Watchdog backs $1m fines for privacy breaches
Privacy Commissioner John Edwards is recommending fines of up to $1 million for serious privacy breaches.
Both public and private sector organisations could face such a fine, bringing New Zealand more into line with Australia, while individuals would face a maximum civil penalty of $100,000.
“In light of international trends and current conditions, privacy enforcement sanctions no longer appear adequate to deal with serious breaches,” Edwards said.
The recommendations come in the commissioner’s latest report on the viability of the Privacy Act, which the Government planned to reform.
As well as the power to apply for such fines, Edwards recommended introducing data portability as a consumer right, giving individuals the ability to transfer their personal information between services such as social networks or cloud providers.
The report cited recent privacy breach penalties in the UK, such as the £200,000 (NZ$344,000) fine imposed on the British Pregnancy Advice Service after thousands of personal records were exposed to a malicious hacker.
“Internationally, the trend is towards privacy and data protection regulators having a variety of sanctions in order to respond effectively and meaningfully to the range of breaches and noncompliance that arise.
“This includes the potential for large civil sanctions to be imposed for those rare, sufficiently serious cases that require them.”
Privacy law reform has been considered since 1998, and between 2008 and 2011 there was a Law Commission review on the subject.
But Edwards said a lot had changed since then. There were gaps and weaknesses which needed to be addressed if the proposed modernisation of the Privacy Act was to be effective.
“Important developments since 2011 that impact on the operation and adequacy of the privacy legislation include developments in data science and information technology, and new business models built on data-driven enterprise.
“These developments have highlighted the importance for both the public and private sectors to optimise trust in the digital economy.”
His report also recommended stronger protection against the risk of individuals being re-identified from supposedly anonymised data, a power for the commissioner to require an agency to demonstrate its compliance with the law, a narrowing of the defences available to agencies, and provision for suppressing personal information in public registers where there is a safety risk.
In January, the Department of Corrections agreed to change its CCTV policy following a reprimand from the Privacy Commissioner over a case involving a prisoner who was severely beaten.
Edwards found that Corrections interfered with the prisoner’s privacy after it refused to release footage of him being assaulted.
Last September, Edwards said a hack of Yahoo, from which Spark said 130,000 Xtra email addresses were “at risk”, showed the need for a New Zealand law requiring companies to notify people when their data has been breached.
He praised Spark’s handling of the incident, but questioned Yahoo’s response, given that the 2014 hack only came to light last year.