Privacy Commissioner John Edwards has got some items on his Privacy Bill wishlist, but missed out on others as the Justice Select Committee delivered its report.

Facebook 'doubling down' on privacy abuse: NZ watchdog
Kathmandu investigating month-long data security breach

Edwards - who was recently re-appointed for another five-year time - says he'll continue to push for wider enforcement powers and other tweaks as the legislation continues its journey through Parliament.

The Commissioner had wanted the power to levy fines of up to $100,000 for individuals and up to $1 million for organisations who ignore breach notices.


But as the bill stands, he'll have to settle for writing strongly-worded remonstrations, and the power of publicity to embarrass those to violate privacy law.

The Commissioner had also sought "data portability", a provision that would have put people in charge of their personal data and shift it with them as they changed, for example, insurance companies. For now, that's not on the table.

Lawmakers did meet Edwards' demand for mandatory data breach disclosure, however. Once the Privacy Bill becomes law, organisations that lose customer data through a hack or negligence will have to let people to know it's at risk.

The Commissioner had worried about a "cry wolf" syndrome, where constant warnings became so much wallpaper.

To wit, the Select Committee has raised the notification threshold for privacy breaches so that notification is only required where the breach has caused, or is likely to cause, serious harm to affected people.

The Committee also tweaked the Bill so that if an overseas organisation is doing business in New Zealand, the Act will apply to any action and all personal information collected or held by that organisation - regardless of where that may be - in the course of carrying on business in NZ.

In practical terms, that will make it easier for the Privacy Commissioner as he grapples with Facebook and other multinationals - many of them online operators who did not exist when the Privacy Act was last updated in 1993.

The Select Committee also said that the news media's exemption from the act should be expanded to cover all forms of media including new media such as bloggers, and TVNZ and RNZ when they undertake news activities.


It also qualified that the news media exemption should only apply to those who are under the oversight of the Broadcasting Standards Authority or the New Zealand Media Council.