The Commissioner had also sought "data portability", a provision that would have put people in charge of their personal data and let them shift it with them as they changed, for example, insurance companies. For now, that's not on the table.
Lawmakers did meet Edwards' demand for mandatory data breach disclosure, however. Once the Privacy Bill becomes law, organisations that lose customer data through a hack or negligence will have to let people know it's at risk.
The Commissioner had worried about a "cry wolf" syndrome, where constant warnings became so much wallpaper.
To wit, the Select Committee has raised the notification threshold for privacy breaches so that notification is only required where the breach has caused, or is likely to cause, serious harm to affected people.
The Committee also tweaked the Bill so that if an overseas organisation is doing business in New Zealand, the Act will apply to any action and all personal information collected or held by that organisation - regardless of where that may be - in the course of carrying on business in NZ.
In practical terms, that will make it easier for the Privacy Commissioner as he grapples with Facebook and other multinationals - many of them online operators who did not exist when the Privacy Act was last updated in 1993.
The Select Committee also said that the news media's exemption from the Act should be expanded to cover all forms of media, including new media such as bloggers, and TVNZ and RNZ when they undertake news activities.
It added the qualification that the news media exemption should only apply to those who are under the oversight of the Broadcasting Standards Authority or the New Zealand Media Council.