On 1 December 2020, the New Zealand Privacy Act 2020 will come into operation and repeal and replace the Privacy Act 1993.
The Privacy Act 2020 modernises New Zealand’s privacy laws and seeks to keep pace with international standards and technology. While New Zealand’s new privacy legislation is not as onerous as other international privacy laws, such as the GDPR, it still introduces significant changes including:
- mandatory data breach notification;
- new investigative and regulatory powers for the New Zealand Privacy Commissioner; and
- new criminal offences and penalties, including fines of up to $10,000.
Information about the Privacy Act 2020 can be found on the New Zealand Privacy Commissioner’s website.
Importantly, overseas businesses will be expressly required to comply with New Zealand’s privacy laws as the Privacy Act 2020 has extraterritorial effect. Any actions taken by an overseas organisation in the course of carrying on business in New Zealand in respect of personal information collected or held by the organisation will be caught by the Act. An overseas business or organisation may be treated as carrying on a business in New Zealand, even if it does not have a physical presence in New Zealand.
If your organisation carries on a business in New Zealand it should familiarise itself with the new Privacy Act, if it has not done so already. Time is passing quickly and 1 December is just around the corner. However, it is not too late to assess if you must comply with the Privacy Act 2020 and update your processes, policies and procedures to be compliant.