ANALYSIS: If the Privacy Bill introduced to Parliament this year becomes law in its current form, New Zealand will have a Privacy Act fit for 2013, Privacy Commissioner John Edwards says.

Despite that, on Wednesday, a day before the deadline for public submissions on the bill, the Justice Committee counted just 38 submissions.

While it's not a fair comparison, keep in mind ACT Party leader David Seymour's End-of-Life Choice Bill received a record 35,000 submissions.

Clearly, personal data is more valuable than most of us realise. Aggregated into big data, it powers the modern world. And we've become comfortable with giving it away for little more than nothing.

READ MORE:

* Andrew Little gives more power to the Privacy Commissioner in new bill

* NZ privacy commissioner has pulled up Facebook for breach of privacy laws

* Is NZ an innovation hub, or a wild west for new technology?

"We're all moving through this world leaking data everywhere," Edwards says.

It's easy to shrug your shoulders and say you don't care, until your sensitive information is leaked, your social data inappropriately shared, or your credit card and contact information stolen.

Or maybe you would, actually, like more clarity around how machine-learning algorithms are being used to make predictions about people's lives; from diagnoses, to potential academic success, or recidivism.

"This is the opportunity for people to set the law for the next 10 years," Edwards says. "That's in terms of how it affects their business, and also how it affects them individually."

Admittedly, the bill is long and — no offence to the MP in charge, Justice Minister Andrew Little — it's very boring. But its purpose — to promote people's confidence that their personal information is secure and will be treated properly — is an important one.

WHAT WAS WRONG WITH THE OLD PRIVACY ACT?

In 1993, the Mosaic browser was released to the general public, making it the first truly accessible browser for the World Wide Web. That same year, New Zealand's Privacy Act 1993 was born. In short, that's the problem. In digital years, the act is ancient.

In 2011, the Law Commission published its review of the act with proposals for reform. Key recommendations included boosting the commissioner's powers; streamlining the complaints process; making it compulsory for agencies to notify people following a data breach; a new framework to allow the information sharing between government agencies; exceptions to some privacy principles, such as when someone's health is seriously at risk.

Seven years later, the government introduced a bill (the bill) to implement those regulations.

Little, speaking at the Privacy Forum in Wellington on May 9 this year, said in a world that increasingly relies on digital technology, "protecting privacy has never been more important".

"We're collecting, storing and disclosing more personal information than ever before on platforms like social media, cloud storage, and other technologies.

"Recent events involving Facebook and Cambridge Analytica highlight some of the challenges we face in the digital era."

ROBERT KITCHIN/STUFF Minister of Justice Andrew Little says protecting people's privacy "has never been more important".

SO WHAT'S DIFFERENT ABOUT THIS BILL?

* The commissioner has more powers, including:

The ability to shorten time frames for compliance and increase penalties for non-compliance.

The ability to issue compliance orders.

The ability to make decisions on individuals' complaints so they don't have to go to the Human Rights Review Tribunal.

* New criminal offences with fines not exceeding $10,000:

Offence to mislead an agency.

Offence to knowingly destroy documents containing personal information after someone has requested it.

* Mandatory reporting of privacy breaches that "pose a risk of harm to people".

* Agencies sharing information with firms overseas must take "reasonable steps" to ensure the firms are subject to "acceptable privacy standards".

WHAT'S STILL MISSING?

Well, that depends on who you talk to. Edwards has a few suggestions for the bill, consistent with his previous recommendations: namely, the power to apply to the High Court for a civil penalty of up to $1 million to be imposed on private and public sector organisations, and up to $10,000 for individuals, who breach the law, and for the Director of Human Rights Proceedings privacy functions to be absorbed by his office.

"Those are consumer protections laws, the act is a consumer protection law. In an age where your data is currency, you need to have some mechanism to ensure it's kept safe and rules are properly applied.

"I'm saying as commissioner, I should have the same access to sanctions as my counterparts in Europe, Australia, Korea and Japan."

Others think the bill should also offer 'the right to be forgotten', as enshrined by Europe's new General Data Protection Regulation. Also known as 'the right to erasure', it means you can require a company to erase all of your personal data and halt third party processing of that data.

"Should we have one of those? I think we should look at that," Edwards says.

Ken Wallace, practice leader, technology risk and assurance at Ernst & Young, at the Privacy Forum said he had a simple goal for the new act: "I'd like the act to be toothy to the point where those who ignore my rights are held to account in a way that's painful."

Jacqueline Peace, global privacy function lead at Air New Zealand, said her biggest concern with the act is that it doesn't determine what constitutes a "breach". "I'd like to see further articulation of what might constitute a breach — it's important to us, as an organisation, to know when we cross the line and need to tell someone."

MONIQUE FORD/STUFF Privacy Commissioner John Edwards oversees personal information held by agencies in both public and private sectors.

IS LEGISLATION REALLY THE ANSWER?

With the increasing rate of technological advances, those in charge of policy and regulation are falling further behind.

"No, legislation can't keep up, but that doesn't mean it shouldn't try," Edwards says. "The fact someone's going to invent a quantum computer that we can all have in our homes next year doesn't mean we shouldn't legislate for the world as it now.

"But what we're looking at doing is legislating for the world as it was seven years ago and that doesn't make sense to me."