New Zealand Privacy Chief Backs $1 Million Fines for Breaches

Cites EU, Australian Moves to Impose Stronger Penalties

New Zealand's privacy commissioner is recommending new civil penalties against companies of up to NZ$1 million (US$718,000) for a "serious" data breach to keep up with sterner penalties adopted by Australia and the European Union.


"In light of international trends and current conditions, privacy enforcement sanctions no longer appear adequate to deal with serious breaches," writes Privacy Commissioner John Edwards in a 27-page recommendation to the government. "Additional civil enforcement sanctions for serious breaches of privacy are needed."

The country's Privacy Act, which went into effect in 1993, contains possible breach-related criminal penalties of either $2,000 or $10,000. But those types of cases are resource-intensive for the government to prosecute because of complex criminal procedure rules, and the fines are relatively low, Edwards writes.

New Zealand has been considering revising its Privacy Act for many years. Parliament has yet to pass legislation, but it is expected to act this year. The largest change would be a requirement that organizations report data breaches to regulators and the public (see Australia, New Zealand Still Mulling Data Breach Laws).

Edwards' review includes five other recommendations covering data portability, compliance, anonymized data, a narrowing of defenses against accusations of a breach and new rules concerning already-public data, such as electoral rolls and land registers.

The country's Law Commission published a lengthy review of the Privacy Act in 2011, but Edwards writes its suggested reforms aren't keeping pace with rapidly evolving data-driven business models.

"This new environment is revealing or confirming gaps and pressure points that add to those identified or considered in previous reviews," he writes.

Steeper Penalties

Edwards' recommendations would give his office the power to apply to the High Court for civil penalties of up to $100,000 against an individual and $1 million against a corporation for a very "serious" breach or for repeated violations.

Under the draft legislation, "serious" breaches would be those that pose a risk of harm, such as loss, injury, significant humiliation or adverse effects on rights or benefits.

The proposal for larger fines reflects an expanding view worldwide that data breaches should come with more serious financial consequences, Edwards writes.

The European General Data Protection Regulation, which comes into force in May 2018, gives authorities the power to impose noncompliance penalties of up to 20 million euros (US$21 million) or 4 percent of a company's global revenue, whichever is greater (see Mandatory Breach Notifications: Europe's Countdown Begins).

"The international context has also seen significant developments," Edwards writes. "These should now be taken into account in preparing revisions to New Zealand's privacy law."

Five years ago, Australia amended its Privacy Act to increase civil penalties. The Office of the Australian Information Commissioner can apply to the Federal Court for fines up to $1.7 million for violations.

Data Anonymization

Governments are increasingly seeking to release large data sets to the public for external analysis and transparency. But those well-intended efforts have sometimes resulted in significant privacy lapses.

The dangers of data that has been inadequately anonymized are well known. Australia ran into trouble when its Department of Health released a 30-year sampling of pharmaceutical benefits claims Australians made under Medicare, the country's public health service (see Australian Health Breach Exposes Danger of 'Anonymous' Data).

Researchers showed it was possible to decrypt codes that identified service providers. They were unsuccessful, however, in decrypting patient IDs.

As a result, last year the Australian government proposed a change to the Privacy Act that would make it an offense to de-anonymize data sets. Although well intended, it's questionable in an age of anonymous public data dumps whether such a measure would prove an effective deterrent.

Edwards proposes that New Zealand's Privacy Act should have a provision that requires entities holding personal data to take adequate steps to anonymize it before public release. Also, the public "should have a means of redress if they suffer harm as a result of being re-identified from supposedly anonymous data," he writes.