The Greens have unveiled an election policy that would empower the Privacy Commissioner to require individuals and organisations responsible for serious privacy breaches to pay compensation.
The proposed penalties would be up to $500,000 for individuals. For corporations, the maximum penalty would be the greater of three times the commercial gain from the breach, 10% of annual turnover, or $10 million.
Courts would determine whether a privacy breach meets the threshold of being “serious”, following a model similar to Australia’s, with any penalties imposed being paid to the government.
The penalties are aligned with those the Commerce Commission can impose for anti-competitive behaviour, as well as new penalties being introduced for power companies that fail to secure sufficient supply ahead of dry years.
The policy also mirrors the coalition’s approach to Fair Trading Act breaches, although those penalties are smaller in scale.
Current penalties are capped at $10,000 and only apply to failures to report a breach or to cooperate with an investigation.
According to Greens co-leader Marama Davidson, the Privacy Commissioner has reported a 43% rise in serious breaches in 2024/25, which means there was a clear need to “close the gap that lets companies treat New Zealanders’ data as an afterthought.”
She said, “The Manage My Health hack laid it bare. People trusted Manage My Health and Te Whatu Ora with their health information, and that trust was broken.”
After that privacy breach, in which poor security at a third-party health records portal allowed hackers to access the data of nearly 100,000 New Zealanders, the Privacy Commissioner called for the ability to order penalties for such breaches.