Kia ora koutou,
After a period of relative quiet in New Zealand’s privacy world, we’re suddenly on the cusp of a few exciting changes, with several important developments out for consultation.
On 24 Aug., the Ministry of Justice (which administers the Privacy Act) released an engagement document on the proposed broadening of the Privacy Act’s notification requirements. The Privacy Act requires agencies to give privacy notice to individuals only when collecting personal information from them directly. There is no requirement for agencies to provide privacy notice to individuals when collecting personal information about them from other sources. This may not adequately reflect current business and technological practices, which increasingly involve the sharing of personal information in ways individuals are not aware of.
It is also out of step with overseas privacy laws, such as the EU General Data Protection Regulation — which includes express provisions requiring notification in relation to indirect collection — and the Australian Privacy Act, which requires notification regardless of the information source. As such, the Ministry states in its engagement document that the broadening of the Privacy Act’s notification requirements would better align New Zealand’s Privacy Act with overseas laws, thereby facilitating international trade and cross-border data flows. This language is interesting as it indicates a likelihood that this proposal — coming so soon after a major rewrite of the Privacy Act — has been prompted by concerns about maintaining New Zealand’s EU adequacy status, which is under constant review by the European Commission.
On 15 Aug., the Office of the Privacy Commissioner released a consultation paper on the regulation of facial recognition and other types of biometric technologies. This consultation follows the OPC’s 2021 position paper on the use and regulation of biometrics, which I reported on in my October 2021 notes. The OPC’s view in 2021 was that the Privacy Act’s regulatory tools were sufficient to regulate the use of biometrics from a privacy perspective, though it noted that it would keep a watching brief on this, as there may be a case in the future for further steps to be taken, including the potential for a code of practice issued under the Privacy Act.
The OPC has indeed kept a watching brief and found cause for renewed concern, noting in the consultation paper that more action may be needed due to the increasing use of biometric technology in New Zealand, growing concern about the adequacy of current regulation, concerns about the implications of biometric technology for Māori, the potential for greater clarity to support safe innovation, the need for greater public assurance about the use of biometrics and the tighter controls on biometrics being implemented in other countries (again, we don’t want to be out of step with our global partners). Many readers will be well aware of the numerous recent media articles in New Zealand and Australia expressing concerns around the use of facial recognition in particular.
The OPC has made clear in the consultation paper that it seeks a regulatory response to biometrics that preserves the benefits of the technology while protecting against privacy risks, and that creates a compliance burden proportionate to the scale of the risk. This is a welcome approach, and the OPC’s willingness to engage with the industry to ensure the right approach is taken is relatively novel. We as a privacy community have an important opportunity to influence the way facial recognition and other biometric technologies are regulated in New Zealand and are well-placed to provide practical perspectives that ensure the outcome of this process is robust, pragmatic and sustainable.
Submissions close for both the Ministry’s proposal and the OPC’s consultation 30 Sept., so this is going to be a busy few weeks for privacy professionals who want to have their say on these important developments.
In the meantime, enjoy the digest, stay safe and be kind.
Ngā mihi