Privacy Bill: Select Committee Report

Thursday 4 April, 2019

Almost a year after the Privacy Bill was first introduced, the Select Committee has provided its much awaited report.  The Select Committee has made some significant changes to the Bill, including additional changes to the Privacy Principles and clarifications around the transfer of personal information offshore.

A number of changes have been recommended to better align New Zealand privacy principles with comparable jurisdictions.  That said, the GDPR’s ‘right to erasure’ and data portability requirements have not been captured in the Select Committee’s recommendations.

We have summarised below some of the key recommendations. 

Extraterritorial effect

The Select Committee’s report recommends that the Privacy Bill is updated to ensure that there is clarity about whether and when the privacy legislation should apply to agencies outside New Zealand.  To that end, the Report recommends that the Bill applies to any actions by:

• a New Zealand agency, whether inside or outside New Zealand; and/or
• an overseas agency in relation to personal information that it collects or holds in the course of carrying on business in New Zealand.

An overseas agency is to be treated as “carrying on business in New Zealand” whether or not it has a physical place of business in New Zealand, charges any monetary payment for goods or services, or makes a profit from its business here.  For an overseas agency, the Bill is to apply regardless of where the information is collected or held and where the person to whom the information relates is located.  

The Bill will also apply to an individual who does not ordinarily reside in New Zealand, but who is present in New Zealand.

The offence provisions are to apply to all people (including those outside New Zealand) if any offence or any event relating to the offence occurred in New Zealand – although the enforceability of this recommendation on overseas agencies without a presence in New Zealand is unclear.

Cloud Providers and Cross Border Issues

The Report confirms the position that agencies will remain accountable for personal information held by another agency as its agent (such as a cloud provider).  However, the Select Committee Report goes a step further and recommends that, if the storage or processing agency uses or discloses information for its own purposes, that agency should also be accountable to the affected individual.  Therefore, both agencies will, in effect, be treated as holding the information.

In addition, there is a new Privacy Principle proposed (to become IPP12) that addresses the disclosure of personal information outside New Zealand.  This new IPP12 is to expand on an existing principle in the Privacy Act to allow disclosure to a foreign person or entity where that foreign person or entity is part of a “prescribed binding scheme”.  The amendment is to support future participation by New Zealand in binding cross-border privacy schemes.  The Commissioner is also to have an expanded role to assist on cross-border issues.

Higher threshold for mandatory breach reporting

The Privacy Bill was drafted to include new privacy breach reporting requirements, with agencies required to report on any breaches that harmed or posed a risk of harm to an individual.  A large number of submissions on the Privacy Bill identified the risk that, as drafted, this reporting requirement would lead to over-reporting by agencies and raise compliance costs. 

With the intent to provide more certainty and to better align the Bill with overseas jurisdictions, the Select Committee has proposed a higher threshold of “serious harm” for notifiable privacy breaches – amending the definition of “notifiable privacy breach” to be a privacy breach that it is reasonable to believe has caused serious harm (or is likely to do so).  Guidance is also provided on the factors to be considered by an agency in determining whether a breach is a “notifiable privacy breach”, including the sensitivity of the information and the nature of the harm that may be caused.

In addition, the Select Committee has recommended some exemptions and other amendments to the notification regime, including allowing agencies to delay notifications to the affected individuals (but not the Privacy Commissioner) where such notification could reveal a security risk.  

It is also worth noting that agencies that outsource their data storage or processing to another agency (such as a cloud provider) will remain responsible for informing individuals of any notifiable breach, regardless of which agency caused the breach.  The Select Committee recommended an amendment to the Bill to ensure that it is clear that, if a service provider knows about a privacy breach, the outsourcing or principal agency is also treated as knowing about it.  It is therefore critical that agreements between an agency and outsourcing agency include terms that set out when the service provider will notify the principal agency about a privacy breach.    

“Name and shame” compliance notices

The Privacy Bill allows the Commissioner to issue compliance notices to make an agency do something (or stop doing something) to comply with privacy law.  The Select Committee has added an additional limb to allow the Commissioner to publish the fact that such compliance notice has been issued, including the identity of the agency (unless it would cause the agency undue harm that outweighs the public interest).  This “name and shame” approach may promote greater compliance depending on how the Commissioner uses this new power.

If you would like further detail on how this may impact your business, please contact a member of our Commercial & Corporate team to discuss.