
By Gehan Gunasekara

Last year was not a good one for New Zealand privacy-wise. While Australia forged ahead enacting legislation covering issues such as cross-border controls for personal data and introducing measures to implement breach notification, the government in New Zealand, by contrast, has been dragging its feet and instead adopted a raft of measures diminishing existing privacy protections. This article briefly reviews developments in New Zealand in 2013 and ventures some predictions as to what may lie in store in 2014.

The New Zealand Law Commission completed an exhaustive review of privacy law in four stages culminating in its final Stage 4 report, on the Privacy Act 1993, in 2011. This report contained numerous recommendations addressing current issues such as breach notification, cross-border controls and misuse of the personal affairs exception, especially in relation to the use of social media. Minister of Justice Judith Collins promised a bill would be introduced in 2013 repealing the 1993 Act and implementing most of the Law Commission recommendations, but this did not eventuate. This year, 2014, is an election year in New Zealand, and it remains to be seen if the long-promised legislation will materialise. The government did, however, announce the appointment of Wellington privacy lawyer John Edwards as the new privacy commissioner, replacing the long-serving Marie Shroff, who has completed two five-year terms in the role. A bill to address “Harmful Digital Communications,” aimed at social media in particular, is also in the pipeline.

In the meantime, the other side of the ledger has seen an alarming erosion of existing privacy protections in New Zealand. One recommendation of the Law Commission that has been speedily implemented has been for better mechanisms for information-sharing between public-sector agencies to enable efficiency in the provision of services and the detection of fraud. The Privacy (Information Sharing) Amendment Bill was enacted in 2013 inserting a new Part 9A into the Privacy Act 1993. The measures allow information-sharing agreements between public-sector agencies and even between public- and private-sector ones to be approved by order in council. On the other hand, compensating safeguards—such as mandatory breach notification requirements—have not yet been enacted.

This comes against the backdrop of a continuing succession of privacy breaches by public-sector agencies, such as those by the Accident Compensation Corporation (ACC), IRD and the Earthquake Commission. An earlier detailed audit of ACC and the appointment of a single information officer to oversee privacy policy across all government agencies have seemingly not yet led to fewer privacy breaches.

By far the most contentious intrusion on citizens’ privacy, though, has been the government’s enactment of changes to the Government Communications Security Bureau (GCSB) Act 2003, which enables the collection and processing of metadata by the spy agency. Section 8B of the GCSB Act extends its role beyond “intelligence gathering and analysis” about foreign persons and organisations to “information infrastructure” in New Zealand. Information gathered under this category may be provided to the minister and “any person or office holder (whether in New Zealand or overseas) authorised by the minister to receive the intelligence.” The interception of the private communications of New Zealand citizens and residents is not permitted under the act, but intelligence gathering and analysis of information infrastructure in New Zealand is permitted.

The definition of information infrastructure “includes electromagnetic emissions, communications systems and networks, information technology systems and networks, and any communications carried on, contained in, or relating to those emissions, systems or networks.” The use of an inclusive definition is technology-neutral and permits access to, for example, the “Internet of Things.” What led to these legislative changes, however, is more startling.

In addition to the Snowden revelations, public concern regarding surveillance in New Zealand has stemmed largely from a local source. These are the disclosures made in the course of legal proceedings involving Internet tycoon and New Zealand resident Kim Dotcom, who has been resisting extradition to the U.S. for alleged copyright and money laundering violations. It emerged that New Zealand’s secretive intelligence agencies had been illegally monitoring Dotcom’s communications. A subsequent inquiry found many other unnamed residents and citizens had also been targeted, leading to the abovementioned measures essentially legitimising future surveillance. The bill was enacted despite intense opposition from privacy advocates and large public demonstrations.

Kim Dotcom has become something of a folk hero in New Zealand. He has announced his intention to launch a political party, which, under New Zealand’s strictly proportional electoral system, may end up controlling the balance of power. Privacy will be a major election issue this year. There is still time for the government to redeem itself by introducing the long-promised Privacy Act replacement, but time is running out.

Gehan Gunasekara is an associate professor in commercial law at the University of Auckland Business School. His privacy research has been cited by the Australian and New Zealand Law Commissions and by Canada’s Office of the Privacy Commissioner.

