
Privacy Commissioner urges the Government to tighten up privacy laws including bringing in a civil penalty regime


The Government is being urged to beef up privacy legislation by the man whose job it is to enforce it.

Michael Webster says the problem is so serious that some people are not signing up for goods and services because they fear their personal information might be stolen.

Webster is New Zealand's Privacy Commissioner and was speaking to initiate a series of webinars as part of Privacy Week. They mark 30 years since the Privacy Act was implemented.

“With the pace of technology and change there’s already a need to strengthen our legislation,” Webster told his audience in a message on YouTube.

“It is my view that legislative changes are needed to ensure New Zealand’s privacy law is fit-for-purpose in the digital age.”

He said he would like to see New Zealand as a country where people were confident that their privacy would be protected. But this was not the case.

“My office’s research shows that three out of five New Zealanders are concerned about businesses sharing their personal information without their permission,” he said.

“A recent study by Internet NZ showed that one of our top concerns online is threats to privacy. And in the past 12 months, two thirds of New Zealanders have chosen not to use at least one online service because of security or privacy concerns.”

Webster went on to say there was a 41% increase in privacy breaches between the 2021/22 and 2022/23 years. And more than half of all New Zealanders would avoid doing something on the internet for fear of their activity being tracked.

And he said other countries are acting to strengthen their privacy law, and New Zealand should do the same.

“You might be surprised to learn that the New Zealand Privacy Act does not contain a civil penalty regime,” Webster said.

“We are an outlier in not having civil penalties ... such penalties could apply to negligence as well as to deliberate breaches.

“The low-level criminal offences in the Act only target specific non-compliance such as an agency failing to report a serious privacy breach, rather than penalising a serious breach that has inconvenienced thousands of Kiwis and in some cases caused them serious harm.”

He said Australia had boosted its privacy laws after large-scale hacking of the companies Optus and Medibank. But New Zealand was experiencing the same thing, with the breach of cyber security at the finance company Latitude.

“Having the full range of effective tools in the regulatory toolbox is increasingly essential for privacy regulators, including ones that can be used for the most serious privacy breaches,” he said.

“My privacy, your privacy, has been, and will continue to be, under threat and we need to continually evolve our legal protections to stay ahead of the curve.”



I would love to have an enforceable Do Not Call (or spam / advertise) Register that all companies have to adhere to... but would the register then just be a tool for overseas spammers to acquire our numbers?


Hear Hear! My brother used to rave about this in Aus, said if any telemarketers called him he would state he was on the no-call register and they would apologise profusely then cut the call, never to call again. 


Good to hear but how confident can we be that this will be 1./ completed and 2./ enforced.

The easiest way to get your bank account raided is for a website you have used or saved your card details on to be hacked and then the card info used to make purchases.

Perhaps if there were real penalties for negligence then companies would value their security more stringently.


They can start by preventing real estate agents, solicitors and accountants etc. using email (incredibly insecure method of transfer) to pass around our sensitive personal documentation including names, addresses, DOB, signatures, passport, citizenship, licence etc. documents, store them using exceptional security measures, and then use scheduling and auditing to ensure erasure and shredding as soon as possible.


I used to work at the passport office years back. Once your information is out there, it is out there and there isn't any point in getting another passport because realistically the only way it would flag up is with Interpol if someone used it to somehow travel internationally. Whether you get a new one or not people can still use it to register for things etc, sell it on the dark web for money, but the NZ passport is the most secure passport in the world having over 150 unique security features with more added every couple of years so it isn't possible to replicate due to the complexity of it. The reactions I got from people when I told them this over the phone were nothing short of disbelief. Everyone just wants to feel safe and can't fathom that once something is on the internet, you don't own it anymore.