Everything You Need to Know About NZ’s New Privacy Act 2020

The New Zealand government introduced the New Privacy Act 2020 (NZ) on December 1, 2020, bringing several reforms to the way organizations collect, use, and manage users’ data. The new legislation will replace the existing Privacy Act 1993 (NZ).

The new privacy law imposes strict rules on data protection and mandates that businesses report data breaches immediately. The New Privacy Act 2020 will apply to all organizations and cloud computing providers based in New Zealand, as well as overseas companies that collect information related to New Zealanders.

What the New Privacy Act Covers

  • Whether the Privacy Act effectively protects personal information and provides a practical and proportionate framework for promoting good privacy practices
  • Whether individuals should have direct rights of action to enforce privacy obligations under the Privacy Act
  • The impact of the notifiable data breach scheme and its effectiveness in meeting its objectives
  • Whether a statutory tort for serious invasions of privacy should be introduced into Australian law
  • The effectiveness of enforcement powers and mechanisms under the Privacy Act and how they interact with other Commonwealth regulatory frameworks
  • The desirability and feasibility of an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws

Penalty for Non-Compliance

As per the Privacy Act 2020, enterprises could be fined up to NZ$10,000 ($7,000) for violating the data protection laws. The Act allows the Office of the Privacy Commissioner (OPC) to raise the penalty to NZ$230,000 ($162,000). The OPC can also investigate an organization concerning security incidents or data protection practices.

Recently, the New Zealand government also launched its new data breach reporting tool “NotifyUs” to help organizations report data breaches and assess whether a security incident is notifiable or not.