New Zealand to Require Breach Notice, Strengthen Cross-Border Transfer


By Murray Griffin

May 29 — The New Zealand government May 28 released a fact sheet detailing its intended proposals to update the country's data protection regime, including the introduction of new controls on cross-border disclosures and a requirement that companies and public agencies provide data breach notification.

The government announced in 2012 that it would repeal the Privacy Act 1993, but until now it hasn't provided details on the content of the proposed replacement.

The government said it will consult with stakeholders before introducing a replacement bill to Parliament.

“It's vital that New Zealanders have confidence in our privacy laws, and that people know their information is in safe hands,” Justice Minister Judith Collins said in a May 28 statement.

EU Adequacy Status

The changes will “help ensure” that the European Union continues to find New Zealand's data protection regime “adequate,” the fact sheet said. In December 2012, the European Commission announced that it considers New Zealand's data protection regime to provide an adequate level of privacy protection to EU citizens' data, meaning that EU data can be freely transferred to New Zealand companies and organizations.

That adequacy finding “is a major advantage to New Zealand business,” according to the fact sheet.

The proposals would oblige companies and agencies sending data overseas to ensure that the recipient organization had “acceptable privacy standards,” according to the fact sheet.

The Office of the Privacy Commissioner—the country's data protection authority—would be empowered under the proposals to publish a list of countries with acceptable privacy laws to help businesses and agencies determine whether overseas recipients are likely to have adequate measures in place, the fact sheet said.

Mandatory Breach Notification

According to the fact sheet, the government will propose that businesses and government agencies be required to notify the DPA of all “material” data breaches.

Factors to consider in determining whether a breach is material include “the sensitivity of the information, the number of people involved and whether there are indications of a systemic problem,” the fact sheet said.

For more “serious breaches,” covered entities “will have to take reasonable steps to notify affected individuals, if there is a real risk of harm.” Determining whether a breach reaches the risk-of-harm threshold requiring notification involves considering factors “such as actual or potential loss, injury, significant humiliation or adverse effects on rights or benefits,” the fact sheet said.

Companies may face fines of up to NZ$10,000 ($8,483) for failure to notify the DPA of a material breach.

Government agencies that fail to notify the DPA of a breach will not face fines. “For now, the Government considers that the prospect of being ‘named and shamed’ is the most effective deterrent to ensure public sector agencies report breaches,” the fact sheet said.

The replacement law would also give the DPA new enforcement powers to initiate investigations into possible privacy violations and to issue compliance notices.


Full text of the “Privacy Act Review Q & A” document is available at
