Article 21 of the New Zealand Bill of Rights Act 1990 states "Everyone has the right to be secure against unreasonable search or seizure, whether of the person, property, or correspondence or otherwise."[1937] This has been interpreted by the New Zealand Court of Appeal in several cases as protecting the important values and interests that make up the right to privacy.[1938]
New Zealand's Privacy Act was enacted in 1993 and has been amended several times.[1939] It regulates the collection, use and dissemination of personal information in both the public and private sectors. It also grants to individuals the right to have access to personal information held about them by any agency. The Privacy Act applies to "personal information," which is any information about an identifiable individual, whether automatically or manually processed.[1940] Recent case law has held that the definition also applies to mentally processed information.[1941] The news media are exempt from the Privacy Act in relation to their news activities.
The Act creates twelve Information Privacy Principles generally based on the 1980 Organization for Economic and Cooperation Development (OECD) Guidelines and the information privacy principles in Australia's Privacy Act 1988. In addition, the legislation includes a new principle that deals with the assignment and use of unique identifiers. The Information Privacy Principles can be individually or collectively replaced by enforceable codes of practice for particular sectors or classes of information. At present, there are only two complete sectoral codes of practice in force, the Health Information Privacy Code 1994 and the Telecommunications Information Privacy Code 2003. There are several codes of practice that alter the application of single information privacy principles: the Superannuation Schemes Unique Identifier Code 1995, the Justice Sector Unique Identifier Code 1998, and the Post-Compulsory Education Unique Identifier Code 2001.[1942] The Commissioner has released for public consultation a proposed Credit Information Privacy Code in July 2003. In addition to the information privacy principles, the legislation contains principles relating to information held on public registers; it sets out guidelines and procedures in respect to information matching programs run by government agencies, and it makes special provision for the sharing of law enforcement information among specialized agencies.
The Office of the Privacy Commissioner is an independent oversight authority that was created prior to the Privacy Act by the 1991 Privacy Commissioner Act, which focused on the supervision of information matching among government departments.[1943] The Privacy Commissioner oversees compliance with the Privacy Act 1993, but does not function as a central data registration or notification authority. The Privacy Commissioner's principal powers and functions include promoting the objects of the Act, monitoring proposed legislation and government policies, dealing with complaints at first instance, approving and issuing codes of practice and authorizing special exemptions from the information privacy principles, and reviewing public sector information matching programs. As of June 30 2002, the Commissioner had 18 full time and 6 part-time staff.
Complaints by individuals are initially filed with the Privacy Commissioner who attempts to conciliate the matter. In the year ending June 2002 the office received 1,044 new complaints and 6,772 enquiries. 1,049 complaints (new and from last year) were closed during the year. Eighty-five percent were resolved without issuing a final opinion.[1944] The Commissioner regards the power to investigate and to require answers during investigations as "a vital element" in securing such a high conciliation rate. When conciliation fails, the Director of Human Rights Proceedings[1945] or the complainant (if the Director of Human Rights Proceedings is unwilling) can bring the matter before the Human Rights Review Tribunal, which can issue decisions and award declaratory relief, issue restraining or remedial orders, and award special and general damages up to NZD200,000 (~USD115,000).[1946]
In March 2002, the Commission hosted a meeting of the International Working Group on Data Protection in Telecommunications, a group created by the International Conference of Data Protection and Privacy Commissioners. In conjunction with that meeting the Commissioner also organized a one-day symposium on freedom of information and privacy.[1947]
The Law Commission is currently undertaking a review of the legal protection of privacy rights and the working of the 1993 Privacy Act. In February 2002, the Commission issued a discussion paper "Protecting Personal Information from Disclosure" for public comment.[1948] In the summer of 2001, the Mental Health Commission began a study of privacy procedures in mental health services. The Privacy Commissioner participated in the work of the review board. In February 2002, the board issued its report: "A Review of the Implementation of the Privacy Act and Health Information Privacy Code by Mental Health Units of District Health Boards."[1949]
New Zealand is one of several countries involved in negotiations with the European Commission concerning the "adequacy" of its privacy regime in relation to the European Union Data Protection Directive (95/46/EC). Since 1998 the Commission has been urging the Government to introduce two minor amendments to the Privacy Act in order to secure a finding of adequacy. The first amendment would remove the existing requirement that in order to make an access or correction request, an individual must be a New Zealand citizen, permanent resident or present in New Zealand at the time the request is made. The second would introduce a limited data export control to regulate the transfer of personal information outside New Zealand. In December 12, 2000 these changes were finally included in the Statutes Amendment Bill and submitted to Parliament. A statutes amendment bill is a procedure designed for the introduction of non-controversial legislation. Accordingly, it was expected that these amendments would be approved and enacted without delay.[1950] In the fall of 2001, however, one party withdrew its support of one of the amendments. In his annual report for the year ended June 30, 2001, the Privacy Commissioner encouraged "those responsible for the business of the House of Representatives [to] ensure that whatever vehicle these amendments proceed in is given priority." There has been no apparent progress to date on this issue.
