We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
06 March 2018
The EU General Data Protection Regulation (GDPR) will come into full effect on May 25 2018 and will affect New Zealand businesses that do business with EU residents or entities or have a presence in the European Union.
In addition, the New Zealand privacy commissioner recently released a report(1) recommending that the Privacy Act 1993 be substantially amended (including to comply with the GDPR) and the Ministry of Justice has indicated that privacy reform is a key initiative.(2)
This update examines these changes and what they mean for New Zealand businesses in practice.
The GDPR sets out a data protection framework to be applied across the European Union, which substantially enhances individual data protection and privacy rights. The privacy commissioner has noted that "it is widely perceived as the most stringent and most influential privacy law in the world: the 'gold standard'".(3)
Consistent with New Zealand privacy legislation, the GDPR concerns the storage and use of personal information, which is information about an identifiable natural person.
The GDPR states that compliance with it is mandatory and applies worldwide to all entities (including those based in New Zealand) that hold or use data concerning people within the European Union. Non-compliant organisations risk fines of up to €20 million or 4% of their total worldwide annual turnover.
The key differences between the position under the GDPR and the current position in New Zealand are as follows:
Given the GDPR's extraterritorial reach, New Zealand businesses that do business with or have a presence in the European Union will need to review their systems and policies with regard to the processing of personal information to ensure that they comply with the GDPR in advance of the May 25 2018 deadline. The European Commission recently published guidance on the new rules.(10)
At present, New Zealand's privacy law is formally recognised by the European Union as providing an adequate level of data protection to meet the requirements of existing EU law and this recognition provides a legal basis for EU businesses to send data freely to New Zealand for processing. However, this formal recognition will be subject to ongoing review and with the more stringent EU standards set out in the GDPR coming into effect, there is a risk that New Zealand's status will be lost if its law is seen as falling below those standards.
In February 2017 the privacy commissioner published a report to the minister of justice under Section 26 of the Privacy Act, setting out the following recommendations for reform:
The Ministry of Justice is reviewing the Privacy Act at present and intends to present a new privacy bill to Parliament. It is anticipated that any new privacy bill will implement these recommendations and possibly introduce some of the other rights and obligations provided for in the GDPR to ensure that New Zealand's privacy laws meet internationally recognised standards.
Many EU data protection experts are predicting a material rise in privacy litigation following the introduction of the GDPR, as businesses struggle to adapt to new privacy obligations and individuals are afforded new rights of action for privacy breaches.
Article 82 of the GDPR provides individuals with a right to claim compensation for material and non-material damage resulting from privacy breaches. This is consistent with the existing position in New Zealand under Section 88 of the Privacy Act, which enables individuals to bring a claim to the Human Rights Review Tribunal for:
There is an international trend towards higher compensation awards for privacy breaches, with significant sums being ordered to compensate non-financial harm and provide a clear deterrent in an environment where personal information is increasingly valuable. The most significant award of damages in New Zealand to date was the NZ$168,000 ordered in the 2015 case Hammond v Credit Union Baywide,(12) which was more than three times the next highest award and increased the band guidelines for future cases.
There is also an international trend towards privacy-related class action litigation. On December 1 2017, following class action proceedings brought by 55,187 existing and former staff members, the English High Court found the supermarket chain Morrisons vicariously liable for the leaking of payroll information by one of its employees, despite also concluding that Morrisons had adequate and appropriate data security measures in place at the time.(13) There is nothing in the Privacy Act that would prevent similar claims being brought before the Human Rights Review Tribunal in relation to privacy breaches in New Zealand. Given the recent rise of class action litigation in New Zealand, similar privacy-related class actions are anticipated in the near future.
New Zealand businesses will need to review their data management processes to ensure compliance with changing international standards where applicable. Given the apparent inevitability of reform in New Zealand, there is no reason to wait for a change in law to begin examining such practices.
Businesses should consider:
For further information on this topic please contact Felicity Monteiro or Sam Holden at Wilson Harle by telephone (+64 9 915 5700) or email (firstname.lastname@example.org or email@example.com). The Wilson Harle website can be accessed at www.wilsonharle.com.
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.