Kia ora koutou,
Every year, the Office of the Privacy Commissioner appears before the New Zealand Parliament's Justice Committee. As an independent crown entity, the OPC is independent of government, which is critical given its role in regulating the privacy practices of both the public and private sectors.
These appearances are an important opportunity for Parliament to hear from the regulator about its activities in the previous year and plans for the year ahead. But they are also an opportunity for the OPC to put forward its views and concerns, including in relation to the sufficiency of the legislation it is charged with enforcing.
This year was no exception, and a strong focus of Privacy Commissioner Michael Webster's briefing to the committee was the insufficiencies of New Zealand's current privacy law to drive better privacy practice, keep pace with the overseas regulatory approach, and address the increasing challenges presented by new technology and artificial intelligence.
In his briefing, Webster said some organizations "simply don’t care" about privacy. Despite the growing risks presented by digital and technological innovation, organizations are still not managing privacy well. This is due in part to the lack of consequences for poor privacy practices.
The New Zealand Privacy Act has no civil penalties regime for major noncompliance. The meager fines for a limited set of rather obscure criminal offenses do nothing to remediate this deficiency. For example, an organization may be fined up to NZD10,000 — yes, you read that correctly — for failing to notify the OPC of a privacy breach, but there is no penalty for having caused the breach in the first place.
By contrast, other jurisdictions are introducing or steadily increasing financial penalty regimes. Our nearest neighbor Australia, for example, recently lifted the penalty for serious breaches of the Australian Privacy Act to a whopping AUD50 million or three times the value of the benefit obtained from the data processing. We are already witnessing an uplift in privacy focus by Australian organizations as a result of this change.
Webster said this is not just an issue he is focused on — it is an issue business leaders are calling for too, in part because poor privacy practice by one sector player can affect the reputation of all players in that sector.
This deficiency creates real risk in the context of digital change. The OPC would like to do more in the AI space. While there are efforts to better regulate in this area — including the establishment of the Digital Regulators Forum, which comprises the OPC, the Commerce Commission, the Ministry of Business, Innovation and Employment, and the Department of Internal Affairs — the Privacy Act does most of the heavy lifting.
As such, Webster said he thinks the act needs to be strengthened. He is not calling for an EU-style AI Act, but does believe a financial penalty regime, more accountability obligations, and clearer rules around automated decision-making would enable a better regulatory response to the risks created by AI.
The recent confirmation of EU adequacy status for New Zealand this year was an unexpected win for New Zealand companies seeking to trade with the EU. But this hard-fought status is not guaranteed, and the commissioner believes now is the time to line our privacy law up with comparable jurisdictions.
I couldn't agree more, and I wonder how long the status quo can continue. If we don't bring the New Zealand Privacy Act into line with global best practice, we put Aotearoa New Zealand's place in the global economy in real jeopardy.
Daimhin Warner, CIPP/E, is the country leader, New Zealand, for the IAPP.