A Deep Dive into New Zealand’s New Privacy Law: Extraterritorial Effect, Cross-Border Data Transfer Restrictions and New Powers of the Privacy Commissioner
By Caroline Hopland, Hunter Dorwart and Gabriela Zanfir-Fortuna
Last week, on December 1st, New Zealand’s new Privacy Act 2020 (Act) came into force. The Act was passed by the New Zealand Parliament in June 2020 and replaces the Privacy Act 1993, making significant changes to the 1993 regime. The changes cover a broad range of topics, including the extraterritorial scope of the law, new mandatory data breach notification requirements, “compliance notices” as a key enforcement tool of the Office of the Privacy Commissioner, data subject access requests, restrictions on cross-border transfers of personal information, and the enforcement regime overall.
One key feature of the Act, compared to other comprehensive privacy and data protection laws around the world, is how central the Privacy Commissioner is in shaping and enforcing the law, including as a necessary “stop” before a claim made by an individual, or a representative action, reaches the Human Rights Review Tribunal. The Act gives the Commissioner greater powers to ensure covered entities comply with the law, to adopt “codes of practice”, and broad authority to issue sweeping compliance notices and to prohibit cross-border transfers of personal information. Such broad discretion may initially create legal uncertainty regarding specific compliance requirements, as well as the scope of the rights of data subjects. For instance, the Commissioner may at any time issue “codes of practice” that modify the baseline obligations set out in the law and clarify the obligations of the entities that process personal information.
The law refers to the OECD Guidelines in multiple sections as a baseline for compliance, and explicitly recognizes other data protection regimes, such as the European Union’s General Data Protection Regulation (GDPR), as providing a comparable level of protection.
However, the Act diverges from the GDPR and the data protection laws inspired by it in its smaller set of data subject rights, its lukewarm penalty structure for non-compliance and its original framework for individual redress. Under the new law, individuals do not have a right to erasure (“right to be forgotten”), a right to data portability, or any specific rights, such as a right to object, in relation to automated decision-making. In fact, profiling and automated decision-making are not specifically addressed, and fines for violations of the Act are capped at 10,000 New Zealand dollars (approx. 7,000 USD).
Notably, Commissioner John Edwards stated in a recent radio interview that the Act was deliberately designed to sit mid-range in the spectrum of privacy regulations around the world. He went on to note that in 2011 the New Zealand Law Commission considered whether the Commissioner should be able to impose much larger fines on entities, as in Europe. The choice made instead was to grant the Commissioner discretion to issue compliance notices, see whether behavior changes, and assess the effectiveness of that approach in a few years.
It should be noted that New Zealand is one of the countries whose legal system has received an “adequacy decision” from the European Commission, allowing unrestricted transfers of personal data from the EU. New Zealand’s adequacy decision was issued in 2012, under the former Data Protection Directive 95/46/EC, and is set to be reassessed as part of the European Commission’s review of existing adequacy decisions in light of the GDPR; that reassessment will be done on the basis of the new law.
Below we discuss some key changes of the Act, specifically 1) its broadened extraterritorial scope, 2) cross-border transfer restrictions, 3) the Information Privacy Principles and Codes of Practice that may detail and enhance them, 4) updated data access requests by data subjects, 5) the new data breach notification requirements, 6) “compliance notices” regarding breaches of the Act and the new penalties framework, 7) the private right of action enshrined by the law and possible class actions, and 8) rules on public sector data sharing, before reaching 9) conclusions.
1. Extraterritorial Scope of the Law
The Act expands its scope to overseas organizations that carry on business in New Zealand, regardless of where they collect or hold personal information and where the data subjects are located. Under the Act, “carrying on business” in New Zealand does not require traditional commercial activity such as having a place of business in the country or receiving money for the supply of goods and services there. The new scope of the law could therefore in theory encompass a range of other overseas organizations, such as non-profits, as long as they carry on their activities in New Zealand.
