
Do you need to update your privacy policies before the new regulations bite?

Contributed by:

Mark Gavin


Traditionally, privacy compliance has been perceived as relatively low risk – NZ businesses have not necessarily sought to comply with our privacy laws, typically because our Privacy Commissioner “lacked teeth”.


That’s about to change. The Privacy Bill is currently before the Select Committee (the Justice Committee), with the Committee’s report to the House due by 13 March 2019.


The new laws working their way through the Committee stage will have some impacts that cannot be ignored. At this point, every business that handles personal information should be taking proactive steps to review their internal privacy policies and procedures ahead of the law change.


The likely impacts include:

  • New powers for Privacy Commission: The Privacy Commission will gain the power to make decisions on complaints relating to an individual’s access to information – currently this is undertaken by the Human Rights Review Tribunal. The existing investigative powers of the Privacy Commission will also strengthen – e.g. shorter timeframes for compliance with their investigations, increased penalties for non-compliance, and the power to issue Compliance Orders and binding decisions that require the relevant businesses to take specific remedial steps.
  • Mandatory reporting of data breaches:  this has definitely caught people’s attention.  Essentially, privacy breaches will be notifiable to the Privacy Commissioner and to affected individuals, in some cases.  This is a potential PR nightmare, as businesses weigh the requirement to report breaches against the harm that over-reporting might cause to that business’s reputation in the market.
  • Transferring data outside of NZ:  these days, NZ businesses are likely to utilise software or services physically located in other countries, to process their data.  Where personal information is among that data, our new privacy laws will require the NZ business to take “reasonable steps” to ensure that the overseas recipient operates to acceptable standards.
  • New criminal offences: the new law adds a number of new criminal offences, including misleading an agency or the Privacy Commissioner in a way that gains access to or affects someone else’s information, or knowingly destroying documents containing personal information after the information was requested.
  • The impact of technology:  the new privacy laws in the EU, Australia and (now) NZ are driven primarily by the advancements in technology and the increasing speed at which personal information can be gathered and shared (think ‘Social Media’ and search engines). In the EU, privacy law has gone as far as to give people the “right to be forgotten” – essentially, a right to demand that the data controller or data processor (e.g. Facebook, Google, etc) deletes your personally identifiable information.  Closer to home, Australian privacy law (and now NZ privacy law) is introducing a requirement to report data/privacy breaches (as above).
  • Closer alignment with Australian privacy law:  it seems likely that NZ will implement new steps and procedures that are based very closely on Australia’s approach.  This means businesses that operate in NZ and Australia will be able to ‘harmonise’ their data/privacy practices to a greater extent and, for instance, have one single Privacy Policy (with only minor differences) across both countries.
  • Still falls short of Europe’s privacy law:  despite introducing new steps and procedures, NZ privacy law will continue to fall short of some of the more comprehensive obligations and fines/penalties under the EU’s General Data Protection Regulation (GDPR).


In preparation for these new laws, we’ve been assisting our clients with:

  • general data privacy impact assessments – looking at the flow of personal information through a business, and determining where the privacy risks lie;
  • reviewing and updating Privacy Policies – a key document to ensure proper authorisation and consent is obtained from each individual;
  • advising on privacy compliance issues that may arise, when personal information is transferred offshore; and
  • implementing a ‘best practice’ approach to privacy – which broadly covers contractual arrangements with individual customers/clients, developing privacy compliance manuals, framing and implementing Privacy Policies, developing internal procedures for the management of personal information, and so on.


We are here to help if you have any questions about these law changes.

