Source: Office of the Privacy Commissioner
The introduction of the Privacy Act 2020 was a big step forward in protecting New Zealander’s privacy, but five years on (1 December), it needs further changes to respond to today’s needs,” Privacy Commissioner Michael Webster says.
“The Privacy Act doesn’t provide sufficient incentives for many organisations to understand or meet even the most basic privacy requirements. This is one reason why my Office is getting record numbers of privacy complaints and increased breach notifications by agencies.”
“If New Zealand wants to be serious about privacy, then organisations need to be held accountable for their failings in handling personal information. That includes introducing significant fines, and real consequences. We see multimillion dollar penalties in Australia for organisations who fail to protect personal information, but in New Zealand there’s no civil penalty regime.
The New Zealand public also supports the need for Act reform. In our March 2025 privacy survey, three quarters of those surveyed said the Privacy Commissioner should have the power to:
– audit the privacy practices of agencies
– issue small infringement fines for a privacy breach, and
– ask the Courts to issue large fines for serious privacy breaches.
“Stronger penalties are a great start, but there are also other things that can be done to modernise the Privacy Act and strengthen privacy outcomes.”
In the European Union, people have the right to ask organisations to delete their personal data if certain conditions apply. Adding the ‘right to erasure’ to privacy rules here would provide New Zealanders with the right to ask organisations to delete their personal information in certain circumstances. This right would reduce the harm arising from privacy breaches through reducing the amount of personal information an agency is holding.
“We also need stronger protections for the significant privacy risks that arise from automated decision-making, which can cause problems such as inaccurate predictions, discrimination, unexplainable decisions, and a lack of accountability.
“Automated decision making is increasingly used to make decisions about people’s finances and allowances, which can really impact lives, and I think people should know why an automated decision is taken against them”, Mr Webster says.
The Commissioner is also suggesting that agencies need to be able to demonstrate how they meet their privacy requirements, such as the privacy management programmes recommended by the OECD.
“There’s been incredible technological change since 2020, and we need to keep up. Many other countries have modernised their privacy rules to capture the benefits and avoid the harms of new technologies and we need to do the same and make sure our privacy rules reflect the society we live in today.”
