A bill that would amend New Zealand’s 25-year-old privacy legislation has been introduced into Parliament, with the privacy commissioner John Edwards saying it does not have sufficiently robust penalties for data breaches.
In a blog post Edwards welcomed the new bill saying that, if it became law it would: “empower my office to issue a compliance notice in the event of a breach of the Act; … to issue a determination when a person has requested access to personal information and has been refused; and [introduce] mandatory reporting of harmful privacy breaches.”
However, he added: “Without real and meaningful consequences for non-compliance, rogue agencies will continue to thumb their nose at the regulation, meaning responsible organisations will disproportionately bear the cost of compliance, while cowboys will ignore their obligations.”
Edwards said he had asked, in 2016, to be given power to apply for fines of up to $1 million for organisations, and $100,000 for individuals who seriously breach their obligations. This, he said, “would bring New Zealand into line with Australia, and would begin to approach the sanctions available to my counterparts in Europe, Asia and elsewhere in the world.”
However, there seems to be some uncertainty in the bill as to the level of penalties it would introduce. In a LinkedIn post on the bill, Frith Tweedie, digital law leader at EY Law, said: “Failure to comply with mandatory reporting requirements could see companies fined up to $10,000. But it is unclear whether each affected individual will be treated as a separate breach, potentially increasing fines significantly, or whether all breaches relating to one incident will be treated collectively.”
Tweedie said the bill did not represent a major shift in New Zealand’s privacy legislation. “One of the notable features of the bill is the lack of significant change. There is little sign in the bill of the major changes overseas jurisdictions are making to their privacy laws. New Zealand’s principles-based approach, which has worked well for the past 25 years, is retained, albeit with an IPP (Information Privacy Principles) acronym being formalised in the bill in a nod to the 21st century.”