Privacy Commissioner John Edwards welcomed the Justice Select Committee’s report on the Privacy Bill.
“The Committee has listened to submitters and the reported back Bill contains measures to ensure the law addresses some of the most pressing aspects of the modern digital economy.
The law will now explicitly set out when agencies that collect, process and use New Zealanders’ personal information will have to comply with New Zealand law – regardless of whether these agencies have a brick-and-mortar presence on our islands.
While the Bill doesn’t include all the things we were seeking, we are grateful for the diligent work of the Select Committee and look forward to making the most of the changes for the benefit of all New Zealanders.”
The Bill now clarifies the extent to which the Privacy Act will apply to overseas agencies or overseas activities:
- For a New Zealand agency, the Act will apply to any action taken and all personal information collected or held by it, both inside and outside New Zealand.
- For an overseas agency, the Privacy Act will apply if the agency is carrying on business in New Zealand. The Act will apply to any action and all personal information collected or held by the agency (regardless of where that may be) in the course of carrying on business in New Zealand.
Other key changes made during the select committee process include:
- raising the notification threshold for privacy breaches so that notification is only required where the breach has caused, or is likely to cause, serious harm to affected people. Criteria are given for assessing whether or not serious harm has, or is likely, to occur.
- amending the news media exemption to ensure it covers all forms of media, including “new” media such as bloggers
- limiting the news media exemption to those media that are subject to the oversight of an appropriate regulatory body (currently the Broadcasting Standards Authority or the New Zealand Media Council, with ability to add other appropriate oversight bodies by regulation)
- extending the news media exemption to include TVNZ and RNZ when they undertake “news activities”
- expressly providing that agencies may not require a person’s identifying information unless it is necessary for the lawful purpose for which the information is collected
- removing the public register privacy principles on the understanding that they are now outdated and unnecessary.
When enacted the new Privacy Act will:
- empower the Privacy Commissioner to issue a compliance notice in the event of a breach of the Act
- empower the Privacy Commissioner to issue a determination when a person has requested access to personal information and has been refused
- introduce of mandatory reporting of harmful privacy breaches – bringing New Zealand into line with international best practice
- regulate the movement of personal information out of the jurisdiction with a new cross border disclosure principle.
Mr Edwards says he will continue to make the case for more civil enforcement powers and other modernising reforms to ensure that New Zealand’s privacy framework is robust, fit-for-purpose and comparable to those of its trading partners.