In addition, the Act applies to non-resident individuals if, while in New Zealand, they collect or hold personal information about anyone, anywhere in the world, even if the information was collected while the individual was outside New Zealand. Lastly, the Act applies to “agencies”, a term that covers not only private companies and organizations but also certain public bodies such as government departments, both within and outside New Zealand. “Agency” is a nuanced term in the Act and can correspond to both controllers and processors as defined under the GDPR (or “businesses” and “service providers” as defined by the California Consumer Privacy Act, “CCPA”). While the Act does not contain a separate chapter laying out specific obligations for the processing of personal information by one organization on behalf of another, it does extend liability to “agents” of the principal agency, a category that could encompass GDPR processors and CCPA service providers. This considerably widens the category of entities with direct obligations under the Act.
2. Cross-Border Data Transfers
The Privacy Act includes a new Information Privacy Principle (IPP), IPP 12, which lays out rules for disclosing personal information outside New Zealand. Under this principle, an agency may disclose personal information to a foreign entity only if one of six grounds is satisfied:
(a) express and informed consent of the individual in the cases where the exporter informs them that the importer may not be required to protect their personal information in a comparable manner with the protection afforded in the Privacy Act;
(b) in the course of the importer carrying out business in New Zealand and the exporter reasonably believing that the importer is subject to the Privacy Act;
(c) the exporter reasonably believing that the importer is subject to comparable privacy laws to the Privacy Act;
(d) the exporter reasonably believing that the importer is a participant to a “prescribed binding scheme”;
(e) the exporter reasonably believing that the importer is subject to privacy laws of a “prescribed country”; and
(f) the exporter reasonably believing that the importer is required to protect the information in a comparable way to the Privacy Act, for example pursuant to an agreement between the two.
Both countries and binding schemes can be “prescribed” by the Governor-General by Order in Council.
It is interesting to note how New Zealand’s Privacy Act resolves a couple of the big questions raised by the GDPR’s rules on international data transfers: consent of the individual is a valid mechanism for cross-border transfers only where the data importer is not subject to obligations similar to those in the exporter’s jurisdiction; and if the exporter’s privacy law applies to the importer by virtue of its extraterritorial effect, no additional safeguards are required for the personal information transferred. Another point to note is that the GDPR “essential equivalence” standard has a counterpart in the seemingly more straightforward “comparable laws” standard under the Privacy Act.
The Privacy Act also gives the Commissioner broad authority to prohibit transfers of personal information outside New Zealand, similar to the provisions in the old law. If the recipient country does not provide legal safeguards comparable to those in the Act, and the transfer would likely contravene the basic principles set out in Part Two of the OECD Guidelines and in Schedule 8 of the Act, the Commissioner may issue a transfer prohibition notice to the agency in question. This does not apply to transfers authorized by the Commissioner or otherwise authorized by “any enactment”, or to transfers that take place under an internationally binding convention.
The Commissioner will consider broad factors to determine whether to prohibit transfers. These include:
- the likelihood the transfer would harm any individual;
- the general desirability of facilitating the free flow of information; and
- any existing or developing international guidelines relevant to cross-border data flows such as the OECD Guidelines and the GDPR.
The prohibition takes effect only once the Commissioner has served a transfer prohibition notice on the entity transferring the data. Each notice must state the nature of the prohibition, the personal information to which it applies, and the grounds for the prohibition. The Commissioner must respond within 20 days to any request to vary or cancel the notice and must give reasons if the request is refused.
Organizations may appeal to the Human Rights Review Tribunal (Tribunal) against all or any part of a transfer prohibition notice, or against the Commissioner’s refusal to vary or cancel the notice. The Tribunal must allow an appeal if it considers that the Commissioner’s decision was not in accordance with the law or that the Commissioner exercised his or her discretion inappropriately. On appeal, the Tribunal may modify the notice to exclude any statement that it finds to be without effect.
A person who, without reasonable excuse, fails or refuses to comply with a transfer prohibition notice is liable to a fine of up to 10,000 New Zealand dollars.
3. Information Privacy Principles and Codes of Practice
The Act sets forth IPPs that impose broad obligations on entities for their processing activities and serve as a benchmark for the Commissioner to implement further guidance through legally binding codes of practice. These principles relate to different dimensions of information processing such as purpose, manner of collection, storage and security, access, correction, accuracy, and limits on use and disclosure.
