information.
Penalties in Australia under privacy legislation can be much more severe than those in New Zealand. In Australia individuals can face penalties of up to AU$450,000, while fines for corporations can be as high as AU$2.1 million. In New Zealand however, fines under the Privacy Act only go up to NZ$10,000, with the option of referring matters to the Human Rights Tribunal which can award damages of up to NZ$350,000.
While there is significant overlap between the Australian privacy principles (APPs) and New Zealand’s information privacy principles (IPPs), there are some areas which are covered in either the APPs or IPPs, but not in the other. For example — restrictions on use of unsolicited personal information and use of personal information for direct marketing are provided in the APPs, but not in the IPPs. Additionally, the principle in relation to unique identifiers in Australia (APP 9) only restricts how and when private organisations can use government issued identification numbers, while in New Zealand, IPP 13 restricts the use of any unique identifiers.
This article was written by Jennifer Huby, Partner and Michael Graziano, Law Graduate.