
On 20 March 2018, the Privacy Bill (“Bill”) was introduced to Parliament and is currently in its first reading. The Bill follows on from the 2011 review of the Privacy Act 1993 (“Privacy Act”) undertaken by the New Zealand Law Commission.

Once passed, the Bill will repeal and replace the existing 25-year-old Privacy Act. The Bill is an attempt to reflect the vast changes in technology that have occurred during recent decades and to better align New Zealand’s privacy law with international developments.

The Bill stipulates that the changes will come into force on 1 July 2019. This date may need to be updated during the legislative process, as a six-month transitional period is also proposed under the Bill.

You can read the full text of the Bill here.

Key changes made in the Bill

The Bill implements most of the Law Commission’s recommendations made in 2011. Key changes under the Bill include:

  • Mandatory reporting of privacy breaches: Unauthorised or accidental access to, or disclosure of, personal information that poses a risk of harm must be notified to the Privacy Commissioner and to affected individuals.
  • Compliance notices: The Privacy Commissioner will be able to issue compliance notices that require an agency to do or prevent a certain action. The Human Rights Review Tribunal will be able to enforce compliance notices and hear appeals.
  • Strengthening cross-border data flow protection: New Zealand agencies will be required to take reasonable steps to ensure that personal information disclosed overseas will be subject to acceptable privacy standards. The Bill also clarifies the application of New Zealand law when a New Zealand agency engages an overseas service provider.
  • New criminal offences: It will be an offence (with a fine not exceeding $10,000) to mislead an agency in a manner that will affect another person’s information and to knowingly destroy documents containing personal information where a request has been made for it.
  • Privacy Commissioner making binding decisions on access requests: The Privacy Commissioner will be able to make decisions on complaints relating to access to information. The Commissioner’s decisions will be able to be appealed to the Human Rights Review Tribunal.
  • Strengthening the Privacy Commissioner’s information gathering power: The Privacy Commissioner will have increased investigation powers which allow him or her to shorten the timeframe within which an agency must comply, and increase the penalty for non-compliance.

The Privacy Commissioner’s response to the Bill

While the Privacy Commissioner welcomed the timely introduction of the Bill, he also argued in a Privacy Commission blog post for additional civil enforcement powers and for shifting the privacy functions of the Director of Human Rights Proceedings into the Privacy Commission office in order to streamline the privacy complaints process.

If you would like a specific briefing on the Bill, or what it may mean for your business, please contact Hayley Miller, Hayden Wilson, Amy Jardine or Campbell Featherstone or contact the Corporate and Commercial Team on or our Banking and Financial Markets team on



