The news that the Australian insurer Medibank is facing a multi-million dollar lawsuit by the Australian privacy regulator has led the Office of the Privacy Commissioner (OPC) to lament the lack of similar powers of enforcement in New Zealand.

Describing New Zealand’s civil penalty regime as “nothing, nada”, Acting Commissioner Liz MacPherson has called for the Government to provide the OPC with stronger tools, while warning businesses against taking an “it won’t happen to me” approach. The Acting Commissioner’s stance is unsurprising given the availability of civil penalties to regulators in jurisdictions comparable to New Zealand, including Australia and the United Kingdom.

OAIC takes action against Medibank

On 5 June 2024, the Office of the Australian Information Commissioner (OAIC) filed civil penalty proceedings against Medibank for failing to protect the sensitive medical data of 9.7 million Australians, which were accessed by Russian cybercriminals and subsequently released on the dark web in 2022. The proceedings follow on from the OAIC’s investigation into Medibank after the cyber-attack.

The Federal Court can fine Medibank up to AU$2.22 million for each interference under the pre-December 2022 Australian Privacy Act. The Australian legislation has since been updated, meaning that if the breach occurred today, Medibank could have faced a maximum penalty of the greater of $50 million, three times the benefit accrued through the misuse of the data or 30% of the organisation’s turnover.

OPC says Privacy Act reform crucial to protect data in NZ

Unlike comparable jurisdictions, such as Australia and the UK, New Zealand does not have a civil penalty regime for breaches of the Privacy Act.

In December 2023, the OPC recommended a civil penalty regime as part of a broader package of regulatory reform to the incoming Minister of Justice (see here). In its briefing, the OPC noted a 79% increase in privacy complaints and a 59% increase in serious privacy breaches from 2021/22 to 2022/23, observing that the lack of significant financial penalties means that some agencies do “not care about privacy”.

Last week, in the OPC's regular Privacy News update, Acting Privacy Commissioner Liz MacPherson repeated the call for greater powers. Stating that the “rationale for a civil penalty regime is even stronger now than in the past”, she noted that powerful new technologies and the increasing drive to digital commerce mean that how companies use personal data is becoming more and more opaque to consumers.

Despite the complexities resulting from these new technologies, statistics cited by the OPC reflect that a surprising number of New Zealand businesses are unprepared for a cyber-attack, with one in five having no response in place and one in two having reduced cybersecurity to boost productivity.

Any cyber-complacency resulting from the current lack of a civil penalty regime is misplaced. While the New Zealand regulator’s powers are currently not as far-reaching as those in Australia, organisations have important, legally binding obligations under the Privacy Act, a breach of which can expose them not only to OPC investigations but potentially also to civil lawsuits by individuals whose data has been compromised. In recent years, a number of multi-million dollar class actions have been brought by Australian consumers against companies whose systems failed to prevent a successful cyber-attack. It seems only a matter of time before we see this trend replicated in New Zealand. You can read more about potential lawsuits and how to mitigate the risks here.

If you have any questions about overseas privacy penalties or your organisation’s privacy and data obligations, please contact one of our experts.
