Happy new year from Aotearoa New Zealand. Usually digital governance professionals in this region are relaxing and enjoying our, hopefully, warm and balmy summer. This year, however, we received an early Christmas present from the Office of the Privacy Commissioner of New Zealand. On 18 Dec. 2024, the OPC announced its decision to press on with issuing a Biometric Processing Privacy Code, following an extensive period of consultation.

Back in April 2024, I wrote about the OPC's release of an exposure draft of the Biometric Processing Privacy Code. I also explained, for those unfamiliar with New Zealand's privacy regulatory regime, that the Privacy Act gives the OPC the relatively unique power to make law, in the form of codes of practice that have the force of law. This allows the OPC to develop codes of practice in relation to a class of organizations, a class of personal information, a class of activity, or a specified industry. 

The OPC received a large number of submissions on the exposure draft and spent some time considering them and making subsequent changes. For a while, we were unsure if the OPC would abandon the code or continue in its efforts to regulate this class of processing. However, the OPC has now confirmed it will, indeed, continue these efforts and has released a new draft code for further consultation. The OPC expects the code to come into force in late 2025.

The new draft Biometric Processing Privacy Code retains some core aspects included in the April 2024 consultation draft. It requires organizations to assess whether collection is necessary and proportionate — that is, the benefits to the organization, individual and/or public outweigh any privacy risk as well as the impact on Māori — before carrying out any biometric processing.

It mandates that organizations notify people — through a clear and conspicuous notice before or at the time of collection — that they are carrying out biometric processing, for what purpose, and what alternatives are available. 

It restricts some uses of high-privacy risk biometric processing, such as using it to determine emotions, infer health conditions, or categorize people according to race, ethnicity, disability, gender or sexual orientation.

The code will also be retrospective, with existing biometric processing to be compliant within nine months of it taking effect.

However, the new version also includes several changes made to reflect submissions received on the exposure draft. The restrictions on using biometric information — fair use limits — are now targeted to the most intrusive and highest risk use cases.

The OPC added a new requirement that organizations tell people where they can find a rundown of their assessment of the pros and cons of using biometrics, if they have already made this public.

The code commencement period increases from 6 months to 9 months for organizations already using biometrics, to allow a longer lead-in time to ensure compliance.

The code has also been simplified to improve understanding of what processes are included and excluded, and some rules have been clarified.

Organizations and the public have until 14 March to submit comments on the new draft of the code. It remains to be seen exactly where the OPC will land on details, but no doubt further substantive submissions will be made.

We need to take a risk-based approach to this issue, taking care not to overregulate in a way that could prejudice beneficial and safe uses of biometric information or underregulate in a way that could leave individuals and communities open to harm. This will require strong collaboration between regulators, technologists and privacy professionals, to ensure we strike the right balance.

Daimhin Warner, CIPP/E, is the country leader, New Zealand, for the IAPP.

This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter.