Privacy Act 2020: A welcome step in a digital world

Opinion: NZ's new Privacy Act may not be groundbreaking like the 1993 Act it is replacing, but is a welcome step in the right direction, writes Gehan Gunasekara.


Those concerned about their personal privacy will be celebrating when the Privacy Act 2020, enacted earlier this year, comes into force today, December 1.

Many agencies have been preparing for the new law for several months and the Office of the Privacy Commissioner (OPC) has published numerous resources on its website and undertaken a media campaign highlighting the major changes. It is to be hoped, in the spirit of Christmas, the OPC will accord a reasonable grace period to agencies before deploying the new powers granted it by the Act. However, such forbearance cannot be taken for granted.

The 2020 Act replaces and repeals the 1993 legislation, which has lasted almost three decades. These are decades which have seen the emergence of the Fourth Industrial Revolution, the Age of Data and phenomena such as the Internet, Big Data and massive interconnectivity of people, devices and locations.

It is likely those responsible for drafting the 1993 Act would have struggled to even imagine many of these developments.

Nonetheless, the earlier Act was innovative and ground-breaking. It used technology-neutral terminology such as “information” regardless of how it is stored (information held in people’s memory has been found to be accessible) and rules were worded as principles capable of being extended to new situations.

The new law builds on the strengths of the old and retains many of its original features. There are now 13 information privacy principles instead of the original 12 and even though most are recognisable from the old Act, there have been some tweaks.

For example, while Principle 1 has always required that an agency can only collect personal information in relation to its legitimate purposes and not unrelated ones, it now also forbids collecting identifying information altogether where it is possible to provide a service without doing so. (In this context, the term “agency” means any person, business, government department or organisation in the public or private sector.)

Similarly, Principle 4, which covers the manner of collecting personal information, requires specific consideration to be given to whether that manner is appropriate when collecting information from children or young people.

Principle 12 relates to sending information outside New Zealand. Due diligence is needed to ensure the information will be protected by similar standards as in New Zealand. The Government is expected to prescribe a list of countries with comparable protections and the OPC provides other tools such as model contractual terms with an overseas recipient.

Principle 12 does not apply when using, say, a cloud service to store data where the overseas service provider is not using the data for its own purposes. In those conditions, the New Zealand agency remains responsible.

Overseas agencies doing business in New Zealand are also now subject to the Act, which ensures a level playing field. Although some might question how the OPC can enforce the Act against the likes of Facebook, it is likely there will be increasing coordination with overseas privacy authorities. This occurred, for instance, between Australia and Canada with the 2015 data breach investigation of the online adult ‘discreet affair’ dating site, Ashley Madison.

The most important additions in the new Act are the duty to notify affected individuals of breaches when they may suffer serious harm and OPC’s power to issue compliance notices against agencies. These are underpinned by fines. It is important to note, however, that failure to notify when required also provides individuals with recourse to complain and ultimately bring an action for monetary damages which can be up to a maximum of $350,000. Class actions are also now possible.

It is unlikely the new Act will be seen in world-leading terms like its predecessor was in 1993. The latest European Privacy Regulation, for instance, goes much further, giving individuals the right to erasure. However, it is a step in the right direction and New Zealanders should welcome it.

Gehan Gunasekara is an associate professor in commercial law in the Business School and chair of Privacy Foundation New Zealand.

This article reflects the opinion of the author and not necessarily the views of the University of Auckland.

Used with permission from Newsroom Privacy Act 2020: A welcome step in a digital world 1 December 2020.
