New Zealand updated its data protection law with the Privacy Act 2020, which came into force on December 1, 2020. This law replaces the Privacy Act 1993 and introduces some significant changes to align with international standards and best practices. In this blog post, we will explore some of the key features of the Privacy Act 2020 and compare them to the General Data Protection Regulation (GDPR), which is the main data protection law in the European Union (EU) and the European Economic Area (EEA).
What is the Privacy Act 2020?
The Privacy Act 2020 is a law that governs how organisations and businesses can collect, store, use and share personal information of individuals in New Zealand. Personal information is any information about an identifiable individual, such as name, address, email, phone number, health records, financial details, etc. The Privacy Act 2020 aims to protect the privacy rights of individuals and ensure that their personal information is handled in a fair, transparent, and secure manner.
The Privacy Act 2020 is based on 13 privacy principles that set out the rules for how personal information should be collected, used, disclosed, stored, and accessed. The principles cover topics such as:
- – Purposefulness and lawfulness of collecting personal information;
- – Collection of personal information preferably from the individual concerned;
- – Notice and consent requirements for collecting personal information;
- – Security measures against loss, misuse, and disclosure;
- – Access and correction rights;
- – Assuring accuracy and quality of information before using and disclosing it;
- – Limits on using and retaining personal information based on necessity;
- – Conditions for disclosing and transferring personal information, in particular overseas;
- – Limiting the use of unique identifiers.
The Privacy Act 2020 also establishes the role and functions of the Privacy Commissioner, who is an independent authority that oversees the compliance with the law, investigates complaints, issues guidance, conducts audits, enforces sanctions, and promotes education and awareness.
It has an outstandingly informative website with great resources, such as a section-by-section comparison of the 1993 and 2020 act, and summaries of each principle with real-life examples of the law’s application.
What is the GDPR?
The GDPR is a regulation that aims to harmonise national data privacy laws throughout the EU and the EEA. It also applies to any organisation outside the EU and the EEA that either offers goods or services to individuals in the EU or the EEA, or monitors their behaviour. The GDPR came into effect on May 25, 2018 and is considered one of the most comprehensive and strictest data protection laws in the world.
The GDPR is based on seven principles that set out the rules for how personal data should be processed. Personal data is any information relating to an identified or identifiable individual, such as name, address, email, phone number, health records, financial details, etc. The principles are:
- – Lawfulness, fairness, and transparency of processing personal data
- – Purpose limitation
- – Data minimisation
- – Accuracy and quality of personal data
- – Storage limitation
- – Security, integrity, and confidentiality of personal data
- – Accountability and responsibility of data controllers and processors
The GDPR further places significant emphasis on rights of individuals to control their own data by establishing the right to access, rectify, erase, restrict, object to the processing of their personal data, and the right to data portability. In order to allow for the exercise of these rights, transparency is required from those processing personal data.
It also establishes the role and functions of the European Data Protection Board (EDPB), which is a body composed of representatives from national data protection authorities that oversees the consistency and cooperation among EU member states. The EDPB issues guidelines, opinions, decisions, and recommendations on various aspects of the GDPR. The GDPR also empowers national data protection authorities to enforce the law, investigate complaints, conduct audits, impose fines and sanctions, and promote education and awareness.
How do they compare?
The Privacy Act 2020 and the GDPR share some common objectives and features, such as:
- – Enhancing the protection of individuals’ privacy rights and empowering them with more control over their personal information;
- – Simplifying the regulatory environment for businesses and organisations that handle personal information across borders;
- – Promoting transparency, accountability, and security in processing personal information; and
- – Providing mechanisms for oversight, enforcement, and redress.
However, there are also some notable differences between the two laws, such as:
Scope: The Privacy Act 2020 applies to any organisation that collects or holds personal information in New Zealand or transfers it outside New Zealand. There is a different act in New Zealand that applies specifically to health information and modifies several of the 13 privacy principles, and another one that regulates credit reporters. The GDPR applies to any organisation that offers goods or services to individuals in the EU or EEA or monitors their behaviour, regardless of where they are located. Article 9(4) provides for the EU member states to regulate health data as they see fit, so that the GDPR is merely a minimum standard when it comes to the processing of health data.
Anonymization: New Zealand’s Privacy Act does not define the concepts of anonymized or de-identified data. However, it permits the use of personal information for secondary purposes and to be disclosed to another person or organization if it is “used in a form in which the individual concerned is not identified.” Whether this simply requires stripping the data of direct identifiers or something stricter than that is unclear. Since personal information is defined as “information about an identifiable individual,” it would stand to reason that “not identified” and not “identifiable” mean something different, because if the individual was not identifiable, the Privacy Act does not apply and no specific exception permitting secondary uses or disclosure would be required. The GDPR, on the other hand, explicitly distinguishes between pseudonymized and anonymized information, making it clear that anonymization must be irreversible and would then render the GDPR inapplicable. The GDPR further clarifies that when determining whether an individual is identifiable, “account should be taken of all the means reasonably likely to be used.”
Consent: The Privacy Act 2020 does not require consent (called “authorization”) as a basis for collecting or using personal information, not even for sensitive information, although the Privacy Commissioner says a higher standard of care applies to sensitive personal information. It is also one of the exceptions to the rule that information must be collected from the individual themselves, rather than from a third party, to the rule that personal information may not be used for a purpose other than those for which it was collected, and to the rule that personal information may not be disclosed to a third party and to a foreign jurisdiction. The default basis for processing of personal information is its necessity for the function the organization performs. Consent must be informed, voluntary, specific, and unambiguous. The GDPR requires consent as one of the 6 lawful bases for processing personal data. Consent must be freely given, informed, specific, unambiguous, and explicit for sensitive data.
Rights: The Privacy Act 2020 provides individuals with the right to access and correct their personal information. The GDPR provides individuals with more extensive rights, such as the right to erasure (also known as the “right to be forgotten”), the right to restriction of processing, the right to data portability, and the right to object to processing.
Breach notification: The Privacy Act 2020 requires organisations to notify the Privacy Commissioner and affected individuals of a privacy breach that it is reasonable to believe has caused serious harm. The GDPR requires organisations to notify the national data protection authority and affected individuals of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals.
Sanctions: The Privacy Act 2020 allows the Privacy Commissioner to issue compliance notices and impose fines up to NZD 10,000 for non-compliance. The GDPR dwarfs these fines as it allows national data protection authorities to impose fines up to EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for non-compliance.
While the Privacy Act 2020 and the GDPR share some common objectives and features, they also have some notable differences. Organisations that operate in both New Zealand and the EU/EEA need to understand and comply with both laws. It is recommended to seek legal advice to ensure compliance with all applicable data protection laws.
Private AI is well equipped to facilitate compliance by automating the categorization and de-identification of personal data (even in free text, audio, images, and documents) across 49 languages. Using the latest advancements in Machine Learning, the time-consuming work of redacting data with high accuracy becomes three lines of code. To see the tech in action, try our web demo, or request an API key to try it yourself on your own data.