While the UK investigates alleged privacy breaches by the firm Cambridge Analytica, potentially affecting millions of Facebook users, the New Zealand Government is working to refresh our privacy laws to better protect information gathered and stored digitally.
The proposed legislation, simply called the Privacy Bill, acts on a 2011 recommendation from the Law Commission. It would grant significant powers to the Privacy Commissioner and strengthen existing privacy laws, by repealing and replacing the Privacy Act of 1993.
"I’m pleased the Government has moved so promptly in its term to address the immediate need for stronger privacy protections and enforcement powers," says Privacy Commissioner John Edwards.
The Bill will regulate the collection, use and disclosure of information about New Zealanders, with extra protections to acknowledge the speed at which information can be gathered and shared in the digital age.
As part of that, it will require agencies to take additional steps to ensure any information crossing our borders adheres to our privacy laws.
The Bill will also give the Privacy Commissioner the ability to make binding decisions on information access requests and issue compliance notices that will be enforceable by the Human Rights Tribunal.
It also makes it compulsory to report any privacy breaches.
However, Mr Edwards says more significant punishments for privacy breaches are still needed to stop "rogue agencies thumbing their noses at the regulation."
In 2016, he advised the Government to impose penalties of up to $1m for serious breaches of the Privacy Act.
The key changes in the Privacy Bill are:
Mandatory reporting of privacy breaches: Privacy breaches that pose a risk of harm to people must be notified to the Privacy Commissioner and to affected individuals.
Compliance notices: The Commissioner will be able to issue compliance notices that require an agency to do something, or stop doing something, in order to comply with privacy law. The Human Rights Review Tribunal will be able to enforce compliance notices and hear appeals.
Strengthening cross-border data flow protections: New Zealand agencies will be required to take reasonable steps to ensure that personal information disclosed overseas will be subject to acceptable privacy standards. The Bill also clarifies the application of our law when a New Zealand agency engages an overseas service provider.
New criminal offences: It will be an offence to mislead an agency in a way that affects someone else’s information and to knowingly destroy documents containing personal information where a request has been made for it. The penalty is a fine of up to $10,000.
Commissioner making binding decisions on access requests: This reform will enable the Commissioner to make decisions on complaints relating to access to information, rather than the Human Rights Review Tribunal. The Commissioner’s decisions will be able to be appealed to the Tribunal.
Strengthening the Privacy Commissioner’s information gathering power: The Commissioner’s existing investigation power will be strengthened by allowing him or her to shorten the time frame within which an agency must comply, and increasing the penalty for non-compliance.
The Privacy Commissioner wants the public to make submissions as this Bill moves through the House to ensure that the legislation is "fit for purpose for 2019 and beyond".
"I will be asking Parliament, and the Government, to make the most of this once-in-a-generation opportunity to modernise our privacy framework."