You can read the final report of the Justice Select Committee here, our commentary on the earlier draft of the Bill here, and our submission to the Justice Select Committee here.
Key changes from the Select Committee report
The Select Committee report implements a number of unanimous changes to the Bill, including the following:
- Territorial effect: Overseas agencies will now expressly be subject to the reach of the Bill. Specifically, the Bill will apply to the actions of, and all personal information collected or held by, an ‘overseas agency’ in the course of ‘carrying on business’ in New Zealand. The Bill’s definition of ‘carrying on business’ is wide and is likely to capture a number of businesses. In particular, the definition is not predicated on where the business is physically located, nor on whether the business charges for products or services, or makes a profit from its New Zealand business.
- Threshold raised for data breach notification: The initial draft Bill introduced a mandatory notification regime in the event of a ‘notifiable data breach’. Following numerous submissions – including by Kensington Swan – the Bill has been amended to raise the threshold for notification so that it is only required where it is ‘reasonable’ to believe that the privacy breach has caused or is likely to cause ‘serious harm’. This change means the standard for a privacy breach is an objective one (rather than one that requires an assessment of the individual’s personal circumstances).
- Publication of compliance orders: The Bill has been amended so the Privacy Commissioner must publish information following the issue of a compliance notice, unless an agency can convince the Commissioner that the publication would result in undue hardship to the agency, and such hardship outweighs public interest in the publication. Notably, the Privacy Commissioner has a broad discretion to publish any details about the compliance notice or breach that s/he considers should be published, and a statement where appropriate.
Many changes to privacy law requested by the Privacy Commissioner and other submitters did not make their way into the revised Bill. In particular:
- there is no ‘sharpening’ of the Privacy Commissioner’s ‘teeth’ with respect to the imposition of commercially significant fines (the Privacy Commissioner had previously called for the ability to apply to the court for a civil penalty of $1,000,000 for bodies corporate);
- the Bill does not include the right of data portability (that is, the right for an individual to receive their personal information in a commonly used machine-readable format), nor does it include the ‘right to be forgotten’ or ‘right of erasure’ – both concepts that are found in the GDPR.
The revised Bill will now be heard and debated by the New Zealand Parliament in the second reading, at which time further amendments may be introduced. A date for this second reading is yet to be scheduled.
We will regularly be publishing updates on the Privacy Bill as it progresses through the New Zealand legislature. If you would like specific advice on what the Bill – including the changes above – will mean for your business, please contact Hayley Miller, Hayden Wilson, Gretchen Fraser, or Campbell Featherstone.
Our thanks to Emily Tombs, Solicitor in the Commercial team, for writing this newsflash.