Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

We respect your Do Not Track preference.

News

By Privacy Commissioner, Michael Webster.
8 May 2023

Thirty years ago, that catchy ear-worm Nature by The Muttonbirds was at the top of the charts, shoulder pads were bigger than big, and New Zealand got its first dedicated Privacy Act. The Act has since been updated, and with the pace of technology and change there’s already a need to strengthen our legislation. It is my view that legislative changes are needed to ensure New Zealand’s privacy law is fit-for-purpose in the digital age.

My ideal, as Privacy Commissioner, would be to see a country where our people are confident that their privacy is protected. A place where agencies (businesses and organisations) take their privacy obligations as seriously as health and safety, and where personal information is valued as taonga.

My office’s research shows that three out of five New Zealanders are concerned about businesses sharing their personal information without their permission. A recent study by Internet NZ showed that one of our top concerns online is threats to privacy. And in the past 12 months, two thirds of New Zealanders have chosen not to use at least one online service because of security or privacy concerns.

New Zealanders are clearly not entirely convinced that their personal information is being protected and respected by the public and private sector organisations that hold it. That’s fair; there was a 41 percent increase in privacy breaches between the 2021/22 and 2022/23 years.
It’s my job to lead an office that helps New Zealanders better understand their privacy rights, and help agencies understand and meet their obligations in a way that makes good business sense.

Recent developments internationally show that other countries are acting to strengthen their privacy law in a range of areas. In New Zealand, we need to consider whether to strengthen protections around children’s privacy online and ensure we can handle uniquely digital concerns such as people’s ‘right to erasure’ (also known as the ‘right to be forgotten’).
There’s work to be done around how we regulate artificial intelligence, and we need to look at how organisations that fail to protect people’s privacy are held to account.

You might be surprised to learn that the New Zealand Privacy Act does not contain a civil penalty regime, and that the low-level criminal offences in the Act only target specific non-compliance such as an agency failing to report a serious privacy breach to me, rather than penalising a serious breach that has inconvenienced thousands of Kiwis and in some cases caused them serious harm.

In contrast, following the significant data breaches experienced by Optus and Medibank in Australia, the government there moved quickly to significantly increase the penalties for privacy breaches. For serious or repeated interferences with privacy, Australian agencies can now be fined up to $50million. Food for thought when New Zealand is currently experiencing its biggest privacy breach by numbers affected (Latitude Financial), at around 20 percent of our population. Having the full range of effective tools in the regulatory toolbox is increasingly essential for privacy regulators, including ones that can be used for the most serious privacy breaches.

My privacy, your privacy, has been, and will continue to be, under threat and we need to continually evolve our legal protections to stay ahead of the curve.

To watch the Commisioner's inaugural Privacy Week speech, visit our YouTube page here