On 30 June 2020, the long-awaited Privacy Bill received Royal Assent, with the changes coming into effect on 1 December 2020.
Privacy Commissioner John Edwards has said “The new Privacy Act provides a modernised framework to better protect New Zealanders’ privacy rights in today’s environment.”
Some of the key changes include:
• All agencies will be required to report serious privacy breaches to the Office of the Privacy Commissioner. If the breach is likely to cause serious harm, the people affected must also be informed. This is consistent with international best practice.
• If an agency uses service providers based outside New Zealand, they will need to make sure the providers meet New Zealand privacy laws.
• Criminal offences will be introduced. An agency could be fined up to $10,000 for misleading an agency about someone’s personal information and/or intentionally destroying requested personal information.
• The Privacy Commissioner will have the power to make binding decisions when someone requests access to their personal information. These decisions may be appealed to the Human Rights Tribunal.
• International digital platforms that obtain New Zealanders’ personal information through business in New Zealand must comply with New Zealand privacy law, regardless of where the servers are based.
• The Privacy Commissioner will have the power to issue compliance notices. Non-compliance with the notice could result in a fine of up to $10,000.