Privacy Act 2020 comes into force

Tuesday 1 December 2020

Authors: Laura Littlewood and Tania Goatley

​​The long-awaited Privacy Act 2020 comes into force today, 1 December 2020. The updates in the new Privacy Act are intended to reflect changes in technology and the ways in which personal information is collected, stored and shared.

Key changes

The three key changes that you should be aware of are:

  1. It is now mandatory to notify the Privacy Commissioner and affected individuals of a privacy breach that is likely to cause serious harm. Failure to notify the Privacy Commissioner of a notifiable privacy breach, without reasonable excuse, is an offence with a fine of up to NZ$10,000. ​

  2. The new Privacy Act introduces a new Information Privacy Principle 12 (IPP12), which provides stronger protections for the transfer of personal information outside New Zealand to a foreign person or entity (other than a foreign person or entity that is an agent, such as a service provider).

  3. Businesses located outside New Zealand should be aware that the Privacy Act now applies to any action that it takes, in respect of personal information, in the course of “carrying on business in New Zealand". This means that the Privacy Act 2020 is likely to apply to platforms that target New Zealand customers, even if they do not have premises or employees here.

Please refer to Bell Gully's Guide to the Privacy Act 2020 for a list of all changes in the Privac​​y Act 2020.

Are your practices up to​ date?

You should now have your privacy practices up-to-date and be ready to comply with the mandatory reporting regime. If you have any questions or require any other guidance on the new Privacy Act, please contact our specialist privacy team or your usual Bell Gully advisor.

Bell Gully has also published the following resources that may be of assistance:

  • Guide to the Privacy Act 2020 and Mandatory Breach Reporting - this includes a practical checklist to ensure you are prepared.

  • Privacy Breach Chatbot - this can help you decipher whether you have a notifiable data breach.

  • Privacy Review - this provides an overview of a privacy review framework, if you are considering a full review of your privacy practices.

  • Update on IPP12 - this provides further information on the requirements applicable where you transfer personal information to a foreign person or entity.​


Disclaimer

This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.

For more information
  • Laura Littlewood

    Partner Auckland
  • Tania Goatley

    Partner Auckland
Related areas of expertise
  • Privacy and data protection
  • Information, communications and technology
  • Cyber security
  • Consumer law
  • Media