Privacy commissioner John Edwards has made a last-ditch plea to further toughen up an overhaul of the country’s privacy laws, telling MPs privacy was a "fundamental human right".
Edwards praised some aspects of a bill to reform the 25 year-old Privacy Act, but told a select committee that the changes proposed by the Government were "not sufficient".
Edwards appeared to suggest he was concerned the European Union might not renew the "adequacy" status it had given to New Zealand’s privacy regime when it next reviewed it within four years.
The value of tick from the EU was difficult to quantify in dollar terms but was "relatively rare and important to preserve" from a trade perspective and would be "disastrous" to lose, he said.
READ MORE
* Andrew Little gives more power to the Privacy Commissioner in new bill
* Potential law change could make services explain data decisions
* Measures loom to tell people if their data is hacked
* Privacy Commissioner wants big fines for privacy breaches
New Zealand had an opportunity to "at very least bring New Zealand’s law up to world standards" and, at best, to future-proof it for the next 25 years, he said.
As it stands, the bill would force organisations to disclose serious data breaches to the privacy commissioner.
That is a change from the existing situation under which businesses and other organisations are not specifically obliged to say if they have had people’s personal information lost or stolen.
It would also make it a crime carrying a $10,000 fine to mislead an agency in a way that affected someone else’s information, or to knowingly destroy documents containing personal information once a request had been made for it.
But Edwards said several big changes were needed, including a right commonly known as the "right to be forgotten" that would require others to erase personal information that was out of date, inaccurate or misleading, once asked, and to "personal information portability".
The latter right would for example allow people to demand their personal information was transferred from one online service to another at their request, and could impact the likes of social media companies.
Edwards called for $1m fines saying "realistic" sanctions were needed for breaches of the Privacy Act.
"Most organisations in our economy take this stuff seriously," he said. "[But] what do we do with people who just give us the finger?"
National MP Chris Bishop said the changes being sought by Edwards were "quite big" and questioned whether – if they were to be considered – they would need to go back out for public consultation, and whether the bill would need to be withdrawn and reworked.
Edwards said he was not advocating for the Government to go as far as the EU had gone with its General Data Protection Regulation (GDPR) law which came into effect in May.
His suggestions were not "GDPR or GDPR light", he said.
"I don’t think New Zealand should go down the path of mandatory privacy impact assessments for example."
BusinessNZ chief executive Kirk Hope supported some of the changes being sought by Edwards, while not offering comment on the right to be forgotten or on the size of the fines Edwards was suggesting.
"Business supports data portability as a consumer right, so that an agency holding someone’s data must make it available to them in a usable form," he said.
It would also be appropriate for the privacy commissioner rather than the Human Rights Review Tribunal to make decisions on complaints relating to access to information, he said.
© 2022 Stuff Limited