The select committee has played safe on the Privacy Bill, recommending only modest changes. While this will make for an easy transition in the short term, it may also mean further reform is needed in a few years' time.
In particular, the Bill falls well short of the European Union (EU) General Data Protection Regulation (GDPR), which sets the standard for EU engagement – an outcome that could create compliance costs for some New Zealand businesses.
Raising the threshold for privacy breach notification
An agency would only need to notify the Privacy Commissioner and affected individuals of a privacy breach where it is reasonable to believe the breach is likely to cause “serious harm”.
This is a higher threshold than originally proposed, responds to concerns raised by submitters, and aligns New Zealand with Australian and European law.
The Bill would apply to all New Zealand agencies collecting personal information (regardless of where it is collected or held), overseas agencies that collect personal information in the course of carrying on business in New Zealand, and non-resident individuals who collect personal information while in New Zealand.
Additional requirements when sending data offshore
The Bill requires an agency disclosing personal information to a “foreign person or entity” to meet one of six grounds, the effect of which is to provide safeguards comparable to those in New Zealand.
While the intention of this change is laudable, the provisions (including the definition of “foreign person or entity”) may create added complexity without a clear need for change.
That said, the Bill has been amended to clarify that “disclosure” does not include sending information to a cloud service provider or other party that holds the information solely as agent.
Agencies not to collect identifying information unless necessary
The Bill would expand IPP 1 (collection for lawful and necessary purposes) to prohibit collection of “identifying information” if not necessary for the purposes for which the information is being collected.
We understand that this change is intended to nudge agencies towards allowing individuals to interact anonymously with them, but what counts as “identifying information” is unclear, and in any case it will be a rare occurrence where an agency is unable to find at least some purpose (however speculative) that justifies collection.
Removal of the Public Register Principles
The public register privacy principles have been removed as recommended by both the Law Commission and the Privacy Commissioner. This is on the basis that appropriate protections are better addressed by the legislation that governs use and public access to the applicable register.
Changes the Privacy Commissioner wanted but did not get
The Privacy Commissioner argued for a number of changes which the committee has not delivered. Principal among these were a power to seek civil penalties, rights of erasure for individuals (sometimes referred to as “a right to be forgotten”), data portability, and transparency for algorithmic decisions.
The Ministry of Justice departmental report indicates further reform along these lines may be needed to maintain EU adequacy.
The Privacy Commissioner issued a statement saying that the Bill “addresses some of the most pressing aspects of the modern digital economy” but that he would continue to make the case for more civil enforcement powers and “other modernising reforms to ensure that New Zealand’s privacy framework is robust, fit-for-purpose and comparable to those of its trading partners”.
Implications of the Bill for business
For most businesses, the two most noteworthy features of the Bill are the requirement to notify privacy breaches to the Privacy Commissioner and affected individuals (now subject to a higher threshold before notification is required), and the obligation to ensure safeguards are in place when sending data offshore.
Both these features will require businesses to put in place new processes in order to comply, although the burden is likely to be modest, especially for those organisations that already have good privacy practices embedded in their operations.
The Bill is proposed to come into force on 1 March 2020.
Our thanks to David Smith for writing this Brief Counsel.