
Privacy Commissioner: Time to toughen up our privacy controls

Monday, 1 December 2025

Companies and organisations which hold private data don’t face strong enough incentives to understand even the most basic privacy requirements, argues Michael Webster.

Michael Webster is the Privacy Commissioner.

OPINION: Five years ago today the Privacy Act underwent significant updating. Today, more needs to be done to further modernise and strengthen it to reflect the world we live in.

My office is receiving record numbers of privacy complaints from individuals, and the number of serious privacy breaches notified by agencies (businesses and organisations) has also risen significantly. It’s clear more needs to be done to encourage agencies to lift their game when it comes to privacy.

The Privacy Act does not provide sufficient incentives for many agencies to understand or meet even the most basic privacy requirements. If we’re serious about privacy then businesses need to be held accountable for the most serious failings in handling personal information, and that means my office having the ability to seek large financial penalties.

A firm in Australia was recently issued a $5.8m penalty for failing to take reasonable steps to protect customer data. My office has no such power to seek a penalty for a serious privacy breach.

Privacy Commissioner Michael Webster wants the ability to impose sizeable fines for privacy breaches, among other moves to strengthen the Privacy Act.

The Government recently announced a new civil penalties regime for breaches of the Fair Trading Act. This included significant increases in the maximum penalties companies may face. A comparative penalty regime in the Privacy Act could encourage compliance and give New Zealanders confidence that their privacy rights will be protected.

There are other things that can be done to the Privacy Act that would modernise it and strengthen privacy outcomes.

In the European Union, people have the right to ask organisations to delete their personal data if certain conditions apply. Adding the “right to erasure” to privacy rules here would provide New Zealanders with the right to ask organisations to delete their personal information in certain circumstances. This right would reduce the harm arising from privacy breaches through reducing the amount of personal information an agency is holding.

New Zealanders also need stronger protections for the significant privacy risks which arise from automated decision-making, with problems such as inaccurate predictions, discrimination, unexplainable decisions and a lack of accountability.

Our trading partners, including the EU and Australia, have been introducing greater protections, including people having a right to request meaningful information about how substantially automated decisions with legal or similarly significant effect are made. New measures need to be included in our Privacy Act to manage the risks of automated decision-making, and ensure that New Zealanders are treated fairly and equitably.

I’m also suggesting that agencies need to be able to demonstrate how they meet their privacy requirements, such as the privacy management programmes recommended by the OECD.

The Privacy Act was last amended five years ago and, given the incredible pace of technological change, it’s time to update it again. A modern Privacy Act, including an appropriate penalty regime, will help New Zealanders have trust in the companies and government services they use every day. We need to modernise our legislation now to ensure our privacy rights are protected and respected.