Bell Gully Partner Tania Goatley and Senior Associate Kristin Wilson discuss the Justice Select Committee’s Report on the Privacy Bill, following the consultation with submitters. The Bill is at the Second Reading stage in Parliament.
The amendments proposed are moderate and do not represent a major shift from the Bill as it was introduced. However, the report provides more insight into what the final legislation may look like when passed, and clarifies how the amended law will work in practice. The Select Committee has proposed the following key amendments to the Bill:
The Committee recommends that the Bill be amended so that it is made clear that the Privacy Act applies to any actions by a New Zealand entity, whether these actions occur inside or outside of New Zealand. The legislation will apply to all personal information collected or held by New Zealand entities, regardless of where the information was collected and where the person to whom the information relates resides.
The Bill will also apply to any actions taken by an overseas entity in the course of carrying on business in New Zealand. An entity may be treated as carrying on business in New Zealand whether or not it charges any monetary payment for goods or services, makes a profit from its business, or has a physical presence in New Zealand.
Relevantly, the offence provisions of the legislation will apply to all entities, including those outside New Zealand, if any act or omission forming part of the offence, or any event necessary to the completion of the offence, occurred in New Zealand.
This recommendation represents a huge change to the jurisdictional impact of the Privacy Act, and provides important clarification as to how the legislation applies to entities based outside of New Zealand. Entities that conduct business in New Zealand will need to ensure that their privacy policies and practices comply with New Zealand law. By way of example, entities may need to review their policies to ensure affected individuals are given all of the information required by Information Privacy Principle (‘IPP’) 3. Entities will also need to be familiar with how to deal with access requests from individuals.
News media exemptions
Like the current Privacy Act, the proposed Bill will not apply to news media. The Select Committee has recommended that the definition of “news activity” be expanded from “preparation or compiling of articles or programmes” to instead refer to “publishing” news, observations on news, and current affairs. This will mean that publications in books or on the internet can now come under the “news activity” exemption. It will remain to be seen how the assessment of what constitutes “news, observations on news and current affairs” is treated given the information age in which the media now operate and the blending of traditional news and current affairs with reporting on matters of interest to the public.
Only organisations that are subject to independent standards of conduct, including privacy standards and a complaints procedure, can be considered a news entity for the purposes of the Act (for example, entities that are subject to the Broadcasting Standards Authority or the New Zealand Media Council). In the Bill as introduced, Radio New Zealand and Television New Zealand were to be held to a higher standard than other media since they are Crown entities. The Select Committee has recommended that this be amended so that RNZ and TVNZ are brought within the media exemption along with other outlets.
Disclosing information to an agency overseas
The Select Committee recommends that a new IPP should be introduced to specifically regulate the disclosure of personal information outside New Zealand.
In most cases an entity that wants to disclose personal information to a foreign person or entity would need to satisfy at least one of the criteria set out in the proposed IPP 12(1), which includes (for example) that the agency believes on reasonable grounds that the foreign person or entity must protect the information in a way that, overall, provides comparable safeguards to those outlined in the bill.
This constitutes a material change from the status quo, in that businesses transferring personal information overseas will now need to proactively consider what privacy laws or safeguards apply to the entity to which information will be disclosed. This goes further than the general obligation currently provided for by IPP 5 to keep the information safe and secure.
Notification of breaches
As introduced, the Bill provided that notification to the Privacy Commissioner would be required if a breach caused harm or posed a risk of harm to an individual. The Select Committee has agreed with submitters that this threshold is too low and may result in over-notification and data-breach complacency, and instead recommends that breaches should be notifiable if “it is reasonable to believe that the breach may have caused serious harm to affected individuals, or is likely to do so”.
The Select Committee has suggested including factors in the legislation that entities must consider when assessing whether a privacy breach is likely to cause serious harm. These include:
- any actions taken by the agency to reduce the risk of harm;
- whether the information is sensitive;
- the nature of the potential harm;
- who has obtained or may obtain the information; and
- whether the information is protected by security measures.
Notification of a breach may be delayed in some circumstances where it is sensible to do so, for example if an entity’s security systems remained vulnerable following a privacy breach, and notification needs to be delayed to prevent the risk of more harm.
While it will be an offence not to notify the Commissioner of a notifiable privacy breach, the Select Committee has recommended that there should be a defence to this charge if it was reasonable for the entity to consider that the breach was not a notifiable breach.
The requirement to notify based on the threshold of “serious harm” would bring the threshold for notification in line with that used in Australia, although there are some differences in the factors to be considered when determining if the threshold is met. At present there are some differences as to how the notification process will work in practice in New Zealand, in particular in respect of the proposed ability to delay notification in some circumstances.
Other key recommendations
A storing or processing agency that used or disclosed information for its own purposes should be accountable to the affected individual and will also be treated as holding information.
The transfer of data between an entity and a cloud service provider would not be a disclosure for the purpose of the IPPs.
When collecting personal information from children and young persons, an agency must take into account their vulnerability.
The Bill should allow for possible future participation by New Zealand in binding cross-border privacy schemes.
Entities must take reasonable steps to ensure that a unique identifier is only assigned to an individual whose identity is clearly established.
The risk of a misuse of a unique identifier must be minimised, for example by showing truncated account numbers on receipts or in correspondence.
Entities can presently refuse access to information if the disclosure would be likely to endanger the safety of an individual. The Select Committee has suggested that a request should also be able to be refused if there is a serious threat to public health or safety, or the life or health of any individual.
An entity should be required to refuse access to information if it has reasonable grounds to believe the request was made under duress.
The Commissioner should be given a general discretion to decide not to investigate any claims made under the legislation.
The Human Rights Review Tribunal should be given the express power to close proceedings when necessary to hear and determine an access complaint.
It will be made clear that an entity’s privacy officer can be appointed externally to the agency.
The Select Committee has not adopted all of the changes recommended by the Privacy Commissioner. In particular, the Select Committee has not recommended that a right to erasure, also known as the “right to be forgotten”, be introduced in New Zealand. The possible financial penalties for breaching the Act also remain relatively low, contrary to the Commissioner’s recommendations, although in practice the reputational risk that arises if the Act is breached is generally sufficient to ensure compliance by most New Zealand entities.
Our privacy team is closely monitoring the progress of the Privacy Bill and will continue to provide updates as new information comes to light. Please see our previous articles about privacy law reform and the Privacy Commissioner’s submission on the bill.