Many of the IPPs have not changed from the previous version of the law. For instance, IPP 3 specifies that entities collecting personal data must take reasonable measures to inform the individual of specific facts such as the purpose of collection and the intended recipients of the information. If the collection is authorized or required by a separate law, the entity must inform the individual of such law and explain whether the supply of the information is voluntary or required. IPP 3 also lists grounds that excuse an entity from providing such information to the individual.
Notable changes to the IPPs compared to the previous law include heightened fairness requirements for entities that collect information from children or young persons (IPP 4), and a change to the purpose principle (IPP 1) under which entities may require identifying information from people only when it is necessary for the purpose of collection. IPP 1 also provides that information may be collected only for a lawful purpose connected with a function or activity of the agency.
The Act does not specify lawful grounds for processing, nor does it impose a general consent requirement for all processing activities. It does, however, limit the disclosure of personal information absent consent or another valid justification, such as protecting public safety, not prejudicing legitimate law enforcement activities, or facilitating the sale or other disposition of a business as a going concern. In fact, the IPPs and, more generally, the other provisions of the Act distinguish between “collection”, “use” and “disclosure” of personal information and set out a different set of rules for each. Note that the Act does not define what “lawful means” of collection are, only that entities collecting information must use one. The Commissioner can modify or clarify these baseline provisions, and impose further requirements, through a code of practice.
In addition, IPP 10 imposes limits on the use of personal data but provides some exceptions such as when the data has been de-identified or will be used for statistical or research purposes in a form that will not reasonably lead to the identification of an individual. Publicly available data, data used in the furtherance of law enforcement, or data used to prevent or lessen substantial injury to an individual or the public health, may also trigger an exception to the general purpose limitation rule.
Note that an agency does not breach the IPPs in relation to information held overseas if the action is required by law of any country other than New Zealand.
The Act acknowledges a range of situations in which certain IPPs do not apply such as a household exemption similar to the one provided in the GDPR, information collected before 1993, the activities of intelligence and security agencies, information gained during an investigation initiated by the Commissioner or an Ombudsman, and information collected by Statistics New Zealand. Under certain circumstances, the Commissioner may authorize the processing of personal information otherwise in breach of certain IPPs if the Commissioner determines that the public interest in granting authorization substantially outweighs the possibility of adverse effect on the individuals concerned.
As stated above, the Commissioner has broad discretion to issue codes of practice in relation to the IPPs to modify and clarify the application of the law. These codes of practice may prescribe a broad list of measures including:
- how companies must comply with the IPPs;
- specific requirements for types of information, businesses, industries or activities;
- technical controls relating to specific processing activities;
- guidelines and fee structures; and
- review and monitoring mechanisms.
The Act specifies that failure to comply with a code of practice amounts to a breach of an IPP. The Commissioner may issue a compliance notice (see below) for agencies that violate any code of practice or any of the baseline IPPs set forth in the law.
4. Rights of Individuals: Access and Correction Requests
The IPPs also set out the rights of the individuals whose personal information is collected and used vis-à-vis the processing entities, including the right to access and correct personal information. Individuals, or their representatives, may make an IPP 6 access request or an IPP 7 correction request, and the entity receiving the request must respond promptly by either granting it or refusing it with reasons. If an entity does not hold the information but believes that another entity does, it must promptly transfer the request to that entity, unless it has good cause to believe that the data subject does not want the request transferred. In that case, the entity must notify the data subject of its decision.
The Act expands the withholding grounds on which entities may rely to refuse an access request, compared to the old law. Notably, an entity may now refuse access where disclosure would be likely to pose a serious threat to 1) the life, health (mental or physical) or safety of an individual, or 2) public health or public safety. An entity may also refuse to disclose information to an individual under 16 years of age if it determines that disclosure would be contrary to the individual’s interests. Other withholding grounds include: 1) protection of security, defense and international relations, 2) protection of trade secrets, 3) the information cannot be found, 4) prejudice to law enforcement, and 5) frivolous or vexatious requests.
The Act also specifies the means by which an entity can make information available to a data subject under an access request. Entities must make available information in a manner preferred by the requestor unless doing so would be overly burdensome or contrary to any legal duty of the entity.
