Commissioner misses out on two privacy wishlist items
Privacy Commissioner John Edwards has got some items on his Privacy Bill wishlist, but missed out on others as the Justice Select Committee delivered its report.
Edwards, who was recently reappointed for another five-year term, says he’ll continue to push for wider enforcement powers and other tweaks as the legislation continues its journey through Parliament.
He had wanted the power to levy fines of up to $100,000 for individuals and up to $1 million for organisations who ignore breach notices. But as the bill stands, he’ll have to settle for writing strongly-worded remonstrations, and the power of publicity to embarrass those to violate privacy law.
The commissioner had also sought “data portability”, a provision that would have put people in charge of their personal data and shift it with them as they changed, for example, insurance companies. For now, that’s not on the table. Lawmakers did meet Edwards’ demand for mandatory data breach disclosure. Once the Privacy Bill becomes law, organisations that lose customer data through a hack or negligence will have to let people to know it is at risk. The commissioner had worried about a “cry wolf” syndrome, where constant warnings become like wallpaper.
The select committee has raised the notification threshold for privacy breaches so that notification is only required where the breach has caused, or is likely to cause, serious harm to affected people.
The committee also tweaked the Bill so that if an overseas organisation is doing business in New Zealand, the act will apply to any action and all personal information collected or held by that organisation — regardless of where that may be — in the course of carrying out business in NZ.
In practical terms, that will make it easier for the Privacy Commissioner as he grapples with Facebook and other multinationals — many of them online operators that did not exist when the Privacy Act was last updated in 1993.
The select committee also said that the news media’s exemption from the act should be expanded to cover all forms of media including new media such as bloggers, and TVNZ and RNZ when they undertake news activities.
It also qualified that the news media exemption should only apply to those who are under the oversight of the Broadcasting Standards Authority or the New Zealand Media Council.