The Ministry of Justice (Ministry) is inviting feedback on a proposal to amend the Privacy Act 2020 (Privacy Act) to broaden the notification requirements in the Privacy Act to also cover entities / agencies that collect personal information indirectly. If the Ministry proceeds with recommending these changes and the Privacy Act is amended as a result, it will be the first major amendment to the Privacy Act since it came into effect nearly two years ago and will likely bring New Zealand in line with similar jurisdictions. Depending on the nature of the changes, they could also result in increased compliance costs for businesses.
What is suggested?
Under the Privacy Act, agencies are required (subject to limited exceptions) to collect information directly from the individuals concerned and to notify those individuals of, among other things, the purpose of collection and how their information will be used and disclosed when their personal information is collected directly from them.
The Ministry has identified a gap in the legislation where agencies indirectly collect personal information, but do not need to notify individuals. For example, if an individual provides personal information via a website, that website may (if the terms and conditions allow) share that personal information with another agency. Because that other agency did not collect the personal information directly, it is not currently required under the Privacy Act to notify the individual of, for example, the fact that the information is being collected and the purpose of collection. While the information (provided it is information about a New Zealand data subject) would still be subject to many of the protections in the Privacy Act, this gap could result in individuals not being able to exercise their full privacy rights (e.g. seeking access to and correction of their personal information).
The Ministry notes that a number of like-minded jurisdictions, like Australia and the United Kingdom, already have broad notification requirements. Crucially, the General Data Protection Regulation (GDPR) in the European Union provides that individuals should be clearly informed when their personal information is processed – regardless of whether that information is collected directly from individuals or indirectly.
The Ministry is considering the ways in which the notification requirements under the Privacy Act may be extended. Three specific changes under consideration are:
- Amending the Privacy Act so that the notification requirements apply where an agency collects personal information whether directly or indirectly from other sources.
- Amending the Privacy Act so that individuals are to be notified whenever their personal information is disclosed to a third party (regardless of whether the disclosure is authorised); or to narrow the exceptions provided in the Privacy Act to the direct collection requirement.
- Introducing a new Information Privacy Principle (in addition to the existing 13 principles) that would specifically deal with notification of indirect collection.
If the Privacy Act is amended in this way, then it will likely result in increased compliance costs for agencies handling personal information and doing business in New Zealand. The Ministry does suggest that one way of reducing these costs would be to confine broader notification requirements to personal information that is collected indirectly from overseas individuals – meaning businesses operating exclusively in New Zealand should not incur further compliance costs. The Ministry is particularly interested in getting feedback on ways that compliance costs for businesses could be reduced.
The impetus for this change appears to be to align New Zealand data protection laws with those of other jurisdictions that New Zealand has close trading relationships with. It may also be related to our GDPR adequacy status – which permits flows of data from New Zealand to the EU without additional compliance requirements. This status is under constant review by the EU. These changes may also assist New Zealand in retaining this status – ensuring that our digital trade sector is not placed under pressure.
You can access the Ministry’s consultation document here. We will provide further updates on the consultation process and any resulting amendments to the Privacy Act. The deadline for feedback to the Ministry on the proposals is Friday 30 September 2022.