Organisations now need to 'fess up if they lost your data through carelessness or to hackers, and it will be easier for the Privacy Commissioner to clamp down on privacy abuse by multinationals.

The first major update to the Privacy Act since the internet went mainstream has just passed Parliament, with unanimous support.

The slow-burning update to the old law, passed in 1993, followed a series of recommendations made by the Law Commission in 2011.

Privacy Commissioner John Edwards did not get two of the key items on his wish-list. One was the ability to levy heavy-duty fines of up to $1 million on organisations that breached the new law (although he can now issue non-compliance notices and ding offenders for up to $10,000). The other was data portability - the ability to take your files with you when you switch service providers.

But the Commissioner did get other elements included - notably mandatory data breach disclosure, and clarification that global companies like Google and Facebook are subject to NZ law when they offer services to New Zealanders.

Privacy Act key reforms

• Mandatory notification of harmful privacy breaches. If organisations or businesses have a privacy breach that poses a risk of serious harm, they are required to notify the Privacy Commissioner and affected parties. This change brings New Zealand in line with international best practice.

• Introduction of compliance orders. The Commissioner may issue compliance notices to require compliance with the Privacy Act. Failure to follow a compliance notice could result in a fine of up to $10,000.

• Binding access determinations. If an organisation or business refuses to make personal information available upon request, the Commissioner will have the power to demand release.

• Controls on the disclosure of information overseas. Before disclosing New Zealanders' personal information overseas, New Zealand organisations or businesses will need to ensure those overseas entities have similar levels of privacy protection to those in New Zealand.

• New criminal offences. It will be an offence to mislead an organisation or business in a way that affects someone's personal information or to destroy personal information if a request has been made for it. The maximum fine for these offences is $10,000.

• Explicit application to businesses whether or not they have a legal or physical presence in New Zealand. If an international digital platform is carrying on business in New Zealand with New Zealanders' personal information, there will be no question that it is obliged to comply with New Zealand law, regardless of where it, or its servers, are based.

The Act comes into effect on December 1.