The High Court ruled in July 2000 that the implementation of a nationwide drivers license system with a digitized photographthat was required by the 1998 Land Transport Act was legal. The law creates a national database of digitized photographs. The individual challenging the law appealed the ruling.[1951] The Court of Appeals rejected her appeal in April 2001 saying much of the case was based on misconceptions of the law.[1952]
The New Zealand Crimes Act and Misuse of Drugs Act governs the use of police interception powers.[1953] Interception warrants authorize not just the interception of communications but also the placing of listening devices. A judge authorizes warrants where there are reasonable grounds to believe that certain offences have been committed or are being contemplated. Emergency permits may be granted for the bugging of premises and, following the 1997 repeal of a prohibition, for telephonic interceptions. Those who illegally disclose the contents of private communications illegally intercepted face two years in prison. However, those who illegally disclose the contents of private communications lawfully intercepted are merely liable for a NZD500 (~USD290) fine. In 2001/2002 the New Zealand Police sought and obtained 19 (new and renewed) interception warrants under the Misuse of Drugs Act and 8(new and renewed) interception warrants under the Crimes Act. One emergency permit was granted under the Crimes Act.[1954] A total of fifty-two warrants (new and renewed) were obtained under the Telecommunications Amendment Act 1997 for obtaining call data analyzers (pen registers and trap and trace devices that obtain call information but not the contents of communications).
The New Zealand Security Intelligence Service (NZSIS), established under the New Zealand Security Intelligence Service Act of 1969, is also permitted to carry out electronic interceptions. The NZSIS has a staff of 115 and an annual budget of NZD11 million (~USD6.3 million). The majority of its work is devoted to threats to national security.[1955] The Act was amended in 1999 to allow for the service to enter premises to install taps following a Court of Appeal case that prohibited entering of premises without a warrant. The amendment also created a "foreign interception warrant."[1956] Another amendment created a Commissioner of Security Warrants to jointly issue warrants with the Prime Minister.[1957] The Minister in Charge of the NZSIS is required to submit an annual report to the House of Representatives. During the year ending June 2002, the Minister reported that 21 domestic interception warrants were in force. Of these, 13 were new interception warrants and 8 were carried over from the previous year. The average length of time for which these warrants were in force was 131 days.[1958] According to the Minister's report "the methods for interception and seizure used were listening devices and the copying of documents." The report also states that foreign interception warrants were in force during the year but does not give any statistics for these warrants.
One agency not governed by the restrictions imposed on law enforcement and the NZSIS is the Government Communications Security Bureau (GCSB), the signals intelligence (SIGINT) agency for New Zealand. The GSCB was established by Executive Authority in 1977 and focuses on foreign intelligence. Operating as a virtual branch of the US National Security Agency, this agency maintains two intercept stations at Waihopai and Tangimoana. The Waihopai station routinely intercepts trans-Pacific and intra-Pacific communications and passes the collected intelligence to NSA headquarters. David Lange, a former Prime Minister of New Zealand, said that he and other ministers were told very little about the operations of GCSB while they were in power. Of particular interest to GCSB and NSA are the communications of the governments of neighboring Pacific island states.[1959] GCSB was specifically exempted from the provisions of the Crimes Act in 1997.[1960]
The Government Communications Security Bureau Act was enacted in 2003. This enactment places the GCSB on a statutory footing. In August 2001, the Government announced that it is setting up a new unit within the Government Communications Security Bureau dedicated to the protection of nation's critical infrastructure from cyber threats by Internet hackers or computer viruses. The Centre for Critical Infrastructure Protection (CCIP) was scheduled to begin operations in April 2002.[1961]
The Government has created major new surveillance powers for these state agencies. The Crimes Amendment Act (No. 6), overwhelmingly passed by Parliament in July 2003, gives intelligence agencies additional powers to intercept communications, with High Court approval; while also criminalizing similar unauthorized activities, and the distribution or possession of computer hacking programs.[1962] The Act prohibits the unauthorized interception of electronic communications and makes hacking and denial of service attacks illegal, but would grants exemptions to the police, the NZSIS and the GCSB, allowing them to secretly hack into individuals' computers and intercept e-mail, text messages, and faxes. Police are required to specify a person, place, and specific electronic address, phone number, or similar facility when applying for an interception warrant.
