InternetNZ says it's more important than ever for New Zealand to get its privacy laws on track, particularly as Kiwis' data is becoming increasingly threatened by data breaches in New Zealand and across the world.
Parliament is currently wading through the Privacy Bill, a proposed modernisation of our 25-year-old Privacy Act.
According to InternetNZ chief executive Jordan Carter, you only have to look at recent data breaches to realise that New Zealand has to lift its privacy game.
"Has your data been included in a breach? There's no way to tell. My data could have been breached, your data could have been breached. With no law requiring organisations to report these breaches we have no way of knowing and taking steps to protect ourselves," says Carter.
“There's currently no law requiring companies like Z Energy, Vector, or LinkedIn to tell New Zealanders if their data has been leaked.
"This isn't some niche nerd thing, this is something every New Zealander cares about. The Privacy Bill affects every organisation that serves us - from your daycare centre to your accounting software and your supermarket loyalty card.
He says that New Zealand's Justice Select Committee must use the opportunity to make the Privacy Bill work not just for 2018, but many years beyond. While it's too urgent to delay, it's also too important to risk getting it wrong.
“The Justice Select Committee needs to take this opportunity to make this Privacy Bill fit for 2018 and beyond. In practical terms, that means working with the suggestions submitters have made, and consulting on new ideas that people have raised,” he says.
“This Bill has waited five years to get to Select Committee. Taking the time to test new changes is the right thing to do now, to pass this Bill and make it fit for purpose."
The Bill has gained plenty of attention amongst New Zealanders. It attracted 165 written submissions, including some Xero, Trade Me, and Bell Gully.
According to InternetNZ, even Vector has called for strong measures to lift the Privacy Bill so that it's fit for the Internet era.
A number of other global breaches such as LinkedIn, Facebook and Cambridge Analytica have also proven that there needs to be a strong focus on privacy.
Europe's General Data Protection Regulation (GDPR) has certainly helped to address some of those privacy concerns, but New Zealand's laws don't currently stack up.
According to InternetNZ policy director Ellen Strickland, nobody who works in the privacy space believes the current law works for 2018.
“We urgently need an up-to-date privacy law that is fit for purpose in the Internet age. We think it's great to see so many businesses, organisations and individual New Zealanders engaging to support privacy protections that work in the 21st Century and there are some good ideas in those submissions that deserve to be looked at," says Strickland.
InternetNZ says the proposed Privacy Bill needs two urgent changes:
1) An urgent review of EU adequacy under GDPR. New Zealand needs to retain our stamp of approval from the EU. Without this, every individual New Zealand company who trades with Europe would have to do their own compliance with EU law and that would be a big burden.
2) Align breach notifications. The Bill currently requires companies whose data is breached to notify people to let them know they're effected. We support breach notification but are calling for an approach which follows overseas best practice in line with Australia, Canada and the European Union. This will make it easier for New Zealand businesses who work globally. We don't want to drown people in notifications but we want them to be meaningful.
Read more about our coverage on the Privacy Bill and privacy in New Zealand:
- Parliament supports NZ's Privacy Bill during first reading
- New Zealand's Privacy Bill to get first reading in Parliament
- InternetNZ says the Privacy Bill is a good start, but New Zealand can do better
- 2018 a 'defining year for privacy', says NZ law firm
- Privacy Week: 79% of Kiwis concerned about businesses that share their personal info
- Interview: IBM New Zealand's John Martin talks GDPR, NZ's Privacy Act, and Australia's NDB laws