In the year ended March 2024 the Office of the Privacy Commissioner received its highest number of reported privacy breaches ever; privacy complaints from individuals rose 44% and serious breach notifications from agencies jumped by 31%.
And, as the commissioner noted, that was likely to only be the half of it — not everyone complains to their office. More chillingly, not everyone knows that they have been subject to a privacy breach at all.
Such numbers are backed up by the biennial survey of public opinion carried out by the commissioner’s office.
Half of New Zealanders were concerned about their privacy, and almost two-thirds said protection of their personal information was a major concern.
More than two-thirds said they would consider changing service providers if a firm they had trusted with their business was found to have poor privacy and security practices.
New Zealand has had laws specifically addressing privacy issues since the early 1990s, and the Privacy Act was substantially revised in 2020 in an attempt to future-proof it.
However, the speed of technological advancement — particularly in the sphere of artificial intelligence — meant that Parliament has again has to address the protection of privacy rights.
The recently passed Privacy Amendment Act has attempted to plug some of those gaps, even though it seems likely new technologies will soon spring new and unconsidered leaks in the privacy protection dam.
Chiefly it introduces a new provision, effective from May 1 next year, which further strengthens requirements concerning gathering of private details.
As the law stands, if a business or organisation gathers personal information about you, they have to tell you.
However, if that information is collected for the business or organisation by someone or something else — an AI bot being the classic example being considered by law-makers — then no disclosure requirement exists.
Under the imminent law change reasonable steps will need to be taken to make sure that the affected person is told and told why their information has been collected.
This will place added responsibility on the shoulders of business and organisations to make sure that they are operating within the rules, but so it should. When trusted with personal, private details there is an understandable legal duty on them to protect that information and to only use it for any legitimate purpose it was gathered for.
Other government agencies, such as the defence and customs service, may wonder why it too did not qualify for an exemption — let alone private companies which, as already demonstrated, routinely deal with personal information.
However, the unique role of law enforcement justifies the position where the law has settled; while other worthy cases can be made out, the law also cannot be riddled with so many exclusions as to make it meaningless.
There is also an exception for archiving in the public interest, something which galleries, libraries and museums lobbied for.
Historians will be grateful that in an era where paper records are starting to become less regularly kept, some mechanism will exist which could keep and collect electronic documents and correspondence of interest to future generations.
The law change is also important given the interwoven world we live in, as it aligns with similar provisions in European, British and Australian statute books.
However, it does not introduce what many people interested in privacy issues have long called for: meaningful penalties in cases of serious privacy breaches — both as a protection for citizens and an incentive for agencies to comply.
Without them New Zealand runs the risk of falling behind other countries.
However, they will have to wait for another day and another government, a day which will surely come as the information gathering business and its related technologies continue to evolve.
