Privacy Act 2020 – new laws restricting overseas disclosure of personal information

Introduction

As cyber-attacks grow in number and sophistication, and as more employees and businesses use third-party software and remote network access (e.g. working from home) to work and communicate, people are becoming more concerned about the security of their personal information: up to three-quarters of New Zealanders are concerned about how businesses handle their personal information.[1]

The most significant concern for consumers around data privacy is the possibility of their data being hacked and their personal information stolen, followed by the concern that their data will be shared with or sold to other companies.[2]

These concerns (and related cyber-security risks) highlight the importance for organisations to be aware of and comply with New Zealand’s privacy laws. The Privacy Act 2020 (“the Act”) came into force on 1 December 2020, replacing the Privacy Act 1993.

In this article, we discuss one of the key changes in the Act (compared to the Privacy Act 1993) regarding disclosure of personal information to overseas entities (including social media organisations), and how organisations can comply with the Act’s requirements for overseas disclosures of personal information.

Overseas disclosure of personal information

The Act introduced restrictions on overseas disclosure of personal information. Personal information is any information about an identifiable individual and includes, without limitation, names, addresses, phone numbers, email addresses and IP addresses.

Unless the relevant individual has authorised disclosure outside New Zealand and knows their personal information may not be given the same protection as provided by the Act, organisations need to ensure that personal information will be protected by safeguards comparable to New Zealand’s privacy laws before transferring any personal information overseas.

Organisations can achieve this by:

  • Imposing contractual data protection obligations on the overseas recipient comparable to the protections in the Act; or
  • Ensuring the overseas recipient is subject to laws of another jurisdiction that provide comparable protection to the Act.

This is an important change given the significance of free-flowing data globally, and because organisations use (and often disclose personal information to) a number of third party service providers in their day-to-day operations. For example, organisations use third party service providers for the following reasons:

  • Interest-based advertising;
  • Network monitoring and website hosting;
  • Data processing, storage and management;
  • Data collaboration, analysis and report automation (including sales/conversion statistics);
  • To create, manage and send emails (EDM Marketing) and surveys to people for advertising and marketing; and
  • User account and password management, storage and security.

These third party service providers will often receive, transfer or process information in countries outside New Zealand, where there may be differences in privacy laws.

For example, Salesforce is a cloud-based customer relationship management service provided by Salesforce.com, Inc. and its subsidiaries (for New Zealand, SFDC Australia Pty Limited), which process and store New Zealand user data in the United States.

However, if organisations transfer personal information to an overseas organisation (e.g. a cloud storage provider like Google Drive) to hold or process as their ‘agent’, this will (usually) not constitute an overseas disclosure, provided the agent does not use the information for its own purposes. This is an important exception given that none of the major cloud service providers has a datacentre in New Zealand. However, Microsoft has announced plans to establish its first Azure datacentre region in New Zealand.[3] Further, DCI Data Centers is building New Zealand’s largest cloud data centre in Auckland.[4]

One of the key issues for New Zealand organisations is whether their overseas business partners and suppliers are using personal information provided from New Zealand for their own purposes, rather than solely as agents for the organisation. We discuss this issue next.

Agent using information for own purposes

Organisations commonly use social media plugins on their websites (e.g. Facebook and Instagram) and internet-based advertising and analytics providers such as Google Analytics. These social media platforms and third party service providers often use personal information provided by the organisation for their own purposes, and not just as the agent for the New Zealand organisation.

For example, if a person visits an organisation’s website that contains a Facebook plugin, their browser establishes a direct connection to the Facebook servers. By integrating with the plugins, Facebook receives the information that the person’s browser has accessed the corresponding page of the organisation’s website, even if they do not have a Facebook account or are currently not logged in to Facebook. This information (including their IP address) is transmitted from their browser directly to a Facebook server in the United States and stored there. If the person is logged in to Facebook, Facebook can assign the website visit directly to their Facebook account. If they interact with the plugins, for example by pressing the "LIKE" or "SHARE" button, the corresponding information is also transmitted directly to a Facebook server and stored there. Facebook may use this information for the purpose of advertising, market research and tailoring Facebook pages. For this purpose, Facebook uses user, interest and relationship profiles (for example, to evaluate use of an organisation’s website, the effectiveness of advertisements displayed on Facebook, to inform other Facebook users about activities on an organisation’s website and to further inform them about the use of related services).

In that light, the Act requires that New Zealand organisations take reasonable steps to ensure either that personal information sent overseas (e.g. through the person interacting with the organisation’s social media plugin on its website) is protected by privacy standards comparable to the Act, or that the person visiting the organisation’s website has authorised disclosure of their personal information outside New Zealand and knows their personal information may not be given the same protection as provided by the Act.

So how can organisations comply with the Act’s new requirements for overseas disclosure of personal information?

Compliance with the Act

Organisations can comply with the Act by informing all persons accessing their website and/or using their services, and any persons providing personal information to them (“Users”), how they collect, use, disclose or transfer personal information, including disclosing any third parties that will use personal information for their own purposes, and by obtaining consent from Users for the collection, storage, use and disclosure of their personal information.

Organisations can achieve this by:

1. Adopting a privacy policy that:

  • Discloses the organisation’s use of overseas third party service providers, and describes the use of personal information by those overseas suppliers (particularly where those third parties may not protect the information in a way that, overall, provides comparable safeguards to those in the Act); and
  • Authorises the disclosure of personal information to those third parties; and

2. Ensuring all Users have expressly agreed to the privacy policy. For example, to obtain authorisation, an organisation can implement a pop-up on its website (or an equivalent, e.g. a banner) so that, when any person first visits the website, they are provided a link to the privacy policy and are required to ‘accept’ it.
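One practical way to tie step 2 to the plugin behaviour described earlier is to withhold the third-party plugin scripts until the visitor has accepted the current privacy policy, so that the browser never contacts the overseas server (and so never discloses an IP address or page URL) before authorisation is recorded. The following is an added example written for this article and is not code from the original page or from any vendor; the vendor registry, the `example.invalid` script URLs, the policy version string, the `privacy-consent` storage key and the `showBanner` function are all constructed assumptions, and the policy link should point at the organisation’s own privacy policy.

```javascript
// Consent-gated loading of overseas third-party plugins (added example, not
// from the original article). Vendor ids and script URLs are placeholders.

// Constructed: bump this whenever the privacy policy text changes so that
// consent given to an older policy is not treated as consent to the new one.
const PRIVACY_POLICY_VERSION = '2020-12-01';
const CONSENT_KEY = 'privacy-consent'; // constructed storage key

// Constructed registry of overseas recipients the privacy policy discloses.
// Only vendors listed here can ever be loaded by this module.
const OVERSEAS_VENDORS = {
  'social-plugin': { purpose: 'social sharing buttons', region: 'US',
                     script: 'https://example.invalid/social.js' },
  'analytics':     { purpose: 'site analytics',         region: 'US',
                     script: 'https://example.invalid/analytics.js' },
};

// Parse a stored consent record. Anything malformed, for a different policy
// version, or naming unknown vendors is treated as "no consent", so the
// visitor is asked again rather than silently opted in.
function parseConsent(raw) {
  if (typeof raw !== 'string') return null;
  let rec;
  try { rec = JSON.parse(raw); } catch { return null; }
  if (!rec || rec.version !== PRIVACY_POLICY_VERSION || !Array.isArray(rec.vendors)) return null;
  return { version: rec.version,
           vendors: rec.vendors.filter((v) => v in OVERSEAS_VENDORS),
           at: rec.at };
}

// Build the record to store once the visitor expressly accepts the policy.
function makeConsent(vendorIds, now = Date.now()) {
  const vendors = vendorIds.filter((v) => v in OVERSEAS_VENDORS);
  return JSON.stringify({ version: PRIVACY_POLICY_VERSION, vendors, at: now });
}

// True only if the visitor accepted the current policy for this vendor.
function mayLoad(consent, vendorId) {
  return consent !== null && consent.vendors.includes(vendorId);
}

// Inject vendor scripts only for consented vendors and return the ids loaded.
// `inject` is passed in so the decision logic can be exercised outside a browser.
function loadPermittedVendors(consent, inject) {
  const loaded = [];
  for (const id of Object.keys(OVERSEAS_VENDORS)) {
    if (mayLoad(consent, id)) {
      inject(OVERSEAS_VENDORS[id].script);
      loaded.push(id);
    }
  }
  return loaded;
}

// Browser-side injector: this is the point at which the overseas connection
// is first made, so it must not run before consent exists.
function domInject(src) {
  const s = document.createElement('script');
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

// Hypothetical banner: links to the policy and records consent only on an
// explicit click. Declining leaves the page usable without the plugins.
function showBanner() {
  const banner = document.createElement('div');
  banner.innerHTML =
    '<p>This site uses overseas service providers. Read our ' +
    '<a href="/privacy-policy">privacy policy</a>.</p>' + // assumed policy URL
    '<button id="consent-accept">Accept</button>';
  document.body.appendChild(banner);
  document.getElementById('consent-accept').addEventListener('click', () => {
    localStorage.setItem(CONSENT_KEY, makeConsent(Object.keys(OVERSEAS_VENDORS)));
    loadPermittedVendors(parseConsent(localStorage.getItem(CONSENT_KEY)), domInject);
    banner.remove();
  });
}

// Page wiring (only runs in a browser): load plugins if a current consent
// record exists, otherwise show the banner and load nothing.
if (typeof document !== 'undefined' && typeof localStorage !== 'undefined') {
  const consent = parseConsent(localStorage.getItem(CONSENT_KEY));
  if (consent) loadPermittedVendors(consent, domInject);
  else showBanner();
}
```

The design choice worth noting is that the consent record carries the policy version: when the privacy policy is updated to disclose a new overseas recipient, earlier acceptances stop counting and the banner is shown again, which is what the Act’s authorisation requirement needs rather than a one-off checkbox.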

There are a number of consequences if an organisation breaches the Act, including reputational damage and harm to the organisation’s relationships with staff or clients. Further, the Privacy Commissioner has the power to fine organisations up to $10,000 for serious breaches of the Act.

Clendons has considerable experience advising on privacy and data transfer issues, and can assist New Zealand organisations with their disclosure and compliance obligations on these issues.

Disclaimer

This article is provided to assist clients to identify legal issues on which they should seek legal advice, and by its nature cannot be comprehensive and cannot be relied on as advice. Please consult the professional staff of Clendons for advice specific to your situation. The professional staff of Clendons include Privacy Professionals registered with the Office of the Privacy Commissioner (NZ), and members of the Data and Privacy practice group within international law firm network Mackrell International.