Michael Webster suggests right to erasure, safeguards for automated decision-making
Marking the fifth anniversary of the Privacy Act 2020 on 1 December, Privacy Commissioner Michael Webster stressed the need for stronger incentives for organisations to comprehend and comply with privacy requirements, among other potential legislative changes to reflect current needs.
“This is one reason why my Office is getting record numbers of privacy complaints and increased breach notifications by agencies,” Webster said in a media release from the Office of the Privacy Commissioner (OPC).
Webster acknowledged that the current Privacy Act’s introduction represented a significant step forward in safeguarding New Zealanders’ privacy.
However, Webster emphasised that the government should introduce substantial fines, impose real consequences, or otherwise hold organisations accountable for their breaches when dealing with personal information.
“We see multimillion dollar penalties in Australia for organisations who fail to protect personal information, but in New Zealand there’s no civil penalty regime,” Webster said.
According to the findings of the OPC’s privacy survey last March, three-quarters of respondents wanted privacy legislation to empower the privacy commissioner to audit agencies’ privacy practices, impose small infringement fines for privacy breaches, and have the courts slap hefty fines for serious privacy violations.
In its media release, the OPC noted that the European Union permits individuals to request that organisations erase their personal data if they meet specific conditions.
According to the OPC, extending this right to erasure to New Zealanders would limit the amount of personal information in agencies’ custody and thus decrease the risk of harm due to privacy violations.
In the OPC’s media release, Webster explained that automated decision-making can lead to false predictions, discrimination, unexplainable decisions, and a lack of accountability, among other issues.
“Automated decision making is increasingly used to make decisions about people’s finances and allowances, which can really impact lives, and I think people should know why an automated decision is taken against them,” Webster said.
Webster stated that the government should enforce stronger protections against the significant privacy risks arising from automated decision-making.
Webster also suggested requiring agencies to be ready to show how they comply with their privacy obligations. He referred to the privacy management programs recommended by the Organisation for Economic Co-operation and Development (OECD).
“There’s been incredible technological change since 2020, and we need to keep up,” Webster said. “Many other countries have modernised their privacy rules to capture the benefits and avoid the harms of new technologies and we need to do the same and make sure our privacy rules reflect the society we live in today.”