On March 7, 2024, the Office of the Privacy Commissioner of New Zealand (OPC) released a statement calling for greater penalties for data breaches, following two major research studies that indicate widespread support, including from businesses, for higher penalties for breaches.

In particular, the OPC noted concerns that the majority of businesses relying on digital environments lack a high degree of privacy maturity and cyber security practices, showing a lack of motivation to comply with legislation protecting data, like the Privacy Act.

Furthermore, the OPC highlighted that it can only issue a maximum fine of NZD 10,000 (approx. $6,090) to an organization for not adhering to a compliance order, whereas its counterpart in Australia can fine up to NZD 50 million (approx. $30.4 million).

Moreover, the OPC emphasized that the first research featuring a survey of business leaders shows that 58% believe an increase in legislation and regulatory guidance will improve cybersecurity, while almost three-quarters think New Zealand should introduce harsher penalties for businesses that fail to protect personal data. The second research surveying individuals shows that 60% believe the current level of fines in the Privacy Act is not high enough.

In light of the above, the OPC concluded that the Privacy Act will need to be revised in order to keep up with global privacy standards, and therefore proposed the following recommendations:

• a civil penalty regime for major non-compliance alongside new privacy rights for New Zealanders to better protect themselves;
• a set of specific amendments to make the Privacy Act fit-for-purpose in the digital age; and
• stronger requirements for automated decision-making and agencies demonstrating how they meet privacy requirements.

You can read the press release here.