Are our privacy laws fit for purpose?

New Zealand’s Privacy Act 2020 covers all sectors of the economy. It governs the collection, use and disclosure of individuals’ personal information and exists so that we can trust in our companies and governmental services.
The act was drafted in 2013, so it could not have anticipated the large-scale collection, use and transfer of personal information or the invention of generative artificial intelligence and biometrics. This month, I want to explore whether our privacy regulations have become outdated now that we live in a globalised world with a digital economy.
Privacy is important
Whether it’s customer details or staff files, you likely keep some private information on file or in a digital format. Breaches or careless handling of private information may cost you dearly. Customers will lose confidence in you. Your brand and reputation will take a hit. The more sensitive the information, the more measures you must take to protect it.
As the pace of technological development continues, it is arguable that without a substantial overhaul, New Zealand’s regulations will not be able to keep pace with the modern world.
According to a paper published on 4 December 2023, there was a large increase in privacy complaints and serious privacy breaches between 2021 and 2023. The low levels of business compliance with the act have been attributed to the lack of modernity of the legislation, which is technology neutral.
The international landscape
The European Union General Data Protection Regulation, which took effect in 2018, remains the gold standard of privacy regulation. The GDPR is pioneering because of its significant penalty regime, the invention of new rights such as the right to erasure, and new requirements concerning automated decision-making.
Since then, case law has further developed the GDPR to make it even more robust by further defining the requirements for international data transfers. The UK has adopted the UK GDPR into its local legislation, and Australia introduced a penalty regime comparable to GDPR in 2022.
Seen against this background of quite significant legislative change, it is evident that a privacy regime drafted over a decade ago is no longer something New Zealand can be proud of. Being out of step internationally has real consequences for businesses.
International companies often incorporate robust privacy clauses into their contracts, leaving businesses needing to comply but unprepared to do so. Some companies that regularly do business overseas may have already determined they need to comply with regulations like the GDPR, even though local regulations do not demand it.
New Zealand’s shortcomings
Penalties
Penalties under the Privacy Act are virtually non-existent. The only penalty available is a $10,000 fine, imposed only when an agency commits one of the few specific criminal offences. There are no civil penalties available. Compared to the millions of dollars in penalties available in Europe or Australia, it is no wonder that there is no incentive to comply.
New technologies
Since the act was drafted, technologies have changed, including biometrics, social media and artificial intelligence. The potential harms and benefits and the corresponding rights and obligations concerning these new technologies must be considered.
The government has indicated it does not wish to enact widespread AI regulation any time soon. In the absence of specific regulation, we will need to rely on the existing regulatory regime. Seen in this context, it is even more important that the Privacy Act is updated to take into consideration technological concepts that did not exist when it was drafted.
Sensitive information
Unlike other jurisdictions, such as the EU and Australia, New Zealand legislation does not create a separate category of “sensitive personal information” for which more stringent care must be taken. This is becoming an issue as more use is made of individuals’ biometric information – for example, through face or fingerprint recognition technology. While some effort is being made to remedy this gap in the legislation through the Biometrics Code of Conduct, this will likely serve as only a temporary measure.
Children’s privacy
New technologies increasingly place children and young people in situations where they may be tempted to consent to the collection of their personal information for a perceived benefit, particularly online. Children’s inherent vulnerabilities may mean they are less able to understand the long-term consequences of giving such consent.
While the Privacy Act requires that agencies consider the “fairness and intrusiveness” of how they collect personal information, other jurisdictions, including the UK and California, are now creating specific regulations to protect children and young people.
Conclusion
The Privacy Amendment Bill 2023 will only make minor changes to our current regulatory regime. If New Zealand is to keep pace with the rest of the world, we need to overhaul our privacy regulations, as Australia has recently done, to bring them up to date with international standards.