We are very excited about today’s introduction of a new Privacy Bill. The Bill will modernise the 25 year old Privacy Act and implement many of the changes recommended by the Law Commission in 2011.

The pathway to this overdue and urgent reform package actually began back in 1998 with the release of the first Privacy Commissioner’s report Necessary and Desirable.

That the Government has made privacy law reform a significant priority amongst its busy work programme reflects the privacy concerns of a majority of New Zealanders - something which has been borne out in regular opinion surveys undertaken by my office.

The Bill introduced today is based on decisions announced by the previous Government in 2014 and has involved a lot of work by officials from the Ministry of Justice, Parliamentary Counsel Office, and my Office in the intervening four years.

However, it is important for the public, civil society and industry to take an interest, make submissions and ensure that the law that comes out the other end of the Parliamentary process is fit for purpose in 2019 and beyond.

Much has changed in the world since the Law Commission reported in 2011. New Zealand’s once world leading privacy law has slipped behind developments in a number of jurisdictions we compare ourselves to. Better privacy and data protection regulation is a growing trend in OECD countries which include Britain, Canada and Singapore. Australia has already reformed its Privacy Act and in Europe, the General Data Protection Regulation (GDPR) is set to take effect in May this year.

The new Bill includes moves in that direction by:

• empowering my office to issue a compliance notice in the event of a breach of the Act;
• empowering my office to issue a determination when a person has requested access to personal information and has been refused; and
• the introduction of mandatory reporting of harmful privacy breaches – bringing New Zealand into line with international best practice.

But without real and meaningful consequences for non-compliance, rogue agencies will continue to thumb their nose at the regulation, meaning responsible organisations will disproportionately bear the cost of compliance, while cowboys will ignore their obligations.

If New Zealand citizens and industry are to reap the benefits of a digital economy, they need to have confidence that their regulatory regime is robust, and that their personal information will be kept safe, and used responsibly.

I will be asking Parliament, and the Government, to make the most of this once-in-a-generation opportunity to modernise our privacy framework. My aim is to keep compliance costs for industry down, to reward good behaviour, punish the cavalier, and provide New Zealanders with easy access to remedies when their rights are breached.

I’ll be pointing to the report I made to the Government in 2016 in which I made six recommendations including a power to apply for fines of up to $1 million for organisations, and $100,000 for individuals who seriously breach their obligations. This would bring us into line with Australia, and would begin to approach the sanctions available to my counterparts in Europe, Asia and elsewhere in the world.

We will also argue for the Law Commission’s recommendation to shift the privacy functions of the Director of Human Rights Proceedings into the Privacy Commissioner’s office in order to streamline the handling of privacy complaints.

We thank the Minister of Justice for taking action on this important and long delayed law reform, and look forward to the public conversation about getting our Privacy Act working well for industry and individuals for the next 25 years.

Image credit: The Beehive in June 2012 - via Wiki Commons.