Mandatory reporting requirements still raising concerns

Thursday 1 August 2019

Authors: Tania Goatley, Kristin Wilson and Julius Hattingh

​The second reading of the Privacy Bill continued on Tuesday 30 July, picking up from where it left off last month. The current Act of 1993, brought in prior to the widespread adoption of the internet, is perceived as lacking a framework for modern privacy issues. Accordingly, there is strong cross-party support for the bill.

Nevertheless, it is clear that there are points of finer disagreement, described as “residual concerns" by National's Tim Macindoe. These include mandatory reporting requirements and we are watching closely for any further movement on this point.

National believes that the mandatory reporting requirements for privacy breaches are too strict. The concern is that it will lead to “over-notification", which will both trivialise the process, and burden smaller players with high compliance costs. This was raised by Macindoe, a recent member of the Select Committee, despite the fact that the threshold for a mandatory notification has been raised since the first meeting. It would now be mandatory where it is reasonable to believe the breach has caused or is likely to cause serious harm, as opposed to harm per se.

The Committee has come to a compromise with regard to the controversial “right to be forgotten". In lieu of granting that right, as the European legislature did with Article 17 of the GDPR, the Committee has inserted a weaker provision into Principle 1. It will require agencies that collect personal information to nevertheless allow individuals to remain anonymous, unless identification is necessary for their purpose. While this will protect privacy in ways similar to Article 17, it diverges in not clearly allowing individuals to have their data obtained from the agency and erased. 

While the lack of a right to be forgotten represents a turn away from the European precedent, it is clear that Europe has nevertheless been a guiding star for the Committee. As Labour's Duncan Webb stated during his speech, the similarity of the two pieces of legislation will mean that agents who have already been determined to be EU-compliant, will be assumed to meet New Zealand standards – and vice versa.

The reading was interrupted with eight speeches still remaining. We will bring you an update when it recommences. If you have any questions about the matters raised in this article, please get in touch with the authors or your usual Bell Gully advisor.​


This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.

For more information
  • Tania Goatley

    Partner Auckland
  • Laura Littlewood

    Partner Auckland
  • Rachael Brown

    Partner Wellington
  • Kristin Wilson

    Senior Associate Auckland
Related areas of expertise
  • Privacy and data protection
  • Information, communications and technology
  • Consumer law
  • Cyber security
  • FinTech
  • Media