May 29 — The New Zealand government May 28 released a
sheet detailing its intended proposals to update the country's data
protection regime, including the introduction of new controls on cross-border
disclosures and a requirement that companies and public agencies provide data
The government announced in 2012 that it would
repeal the Privacy Act 1993, but until now it hasn't provided details on the
content of the proposed replacement.
The government said it will consult
with stakeholders before introducing a replacement bill to Parliament.
“It's vital that New Zealanders have confidence in our privacy laws, and that
people know their information is in safe hands,” Justice Minister Judith
Collins said in a May 28 statement.
changes will “help ensure” that the European Union continues to find New
Zealand's data protection regime “adequate,” the fact sheet said. In December
2012, the European Commission announced that it considers New Zealand's data
protection regime to provide an adequate level of privacy protection to EU
citizens' data, meaning that EU data can be freely transferred to New Zealand
companies and organizations.
That adequacy finding “is a major advantage
to New Zealand business,” according to the fact sheet.
would oblige companies and agencies sending data overseas to ensure that the
recipient organization had “acceptable privacy standards,” according to the
The Office of the Privacy Commissioner—the country's data
protection authority—would be empowered under the proposals to publish a list
of countries with acceptable privacy laws to help businesses and agencies
determine whether overseas recipients are likely to have adequate measures in
place, the fact sheet said.
According to the fact sheet, the government will propose that businesses and
government agencies be required to notify the DPA of all “material” data
Factors to consider in determining whether a breach is
material include “the sensitivity of the information, the number of people
involved and whether there are indications of a systemic problem,” the fact
For more “serious breaches,” covered entities “will have to
take reasonable steps to notify affected individuals, if there is a real risk
of harm.” Determining whether a breach reaches the risk-of-harm threshold
requiring notification involves considering factors “such as actual or
potential loss, injury, significant humiliation or adverse effects on rights or
benefits,” the fact sheet said.
Companies may face fines of up to
NZ$10,000 ($8,483) for failure to notify the DPA of a material breach.
Government agencies that fail to notify the DPA of a breach will not face
fines. “For now, the Government considers that the prospect of being ‘named and
shamed' is the most effective deterrent to ensure public sector agencies report
breaches,” the fact sheet said.
The replacement law would also give the
DPA new enforcement powers to initiate investigations into possible privacy
violations and to issue compliance notices.
contact the reporter on this story: Murray Griffin in Melbourne at firstname.lastname@example.org
To contact the editor
responsible for this story: Donald G. Aplin at email@example.com
Full text of the “Privacy Act Review Q & A” document is available at http://op.bna.com/pl.nsf/r?Open=dapn-9kkkps.
To view additional stories from Privacy & Security Law
Report® register for a free trial now