For IPP 7 correction requests, the Act specifies that an individual may either request the entity to correct personal information or attach a statement of correction, but does not specify that an individual can request the entity to erase the personal information. The Act does not include a right to be forgotten nor a right to data portability.
Finally, the Act specifies that the Commissioner cannot modify or restrict the entitlements under IPP 6 or 7 for access and correction requests. The Act, however, does not facially preclude the Commissioner from expanding the scope of these rights or the obligations of entities in relation to these rights through codes of practices. Given the broad discretion the Act gives to the Commissioner, an interesting legal question arises as to whether the Commissioner could have the authority to require companies to provide for portability or erasure.
5. Data Breach Notifications
The Act introduces mandatory data breach notification requirements for organizations when a notifiable privacy breach affecting individuals occurs. Entities are under a legal duty to notify the Commissioner and any affected individuals if the breach has caused, or is likely to cause, serious harm to anyone. Failing to notify the Commissioner is an offense punishable by a fine of up to 10,000 New Zealand dollars.
The Act defines a privacy breach, in relation to personal information held by an agency, as 1) unauthorized or accidental access to, or disclosure, alteration, loss or destruction of, the personal information; or 2) an action that prevents the agency from accessing the information on either a temporary or permanent basis; in each case whether or not the breach is ongoing, was caused by a person inside or outside the agency, or is attributable in whole or in part to any action by the agency.
The Act defines a notifiable data breach as 1) a privacy breach that it is reasonable to believe has caused serious harm to an affected individual or individuals or is likely to do so; but 2) does not include a privacy breach if the personal information that is the subject of the breach is held by an entity who is an individual and the information is held solely for the purposes of, or in connection with, the individual’s personal or domestic affairs.
According to the Act, an affected individual is one whose personal information was the subject of a privacy breach. The individual may be inside or outside New Zealand, and may even be deceased if 1) a sector-specific code of practice applies to deceased persons, and 2) to the extent that the code of practice applies one or more IPPs to that information.
An organization must consider several elements when assessing whether a privacy breach is likely to cause serious harm in order to decide whether the breach is notifiable, such as any action it took to reduce the risk of harm following the breach or whether the personal information is sensitive. If unsure whether a breach is notifiable, an organization can use the Office of the Privacy Commissioner’s NotifyUs tool to determine whether it has a legal duty to report it.
Further, it must notify the Commissioner and affected individuals as soon as practicable after learning that a notifiable privacy breach occurred. Both the notification to the Commissioner and the notification to data subjects must contain a list of specific information defined by the law, including a description of steps that the organization took in response to the privacy breach.
The entity may also identify the person or body, if known, that has obtained or could obtain the affected individual’s personal information, where it reasonably believes that identification is necessary to prevent or lessen a serious threat to the life or health of the affected individual or of another individual. It may provide this information incrementally, as it becomes known, so as to comply with the requirement to provide any new or available information as soon as practicable. It must not, however, include any particulars about other affected individuals.
Moreover, if it is not reasonably practicable to notify each affected individual, the organization must instead give public notice of the breach in a way that no affected individual is identified.
An entity is not required to notify an affected individual or give public notice under certain circumstances, such as if it believes it would endanger someone’s safety, reveal a trade secret, the affected individual is under the age of 16 and the entity believes that notice would be contrary to the individual’s interests, or if, after consultation with an individual’s health practitioner (where practicable), it believes that the notice would likely prejudice that individual’s health. Further, an organization may also delay notifying affected individuals or giving public notice of the breach under certain circumstances.
An entity that fails to notify the Commissioner of a notifiable privacy breach can be liable to a fine of up to 10,000 New Zealand dollars.
Employees, agents and members of an agency who fail to comply with these procedures (notifying the Commissioner and affected individuals, or giving public notice) are not personally liable; their acts, and their knowledge of the breach, are treated as the acts and knowledge of the agency.
