Law and the regulatory authority
Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?
The protection of PII is primarily governed by the Privacy Act 2020 (the Act). The Act regulates the collection, storage, security, access, correction and other dealings with personal information by both public and private agencies. The Act adopts a principle-based framework centred on 13 information privacy principles (IPPs). These IPPs originate from the Organisation for Economic Cooperation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which were adopted in 1980.
Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.
The Office of the Privacy Commissioner is responsible for overseeing data protection law in New Zealand and gains its authority through the Act.
The privacy commissioner can instigate an investigation of an agency’s dealings with personal information on the commissioner’s own initiative. The commissioner may also (but is not obliged to) instigate such an investigation as a result of a submitted complaint.
When investigating an agency’s dealings with personal information, the commissioner can regulate their own procedure as they see fit (subject to the Act and its regulations).
When requested to do so by any agency (being any person or legal entity excluding certain government authorities), the commissioner can conduct an audit of personal information maintained by that agency to ascertain whether the information is maintained according to the IPPs. The commissioner may also commence investigations, on the commissioner’s own initiative, into any matter in respect of which a complaint may be made under the Act.
The privacy commissioner can issue compliance notices to require an agency to either do or stop doing something and has certain powers around information gathering, such as shortening the timeframe in which an agency must comply with investigations. The penalty for failing to comply can be up to NZ$10,000.
Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?
There is no express legal obligation under the Act for the Office of the Privacy Commissioner to cooperate with international data protection authorities. Further, New Zealand is not a party to any binding cross-border privacy schemes, such as the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules System.
Under the Act, the privacy commissioner may refer matters to an overseas privacy enforcement authority where the complaint relates to a matter that is more properly within its jurisdiction.
As a matter of good practice, the privacy commissioner continues to engage with the premier global network of privacy commissioners as a founding member of the Global Privacy Enforcement Network and a participant in the APEC Cooperation Arrangement for Cross-Border Privacy Enforcement. The privacy commissioners of New Zealand and Australia signed a memorandum of understanding (MOU) in 2008 to facilitate cooperation between their offices on privacy-related issues (including information sharing). However, the MOU is not intended to be legally binding; rather, it provides a practical means of meeting the cooperation targets set out in the APEC Privacy Framework.
Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?
Under the Act, the Human Rights Review Tribunal can award damages for interference with an individual’s privacy. Binding decisions on complaints about information access requests are made by the privacy commissioner rather than the tribunal (although such decisions are subject to a right of appeal to the tribunal).
Following an investigation of any privacy complaint by the Office of the Privacy Commissioner, if the alleged interference cannot be settled between the relevant parties, proceedings can be brought in the tribunal and remedies that are sought can include damages. The tribunal may award damages in respect of the interference with the privacy of an individual to appropriately compensate them for the humiliation, loss of dignity and injury to feelings caused by serious breaches, as well as the loss of any benefit (monetary or other) that the individual might reasonably have expected to obtain if the interference had not occurred.
Criminal penalties are not available in respect of any breach of the Act. However, under the Crimes Act 1961, criminal penalties are available in respect of the unlawful interception of private communications, as well as certain unlawful monitoring and surveillance activities.
Scope
Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?
The Privacy Act 2020 (the Act) does not apply to the collection and reporting of news and current affairs. However, this exclusion does not extend to include ‘citizen journalists’, such as bloggers. The Act also does not apply to:
While New Zealand’s intelligence and security agencies are not excluded wholesale from the application of the Act, non-compliance with certain information privacy principles is permitted under the Act to the extent the non-compliance is necessary to enable an intelligence and security agency to perform any of its functions.
Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.
The Act does not expressly cover interception of communications, electronic marketing or monitoring and surveillance of individuals, although the information privacy principles will apply to the collection and processing of any personal information obtained through monitoring and surveillance activities. The relevant law in this regard is as follows.
Under the Crimes Act 1961, a person faces up to two years’ imprisonment if they intentionally intercept any private communication through an interception device (eg, a recording device), other than when they are authorised to do so under other legislation (eg, the Search and Surveillance Act 2012, the Intelligence and Security Act 2017 or the International Terrorism (Emergency Powers) Act 1987). Any intentional disclosure of a private communication, of the substance or meaning of that communication, or of the existence of a private communication could also result in up to two years’ imprisonment.
The Unsolicited Electronic Messages Act 2007 prohibits:
The Crimes Act 1961 imposes criminal penalties for certain restricted monitoring and surveillance activities, including intimate visual recordings. Under the Crimes Act 1961, any individual who intentionally or recklessly makes, possesses (in certain circumstances), publishes, imports or sells intimate visual recordings of another person is liable to imprisonment. The Search and Surveillance Act 2012 regulates police powers, including the power to monitor compliance with the law and to carry out investigations and the prosecution of offences.
Identify any further laws or regulations that provide specific data protection rules for related areas.
Under the Act, the Office of the Privacy Commissioner can issue specific codes of practice that modify the practical operation of the provisions of the Act in particular industries. Codes of practice regulating credit reporting, health information, information sharing by the civil defence during national emergencies, telecoms information, superannuation information and justice sector unique identifiers have been issued in New Zealand to date.
What forms of PII are covered by the law?
All forms of PII are covered by the Act. Any information that falls within the definition of ‘personal information’ under the Act (ie, information about an identifiable individual) is protected.
Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?
The Act aims to regulate:
Under the Act a ‘New Zealand agency’ includes:
The Act aligns its application to extra-territorial agencies with the position under the EU General Data Protection Regulation (GDPR). Some overseas entities may be deemed to be agencies carrying on business in New Zealand regardless of whether or not they:
Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?
The Act provides that a person remains accountable for PII that is held by another person as its agent (ie, those who provide PII processing services). Accordingly, persons who provide services to the original owner of the PII as its agent (eg, cloud providers and other service providers that process information on behalf of others) will be held accountable for the PII that they hold, store and process only to the extent that the agent uses or discloses the information for its own purposes.
Law stated date
Give the date on which the information above is accurate.
26 May 2021.
© Copyright 2006 – 2022 Law Business Research