Yesterday the Justice Select Committee released its report on the Privacy Bill, following consultation with submitters.
The amendments proposed are moderate and do not represent a major shift from the Bill as it was introduced; however, the report provides more insight into what the final legislation may look like when passed, and clarifies how the amended law will work in practice. The Select Committee has proposed the following key amendments to the Bill:
The Committee recommends that the Bill be amended so that it is made clear that the Privacy Act applies to any actions by a New Zealand entity, whether these actions occur inside or outside of New Zealand. The legislation will apply to all personal information collected or held by New Zealand entities, regardless of where the information was collected and where the person to whom the information relates resides.
The Bill will also apply to any actions taken by an overseas entity in the course of carrying on business in New Zealand. An entity may be treated as carrying on business in New Zealand whether or not it charges any monetary payment for goods or services, or makes a profit from its business or has a physical presence in New Zealand.
Relevantly, the offence provisions of the legislation will apply to all entities, including those outside New Zealand, if any act or omission forming part of the offence, or any event necessary to the completion of the offence, occurred in New Zealand.
This recommendation represents a huge change to the jurisdictional impact of the Privacy Act, and provides important clarification as to how the legislation applies to entities based outside of New Zealand. Entities that conduct business in New Zealand will need to ensure that their privacy policies and practices comply with New Zealand law. By way of example, entities may need to review their policies to ensure affected individuals are given all of the information required by Information Privacy Principle ('IPP') 3. Entities will also need to be familiar with how to deal with access requests from individuals.
News media exemptions
Like the current Privacy Act, the proposed Bill will not apply to news media. The Select Committee has recommended that the definition of "news activity" be expanded from "preparation or compiling of articles or programmes" to instead refer to "publishing" news, observations on news, and current affairs. This will mean that publications in books or on the internet can now come under the "news activity" exemption. It remains to be seen how the assessment of what constitutes "news, observations on news and current affairs" will be treated, given the information age in which the media now operate and the blending of traditional news and current affairs with reporting on matters of interest to the public.
Only organisations that are subject to independent standards of conduct, including privacy standards and a complaints procedure, can be considered a news entity for the purposes of the Act (for example, entities that are subject to the Broadcasting Standards Authority or the New Zealand Media Council). In the Bill as introduced, Radio New Zealand and Television New Zealand were to be held to a higher standard than other media since they are Crown entities. The Select Committee has recommended that this be amended so that RNZ and TVNZ are brought within the media exemption along with other outlets.
Disclosing information to an agency overseas
The Select Committee recommends that a new IPP should be introduced to specifically regulate the disclosure of personal information outside New Zealand.
In most cases an entity that wants to disclose personal information to a foreign person or entity would need to satisfy at least one of the criteria set out in the proposed IPP 12(1), which include (for example) that the agency believes on reasonable grounds that the foreign person or entity must protect the information in a way that, overall, provides comparable safeguards to those outlined in the Bill.
This constitutes a material change from the status quo, in that businesses transferring personal information overseas will now need to proactively consider what privacy laws or safeguards apply to the entity to which information will be disclosed. This goes further than the general obligation currently provided for by IPP 5 to keep the information safe and secure.
Notification of breaches
As introduced, the Bill provided that notification to the Privacy Commissioner would be required if a breach caused harm or posed a risk of harm to an individual. The Select Committee has agreed with submitters that this threshold is too low and may result in over-notification and data-breach complacency, and instead recommends that breaches should be notifiable if "it is reasonable to believe that the breach may have caused serious harm to affected individuals, or is likely to do so".
The Select Committee has suggested including factors in the legislation that entities must consider when assessing whether a privacy breach is likely to cause serious harm. These include:
any actions taken by the agency to reduce the risk of harm;
whether the information is sensitive;
the nature of the potential harm;
who has obtained or may obtain the information; and
whether the information is protected by security measures.
Notification of a breach may be delayed in some circumstances where it is sensible to do so, for example if an entity's security systems remained vulnerable following a privacy breach, and notification needs to be delayed to prevent the risk of more harm.
While it will be an offence not to notify the Commissioner of a notifiable privacy breach, the Select Committee has recommended that there should be a defence to this charge if it was reasonable for the entity to consider that the breach was not a notifiable breach.
The requirement to notify based on the threshold of "serious harm" would bring the threshold for notification in line with that used in Australia, although there are some differences in the factors to be considered when determining whether the threshold is met. At present there are also some differences as to how the notification process will work in practice in New Zealand, in particular in respect of the proposed ability to delay notification in some circumstances.
Other key recommendations
A storing or processing agency that used or disclosed information for its own purposes should be accountable to the affected individual and will also be treated as holding information.
The transfer of data between an entity and a cloud service provider would not be a disclosure for the purpose of the IPPs.
When collecting personal information from children and young persons, an agency must take into account their vulnerability.
The Bill should allow for possible future participation by New Zealand in binding cross-border privacy schemes.
Entities must take reasonable steps to ensure that a unique identifier is only assigned to an individual whose identity is clearly established.
The risk of a misuse of a unique identifier must be minimised, for example by showing truncated account numbers on receipts or in correspondence.
Entities can presently refuse access to information if the disclosure would be likely to endanger the safety of an individual. The Select Committee has suggested that a request should also be able to be refused if there is a serious threat to public health or safety, or the life or health of any individual.
An entity should be required to refuse access to information if it has reasonable grounds to believe the request was made under duress.
The Commissioner should be given a general discretion to decide not to investigate any claims made under the legislation.
The Human Rights Review Tribunal should be given the express power to close proceedings when necessary to hear and determine an access complaint.
It will be made clear that an entity's privacy officer can be appointed externally to the agency.
The Select Committee has not adopted all of the changes recommended by the Privacy Commissioner. In particular, the Select Committee has not recommended that a right to erasure, also known as the "right to be forgotten", be introduced in New Zealand. The possible financial penalties for breaching the Act also remain relatively low, contrary to the Commissioner's recommendations, although in practice the reputational risk that arises if the Act is breached is generally sufficient to ensure compliance by most New Zealand entities.
Our privacy team is closely monitoring the progress of the Privacy Bill and will continue to provide updates as new information comes to light. Please see our previous publications on privacy law reform and the Privacy Commissioner's submission on the bill.
If you have any questions about these proposed amendments, please get in touch with the authors or your usual Bell Gully advisor.
This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.