New items include mandatory reporting of a data breach (but only if it is likely to cause serious harm), fines of up to $10,000 for ignoring breaches, and stronger powers to control overseas data transfers and foreign-based organisations. The Public Register privacy principles are gone altogether.
What the bill will not do is follow some of the EU General Data Protection Regulation (GDPR) provisions that were proposed by many privacy advocates, including the Privacy Commission. So, no personal data portability, no “right to be forgotten” and no mandatory requirement to opt in.
The Committee clearly decided that the GDPR approach was not necessary in New Zealand. The National Party went as far as to say “We are uneasy that the Commissioner recommended that the select committee make these substantial changes to the bill. A better approach would be for the Government to consult widely in advance of preparing a bill and then submitting it to the House for consideration”.
So, for now at least, businesses and marketers in NZ are spared the time and expense of a massive update of their privacy policies.