Privacy Advisor

NEW ZEALAND—Will the Tide Turn in 2014?

February 11, 2014

By Gehan Gunasekara

Last year was not a good one for New Zealand privacy-wise. While Australia forged ahead enacting legislation covering issues such as cross-border controls for personal data and introducing measures to implement breach notification, the government in New Zealand, by contrast, has been dragging its feet and instead adopted a raft of measures diminishing existing privacy protections. This article briefly reviews developments in New Zealand in 2013 and ventures some predictions as to what may lie in store in 2014.

The New Zealand Law Commission completed an exhaustive review of privacy law in four stages culminating in its final Stage 4 report, on the Privacy Act 1993, in 2011. This report contained numerous recommendations addressing current issues such as breach notification, cross-border controls and misuse of the personal affairs exception, especially in relation to the use of social media. Minister of Justice Judith Collins promised a bill would be introduced in 2013 repealing the 1993 Act and implementing most of the Law Commission recommendations, but this did not eventuate. This year, 2014, is an election year in New Zealand, and it remains to be seen if the long-promised legislation will materialise. The government did, however, announce the appointment of Wellington privacy lawyer John Edwards as the new privacy commissioner, replacing the long-serving Marie Shroff, who has completed two five-year terms in the role. A bill to address “Harmful Digital Communications” is also in the pipeline, addressing social media in particular.

In the meantime, the other side of the ledger has seen an alarming erosion of existing privacy protections in New Zealand. One recommendation of the Law Commission that has been speedily implemented has been for better mechanisms for information-sharing between public-sector agencies to enable efficiency in the provision of services and the detection of fraud. The Privacy (Information Sharing) Amendment Bill was enacted in 2013 inserting a new Part 9A into the Privacy Act 1993. The measures allow information-sharing agreements between public-sector agencies and even between public- and private-sector ones to be approved by order in council. On the other hand, compensating safeguards—such as mandatory breach notification requirements—have not yet been enacted.

This comes against the backdrop of a continuing succession of privacy breaches by public-sector agencies, such as those by the Accident Compensation Corporation (ACC), IRD and the Earthquake Commission. An earlier detailed audit of ACC and the appointment of a single information officer to oversee privacy policy across all government agencies have seemingly not yet led to fewer privacy breaches.

By far the most contentious intrusion on citizens’ privacy, though, has been the government’s enactment of changes to the Government Communications Security Bureau (GCSB) Act 2003, which enables the collection and processing of metadata by the spy agency. Section 8B of the GCSB Act extends its role beyond “intelligence gathering and analysis” about foreign persons and organisations to “information infrastructure” in New Zealand. Information gathered under this category may be provided to the minister and “any person or office holder (whether in New Zealand or overseas) authorised by the minister to receive the intelligence.” The interception of the private communications of New Zealand citizens and residents is not permitted under the act, but intelligence gathering and analysis of information infrastructure in New Zealand is permitted.

The definition of information infrastructure “includes electromagnetic emissions, communications systems and networks, information technology systems and networks, and any communications carried on, contained in, or relating to those emissions, systems or networks.” The use of an inclusive definition is technology-neutral and permits access to, for example, the “Internet of Things.” What led to these legislative changes, however, is more startling.

In addition to the Snowden revelations, public concern regarding surveillance in New Zealand has stemmed largely from a local source. These are the disclosures made in the course of legal proceedings involving Internet tycoon and New Zealand resident Kim Dotcom, who has been resisting extradition to the U.S. for alleged copyright and money laundering violations. It emerged that New Zealand’s secretive intelligence agencies had been illegally monitoring Dotcom’s communications. A subsequent inquiry found many other unnamed residents and citizens had also been targeted, leading to the abovementioned measures essentially legitimising future surveillance. The bill was enacted despite intense opposition from privacy advocates and large public demonstrations.

Kim Dotcom has become something of a folk hero in New Zealand. He has announced his intention to launch a political party, which, under New Zealand’s strictly proportional electoral system, may end up controlling the balance of power. Privacy will be a major election issue this year. There is still time for the government to redeem itself by introducing the long-promised Privacy Act replacement, but time is running out.

Gehan Gunasekara is an associate professor in commercial law at the University of Auckland Business School. His privacy research has been cited by the Australian and New Zealand Law Commissions and by Canada’s Office of the Privacy Commissioner.