NZ privacy advocates: Laws need revamp to reflect biometric surveillance realities

An Aotearoa New Zealand privacy advocacy group thinks that nation’s approach to privacy and biometrics must be more nuanced than a government-independent regulator proposed in August.

The nation’s Privacy Commission restated its “core regulatory expectation” at that time, saying all organizations “should” complete privacy impact assessments.

That stance was formalized a year ago in a position paper by the privacy commissioner stating that principles and regulatory tools enshrined in New Zealand‘s 2020 Privacy Act (which is administered by the Justice Ministry) “are currently sufficient to regulate the use of biometrics from a privacy perspective.”

Subsequently, the commission broadly asked the nation for biometric – including the hot-button issue facial recognition surveillance – regulations.

Enter Privacy Foundation New Zealand. The advocacy group submitted a lengthy response saying the commission, which has the power to regulate privacy matters separate from the actual government, needs a wider perspective on critical aspects of biometric data collection.

Current policy defines harm to individuals and society too narrowly, according to the foundation.

The same is true, foundation members say, about the breadth of actions that are related to biometrics. Categorization and detection are roles within biometrics, for example, and are absent from commission assessments.

Even if some data captured, such as behavioral biometrics, cannot now be used to positively identify an individual, they can be used, perhaps erroneously, to build a profile of a person. It also is a safe bet these soft variations on biometrics will be used in the future.

Foundation members back the creation of a privacy code that would allow limited collection of biometric data only after new safeguards are in place. There also needs to be a formal principle defining data minimization. For organizations worldwide using biometric surveillance, that phrase is a fig leaf.

And, of course, the commission should also publish and maintain a comprehensive privacy impact assessment.

Article Topics

biometric identifiers  |  biometrics  |  data privacy  |  legislation  |  New Zealand  |  New Zealand Privacy Commissioner  |  regulation  |  surveillance