6. Compliance Notices, Appeals and Fines
For any breaches of this Act, including the IPPs, interference with the privacy of an individual under another Act, breaches of any codes of practice or a code of conduct under another Act, the Commissioner may issue a “compliance notice” to the breaching entity. This grants the Commissioner greater discretion to require entities to act or refrain from certain behaviors. Compliance notices are enforced through the Tribunal, and a failure to comply is a criminal offense, resulting in fines up to $10,000 New Zealand dollars.
The Commissioner will consider a number of factors prior to issuing a compliance notice to an entity, such as the seriousness of the breach, the number of people affected, and the likely costs to the entity in order to comply with the notice. Prior to issuing a compliance notice, the Commissioner must also send the organization a written notice about the breach, any particular steps the organization should take to remedy it and dates to do so, and allow the organization a reasonable opportunity to respond.
A compliance notice then issued by the Commissioner will describe the breach, citing the relevant statutory provisions, require the entity to remedy it, and inform it of its appeal rights. The notice might also require the entity to take particular steps to remedy the breach, conditions that the Commissioner considers appropriate, dates the entity must remedy the breach or report to the Commissioner, or other useful information.
Once the compliance notice has been issued, the entity must, within a “practicable time”, take steps to comply with the notice and any particular steps specified within it, and remedy the breach by the date stated in the notice. The Commissioner, believing it is within the public’s interest, can publish 1) the entity’s identity, 2) details about the notice or the breach, or 3) a statement or comment about the breach.
6.1 Appeal of Compliance Notice
Businesses should be aware of the option to appeal a compliance notice, but also the potential of enforcement proceedings or interim orders brought and issued against them with respect to failing to comply with the notice. An entity may appeal to the Tribunal, 1) all or part of a compliance notice issued against it, or 2) the Commissioner’s decision to amend or cancel the notice. The appeal must be filed within 15 working days from the day on which the compliance notice was issued or the notice of the decision is given to the entity.
However, the Tribunal cannot cancel or modify a notice simply because 1) the breach was unintentional or without negligence on the part of the agency, or 2) the organization took steps to remedy the breach, unless there is no further reasonable step it could take to do so.
6.2 Enforcement of Compliance Notice
The Commissioner may also bring enforcement proceedings to the Tribunal for an agency’s noncompliance with a notice. The Commissioner can bring enforcement proceedings if, after the statutory period, no appeal has been filed against a notice, and, if either 1) the Commissioner has reason to believe that the entity did not, or will not, remedy the breach (if applicable, by the date stated in the notice), or 2) it failed to report to the Commissioner the steps it took to remedy the breach by the date stated in the notice. The entity may object to enforcement of the notice only on the ground that it believes it has fully complied with the notice. The Tribunal can determine whether the notice has been fully complied with, or order the entity to comply with the notice or perform an act specified in the order.
6.3 Remedies, Costs, and Enforcement
In the enforcement proceedings brought by the Commissioner, the Tribunal may grant an order requiring the entity to 1) comply with the notice by a date specified in the order (which may vary from the original date stated in the notice), 2) perform any act specified in the order by a date specified in the order (for example, reporting to the Commissioner on progress in complying with the notice), and 3) award costs it considers appropriate. In an appeal brought by the agency, the Tribunal may grant an order that 1) confirms, cancels, or modifies the notice and 2) confirms, overturns, or modifies the decision, and 3) award costs it considers appropriate.
An award of costs may be enforced in the District Court as if it were an order of that Court. An entity that, without reasonable excuse, fails to comply with the Tribunal’s decisions above can be fined up to $10,000 New Zealand dollars. Lastly, the Commissioner is entitled to appear or be represented by a lawyer or an agent during these proceedings.
6.4 Liability and Penalties
The Act imposes a maximum fine of 10,000 New Zealand dollars on any person who, without reasonable excuse, fails to comply with a lawful requirement of the Commissioner, or obstructs, hinders or resists the Commissioner or any other person exercising authority under the law.
In addition, the Act penalizes, with a fine of up to 10,000 New Zealand dollars, any person who 1) knowingly makes a false statement to the Commissioner or to any other person exercising a power under the Act; 2) misrepresents any authority they hold under the Act; 3) impersonates an individual, or pretends to act under an individual’s authority, in order to unlawfully obtain access to or use that individual’s information; or 4) destroys a document containing personal information knowing that it is the subject of a data subject request.
