Regulating Tech in 2020 Series | “Modernising” the Privacy Act

Technology is an increasingly large part of the lifeblood of our social interactions and economy. This year we are likely to see tech play an even greater role, as the global COVID-19 outbreak forces people through digital channels and upends some traditional business models.  

As the presence and influence of new technology models (and businesses that provide them) grows, so too does the scope and complexity of technology and data regulation around the world.

Even in New Zealand, which has traditionally taken a light-touch approach to tech regulation, times are changing. 2020 is likely to be a bumper year for new regulation in this space – as industry developments are pushing the Government to act in many different areas.  

In this series we'll be giving you a run-down of some big items on the tech regulation agenda in Aotearoa this year, which includes:  

1. “Modernising” the Privacy Act

2. New Zealand’s ‘Consumer Data Right’?  

3. Preventing Violent Extremist Content Online  

4. Classifying Content on “Video On-Demand” Services  

5. Big Changes Ahead for Copyright Law  

6. Unfair Contract Terms in B2B Contracts  

In this post, we address “Modernising” the Privacy Act

Without doubt, the upcoming changes to the Privacy Act 1993 will be some of the most high-profile tech regulation in New Zealand this year. Many (including the Privacy Commissioner) believe the new Privacy Bill does not go far enough to modernise New Zealand’s privacy regime and bring it into line with international equivalents such as GDPR. However, it does make some important changes, including:

• Bringing in mandatory reporting of privacy breaches which cause (or are likely to cause) serious harm;
• Allowing the Privacy Commissioner to issue compliance notices to make agencies do something, or stop doing something, to comply with privacy law (these notices will be enforceable by the Human Rights Review Tribunal);
• Providing greater protection for data moving overseas by preventing overseas transfers unless certain safeguards are in place (e.g. specific consent, similar laws in the overseas country, or contractual mechanisms to ensure protection of the information);
• Empowering the Privacy Commissioner to make binding decisions on requests by individuals to access their information;
• Creating new criminal offences (including misleading an agency to access someone else’s personal information, and destroying a document containing personal information knowing a request has been made for it);
• Increasing the maximum fines for offences under the Act from $2,000 to $10,000 (still very small by international standards).

While the Bill does not have the teeth of international equivalents, the Privacy Commissioner has shown an intention to take an activist enforcement approach with the new tools at his disposal. Businesses will – more than ever before – need to consider the reputational and operational impact of failing to comply with privacy law.  

If passed in its current form, the new Privacy Act will come into force on 1 November 2020