
Privacy Bill may limit breach fines to $10,000

14 Mar 2019

Newly-reappointed Privacy Commissioner John Edwards has welcomed the Justice Select Committee’s report on the proposed Privacy Bill, which will repeal and replace the Privacy Act 1993.

Edwards says that the Select Committee has listened to people who submitted feedback on the Bill and has now introduced more measures to address the collection, processing, and use of New Zealanders’ personal information.

This will apply to all agencies that collect personal information from New Zealanders, regardless of whether they have a physical presence in the country.

The Bill makes two amendments regarding overseas agencies and overseas activities.

For a New Zealand agency, the Act will apply to any action taken and all personal information collected or held by it, both inside and outside New Zealand.

For an overseas agency, the Privacy Act will apply if the agency is carrying on business in New Zealand.

The Act will apply to any action and all personal information collected or held by the agency (regardless of where that may be) in the course of carrying on business in New Zealand.

The Privacy Act will also give the Privacy Commissioner more powers to pull businesses into line when they have demonstrated breaches of the Act.

The Privacy Commissioner will now be able to issue a compliance notice in the event of a breach of the Act, and to issue a determination when a person has requested access to personal information and has been refused.

The Privacy Act will also introduce mandatory reporting of ‘harmful’ privacy breaches – a move that brings New Zealand into line with international best practice, as well as countries like Australia.

However, the Select Committee steered away from giving the Privacy Commissioner the ability to issue civil penalties in the case of serious breaches, which would have amounted to $100,000 in the case of an individual and up to $1 million in the case of a body corporate.

Instead, breach fines will be capped at a maximum of $10,000 if businesses do not comply with the Bill’s mandatory notification requirements.

The Act will also regulate the movement of personal information out of the jurisdiction with a new cross-border disclosure principle.

The Privacy Commissioner had also lobbied to introduce data portability as a consumer right; however, the Select Committee has seemingly ignored that.

The Select Committee process also raised a number of other key changes, according to the Privacy Commissioner. They include:

  • raising the notification threshold for privacy breaches so that notification is only required where the breach has caused, or is likely to cause, serious harm to affected people. Criteria are given for assessing whether or not serious harm has occurred, or is likely to occur.
  • amending the news media exemption to ensure it covers all forms of media, including "new" media such as bloggers
  • limiting the news media exemption to those media that are subject to the oversight of an appropriate regulatory body (currently the Broadcasting Standards Authority or the New Zealand Media Council, with ability to add other appropriate oversight bodies by regulation)
  • extending the news media exemption to include TVNZ and RNZ when they undertake "news activities"
  • expressly providing that agencies may not require a person’s identifying information unless it is necessary for the lawful purpose for which the information is collected
  • removing the public register privacy principles on the understanding that they are now outdated and unnecessary.  

“While the Bill doesn’t include all the things we were seeking, we are grateful for the diligent work of the Select Committee and look forward to making the most of the changes for the benefit of all New Zealanders,” says Edwards.

Read the Select Committee’s report here.