Finally, the Act sets out the liability of agencies for the actions of their employees and agents. Acts of an employee done in the course of employment are treated as acts of the employer, whether or not they were done with the employer’s knowledge or approval, and acts of an agent done with the express or implied authority of the principal are treated as acts of the principal. The Act offers a defense to an employer that took such steps as were reasonably practicable to prevent the employee from doing the act in question.
Note that the law does not contain offenses punishable by imprisonment for officers or individuals that contravene its provisions.
7. Limited Private Right of Action, Class Actions
As far as the IPPs are concerned, they “do not confer on any person any right that is enforceable in a court of law”, except for the right of access (IPP 6(1)) and only in relation to public sector agencies (see Section 31). However, individuals may bring before the Human Rights Review Tribunal a Commissioner’s decision on their complaint, or an agency’s failure to comply with such a decision.
An individual may bring a complaint to the Commissioner, including on behalf of multiple aggrieved parties, for an “interference with the privacy of an individual.” The Act defines an interference broadly as a breach of the Act that has caused, or may cause, loss or damage to the individual, adversely affect the individual’s rights, or result in significant humiliation of the individual. An interference also includes an agency’s improper refusal of an access request or failure to respond to such a request in time.
After receiving the complaint, the Commissioner must consider the complaint and decide to either not investigate, refer the complaint to another person or overseas privacy enforcement agency, explore the possibility of securing settlement between the parties, or conduct an investigation. The Commissioner has wide authority to decide between any of these routes, but must respond to the complainant as soon as practicable with the reason for decision. Notably, the Commissioner may also refer a complaint directly to the Director of Human Rights Proceedings, as appointed under the New Zealand Human Rights Act, without conducting an investigation if it is unable to secure a settlement or discovers parties to a settlement have failed to comply with the terms of the settlement.
The Act gives the Commissioner discretion to collect information in the course of an investigation and to regulate his or her own procedure. The Commissioner must conduct the investigation in a timely manner but may act upon it in any manner the Commissioner finds satisfactory. After completing the investigation, the Commissioner may decide that the complaint has no merit and dismiss it.
When the complaint does have merits, the Commissioner must first attempt to secure settlement or obtain assurances between the parties before acting otherwise. If this fails, the Commissioner has broad discretion to either direct the company take remedial action with respect to an access request, refer the complaint directly to the Director, or take any other action the Commissioner considers appropriate.
Aggrieved individuals may bring proceedings before the Human Rights Review Tribunal against a Commissioner’s decision, or against an agency’s failure to comply with such a decision. Proceedings may be commenced by the individual, by a representative of the aggrieved individual, or by a representative lawfully acting on behalf of a class of aggrieved individuals. The Tribunal may grant broad remedies to redress the interference, including damages for pecuniary loss and for loss of benefits reasonably expected, as well as damages for humiliation suffered by the individual. Agencies may also challenge decisions reached by the Commissioner, including directions to grant access.
8. Public Sector Data Sharing
The Act also sets forth provisions governing data sharing agreements between public entities in New Zealand. While the amendments did not change this section of the law, it is worth noting that New Zealand has its own regime governing the sharing of information between its public sector institutions. Each agreement pursuant to the law must meet certain transparency requirements including notifying any individual of an adverse action against them resulting from the agreement. These agreements help agencies access information to facilitate the execution of their legal duties and obligations.
Finally, the Act establishes provisions governing information matching programs. These programs allow entities to compare personal information as long as the parties meet a set of requirements including heightened notice, reporting and transparency obligations.
The New Zealand Privacy Act 2020 is an interesting framework on the global privacy map, characterized by the great responsibility placed in the hands of the Privacy Commissioner to breathe life into the law and keep it up to date in the digital era. While only marginally inspired by GDPR provisions, and thus able to contribute to the interoperability of privacy regimes around the world, it stays true to New Zealand’s decades-old history of regulating privacy and data protection.
This blog is part of a series of overviews of new laws and bills around the world regulating the processing of personal data, coordinated by Gabriela Zanfir-Fortuna, Senior Counsel for Global Privacy.