On June 26, 2020, New Zealand Justice Minister Andrew Little announced that the bill to repeal and replace New Zealand’s existing Privacy Act 1993 (the “Privacy Bill”) had passed its third reading in Parliament. The Privacy Bill received royal assent on June 30, 2020.

The Privacy Bill retains certain aspects of the Privacy Act 1993, but includes some significant changes. Key reforms include:

  • Scope/Applicability. The Privacy Bill applies to all agencies (defined to include individuals, public sector agencies and private businesses) carrying out business in New Zealand, regardless of whether they have a physical presence in the country.
  • Mandatory Data Breach Notification. The Privacy Bill introduces a mandatory requirement for businesses to report certain data breaches (i.e., those that pose a risk of harm, loss or damage to affected individuals) to the New Zealand Privacy Commissioner and affected individuals. In contrast, under the Privacy Act 1993 data breach notification is not mandatory, though nonbinding guidance from the Privacy Commissioner encourages businesses to report breaches to the Privacy Commissioner and affected individuals.
  • Cross-Border Data Transfers. The Privacy Bill imposes restrictions on cross-border transfers of personal information. Specifically, agencies will be required to take reasonable steps to ensure that personal information transferred outside New Zealand is protected by comparable privacy standards to the Privacy Bill.
  • Enforcement. The Privacy Bill enhances the powers of the Privacy Commissioner by shortening the timeframes in which an agency must comply with investigations and increasing penalties for non-compliance with the law from $2,000 to $10,000 NZD. The Privacy Bill also allows for class actions in certain circumstances and introduces potential criminal penalties for certain violations of the law.

The Privacy Bill is projected to come into force on December 1, 2020.