Why the new Privacy Act doesn’t do enough to protect consumers

A revamped Privacy Act is about to kick in. Here's why we think it doesn’t go far enough to protect consumers.

National MP Hamish Walker and ex-party president Michelle Boag were caught out in July leaking the personal information of Covid-19 patients to the media. The politically motivated leak included the names, dates of birth, ages and quarantine locations of each of the patients.

Despite being caught out, neither Walker nor Boag faced any penalty under the Privacy Act.

Why? The Privacy Commissioner can’t prosecute individuals or organisations and has no jurisdiction over members of parliament. The bad news is little will change when a revamped Privacy Act is rolled out in December.

Protection gaps

When our first Privacy Act hit the law books in 1993, it was considered world leading. Fast-forward 27 years and the act is showing its age, having failed to keep up with the brave new world we live in.

The long-awaited overhaul of the legislation has brought some improvements. A company that fails to report a serious data breach could now be fined by the courts, though only up to $10,000 (see “Key changes”).

It will also be a criminal offence to mislead an agency to access someone else’s personal information and to destroy personal information knowing that the person requested it.

However, the Privacy Commissioner still won’t have any powers to fine or prosecute individuals or organisations for any other serious breaches of a person’s privacy. Without the threat of a meaningful penalty, there’s much less incentive for companies to play fair.

Compare that to the EU. In 2019, France’s data regulator fined Google €50 million ($85m) for breaching privacy rules set out in the EU’s General Data Protection Regulation. Australia and the UK have also given their privacy regulators the ability to issue penalties.

Back here, the only realistic chance a company will face a financial sanction is if the case is referred to the Human Rights Review Tribunal (see “Privacy complaints”). That can be a time-consuming process, reliant on an overworked tribunal system. Confidential settlements also mean the outcome may never be made public.

The chance to strengthen consumers’ privacy rights in other areas has also been missed.

There’s no “right to be forgotten” (also known as the right to erasure) as EU consumers enjoy. Under EU privacy rules, consumers can request their personal data be erased when a company no longer needs it for the purpose it was originally collected.

The furthest our law goes is stating organisations shouldn’t keep information longer than is necessary. But this isn’t the same as a right to be forgotten.

The new act also doesn’t do anything to address the vexed issue of algorithmic transparency. If you’re denied a loan based on a company’s algorithmic system, such as automatic credit screening, you should have a right to know why.

Making companies front up about the assumptions built into these systems helps ensure biases – based on factors such as ethnicity, gender or incorrect information – don’t skew decision-making. It also ensures companies can’t hide behind machines and must take responsibility for their programming assumptions.

The Privacy Commissioner argued for the act to include fair practice provisions for automated decision making. But this didn’t happen.

Why it matters

Data collection is an increasingly unavoidable part of everyday life. When you download an app, sign up to a loyalty scheme or open a bank account, you’re required to share personal data.

What’s done with this data – how it’s used, where it ends up – can have major implications for consumers.

If a company knows how much you earn, it may try to charge you more for a product because it assumes you’ll be willing to pay a higher price. Or it could refuse you service because it thinks you’re a bad credit risk based on where you live.

There’s also the ever-present risk your information could be hacked and you suddenly find your bank account has been emptied or thousands of dollars of debt has been racked up in your name.

In 1993, our privacy law was ground-breaking. But the same can’t be said about the law today. Without stronger privacy protections and penalties for breaches, consumers will be left to shoulder much of the responsibility for safeguarding their data.

Key changes

There are four key changes to the Privacy Act:

  • Mandatory data breach reporting: organisations that fail to report serious data breaches (such as a computer hack) to affected individuals and the Privacy Commissioner could be fined up to $10,000. Breaches must be reported if they cause or have the potential to cause “serious harm” to individuals.

  • Compliance notices and new criminal offences: the commissioner will be able to issue notices, requiring organisations to comply with the act. It will also be an offence to destroy personal information knowing that a request has been made to access it.

  • Regulation of cross-border data sharing: unless the individual expressly authorises the disclosure, organisations will only be able to share personal information with an agency outside New Zealand if that agency operates in a jurisdiction with similar privacy safeguards.

  • Extraterritorial effect: overseas companies operating in our market, such as Facebook and Google, will be subject to the act and have to report data breaches if they involve New Zealanders’ information. This applies even if the company doesn’t have a physical location here.

Privacy complaints

If you feel your privacy has been breached, the first step is usually to speak to the privacy officer of the organisation concerned. All organisations should have a person who knows about the Privacy Act.

Don’t get a satisfactory response? You can complain to the Privacy Commissioner. The commissioner will decide whether to investigate and, if the complaint has substance, may attempt to settle the matter.

If that’s unsuccessful, the complaint can be referred to the Human Rights Review Tribunal.

You can also take a case to the tribunal if the commissioner decides not to refer it there. The tribunal can award damages of up to $350,000. If you’re still dissatisfied, there’s a general right of appeal to the High Court.

Privacy Act 2020 timeline

1993 – Privacy Act passes.

1997 – Consumer NZ recommends the Office of the Privacy Commissioner be given broader powers.

2011 – Law Commission recommends repealing and replacing act.

2014 – Government announces reform of the act.

2018 – Privacy Bill introduced into parliament.

2020 – New Privacy Act comes into effect in December.