Even more controversial is the Telecommunications (Interception Capabilities) Bill, introduced into Parliament on November 12, 2002. Similar to the United States Communications Assistance for Law Enforcement Act (CALEA) of 1994, this legislation would require all Internet Service Providers (ISPs) and telephone companies to upgrade their systems so that they are able to assist the police and intelligence agencies (GCSB and SIS) intercept communications. The legislation would also require a telecommunications operator to decrypt the communications of a customer if that operator had provided the encryption facility.[1963] It would not require individuals to hand over encryption keys.
Prior to introducing the proposals the Government sought the advice of the New Zealand Law Commission on whether such a requirement would violate Section 21 of the New Zealand Bill of Rights on unreasonable searches and seizures. In its report, issued in February 2002, the Law Commission concluded, "the existence of comparable obligations in other democracies establishes reasonably conclusively either that the search is not thereby rendered unreasonable or that if there is a limitation of the rights described in Section 21 it can be demonstrably justified in a free and democratic society." The Commission recommended that the law be amended to impose an obligation on third parties to provide all reasonable and necessary information and assistance (including passwords and decryption keys) to enable law enforcement officer(s) to access, copy or convert the data into intelligible form.[1964]
The government introduced the Counter-Terrorism Bill on December 17, 2002. This measure, intended to implement obligations arising from international conventions relating to the suppression of terrorism, proposes to introduce new and sweeping criminal offences. The Bill introduces powers to search and seize computer databases; seize and detain goods at border checks if there is cause to suspect that the recipient is "eligible" for designation as a terrorist; and it establishes a regime for the use of tracking devices (defined as devices which "when installed in or on any thing, may be used to help ascertain, by electronic or other means, the location of any thing or person"). The Bill could force individuals to disclose their passwords, even in non-terrorism related investigations, or else face three months in jail or a fine of NZD2,000 (~1,150USD).
The Broadcasting Act of 1989 requires broadcasters to maintain standards that are consistent with "the observance of good taste and decency...the maintenance of law and order and the privacy of the individual."[1965] It establishes a Broadcasting Standards Authority (BSA) to oversee enforcement and to rule on complaints. The BSA has ruled on several privacy cases.[1966] Recently, particular controversy surrounded several television broadcasts unreasonably intruding on the privacy of children. In March 1999 one program, widely publicized in advance, revealed the results of a DNA paternity test live on TV with mother, father and young child present.[1967] The Broadcasting Amendment Act of 2000, which came into effect on July 1, 2000, empowers the BSA to encourage the development and observance by broadcasters of codes of broadcasting practice in relation to the privacy of the individual.
The Criminal Investigations (Blood Samples) Act of 1995 authorized the establishment of a national DNA databank. Police have to get an order from a High Court judge before a compulsory test can be conducted and they can only take samples from suspects of violent crimes and convicted burglars. Voluntary samples from anybody can be included in the databank. In October 2000, police were ordered to reduce the number of voluntary DNA samples due to budgetary concerns. By 2002, however, it was reported that police were being advised to increase this number again and to try and obtain voluntary samples from anyone arrested with a prior criminal record.[1968] In February 2001 the Justice Minister announced that he planned to introduce legislation to allow DNA samples to be taken from burglary suspects.[1969] As of June 2002, the total number of DNA profiles stored in the national database was 24,001. Of these, 19,453 were obtained by consent and 4,426 were obtained by compulsory order.[1970] In May 2002, a new NZD3 million (~USD1.7 million) purpose-built laboratory was opened in Auckland for forensic DNA testing.[1971] Testing is carried out by the Institute of Environmental Science and Research (ESR).
The Official Information Act of 1982[1972] and the Local Government Official Information and Meetings Act of 1987[1973] are freedom of information laws governing the public sector. There are significant interconnections between this freedom of information legislation and the Privacy Act in subject matter, administration, and jurisprudence, so much so that the three enactments may be viewed, in relation to access to information, as complementary components of one overall statutory scheme. The Office of the Ombudsman supervises enforcement.[1974] The Ombudsman hears around 1,100 complaints each year under the Official Information Act and 170 each year under the Local Government Official Information and Meetings Act. The Privacy Commissioner and the Ombudsmen work closely together where Official Information Act requests involve privacy issues.
New Zealand is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
The Privacy Act does not apply to self-governing territories associated with New Zealand, the Cook Islands and Niue. Nor does it apply to the soon-to-be self-governing territory of Tokelau.