Privacy Bill reported back – link summary

The Privacy Bill has been reported back from the Select Committee (see our submission).

This article contains relevant links and reactions.

Text of the Privacy Bill as reported back by the Select Committee.

Justice Dept report on submissions.

Privacy Commissioner welcomes Select Committee’s Privacy Bill report.

The Committee has listened to submitters and the reported back Bill contains measures to ensure the law addresses some of the most pressing aspects of the modern digital economy.

The law will now explicitly set out when agencies that collect, process and use New Zealanders’ personal information will have to comply with New Zealand law – regardless of whether these agencies have a brick-and-mortar presence on our islands

While the Bill doesn’t include all the things we were seeking, we are grateful for the diligent work of the Select Committee and look forward to making the most of the changes for the benefit of all New Zealanders.

Chapman Tripp – Playing a short game on the privacy bill

The select committee has played safe on the Privacy Bill, recommending only modest changes. While this will make for an easy transition in the short term, it may also mean further reform is needed in a few years' time.

In particular, the Bill falls well short of the European Union (EU) General Data Protection Regulation (GDPR), which sets the standard for EU engagement – an outcome that could create compliance costs for some New Zealand businesses.

NZ Herald – Commissioner misses out on two wish-list items

Edwards – who was recently re-appointed for another five-year time – says he'll continue to push for wider enforcement powers and other tweaks as the legislation continues its journey through Parliament.

The Commissioner had wanted the power to levy fines of up to $100,000 for individuals and up to $1 million for organisations who ignore breach notices.

But as the bill stands, he'll have to settle for writing strongly-worded remonstrations, and the power of publicity to embarrass those to violate privacy law.

Tweets from Andrew Ecclestone at @openpolicynz (link to first Tweet in thread)

  • The Justice Committee of the NZ Parliament has disagreed with the Law Commission’s recommendation (and my submission) that the Ombudsman be made subject to the #Privacy Act. It is also maintaining the blanket secrecy requirement on @NZPrivacy staff. No explanation given for why.
  • My submission on why the Ombudsman should be subject to the Privacy Act.
  • My submission on why the secrecy clause should be limited or removed.

Tweets from Rick Shera at @lawgeeknz (link to first Tweet in thread)

  • Gotta say, this is very disappointing. No personally actionable penalty for a #privacy breach, no matter how negligent, and even flouting one of @JCE_PC’s orders only gets a paltry $10,000 fine, max. That’s not a fine; it’s a licence fee.
  • Nothing approaching GDPR, Australian, Brazilian, Californian or other modern #privacy regimes, particularly re biometrics/sensitive info, #AI profiling, #privacybydesign etc.
  • Why does the Select Committee consider kiwi’s #privacy rights are worth such a tiny fraction of those of Europeans, Australians etc?
  • News Today of a major data breach affecting credit card and other PI held by trans Tasman firm Kathmandu. Australians will have potential remedies; New Zealanders won’t under our proposed #privacy legislation other than waiting in line at the HRRT.
  • GDPR Right to be forgotten was a bridge too far but to have no substantive addition to personal rights just reinforces @JCE_PC’s description of this as an already out of date #privacy law merely catering for issues raised by the Law Commission 8 YEARS AGO.
  • Given how long it has taken to get here, and the low esteem that our politicians evidently accord to #privacy in NZ compared to overseas, we’ll be saddled with this for many years to come. A real lost opportunity.
  • This #privacy law, if passed in current form, will also not garner us favour in our #EUFTA negotiations and may imperil our EU adequacy status.
  • And for NZ firms who process EU personal data and have to be GDPR compliant, and the many who have chosen to adopt it as #privacy best practice, good for you. Your kiwi competitors are not going to have to chin anything like that bar if they don’t want to.