On December 18, 2024, the New Zealand Privacy Commissioner announced the forthcoming introduction of the Biometrics Privacy Code, aimed at establishing rules for the collection and processing of biometric information within the country.
This updated Code emerges from earlier drafts and reflects the pressing need for specific regulations concerning biometric data—a type of information representing individuals’ physical or behavioral characteristics, such as facial features, fingerprints, and voice patterns. The Code aims to amend certain privacy principles found within the Privacy Act 2020 and introduce stringent provisions surrounding biometric processing.
“Biometric information refers to an individual’s physical or behavioural features like their face, fingerprints, or voice,” stated the Privacy Commissioner, highlighting the significance of this data type as society increasingly adopts technologies like facial recognition.
Under the proposed Code, agencies handling biometric information will have specific obligations to protect individual privacy. This includes implementing strict privacy safeguards, which demand the collection of informed consent, the ability to opt out, as well as ensuring the security of biometric systems and providing oversight over their operation. New Zealand’s current absence of explicit guidelines on biometric data collection has raised concerns about privacy rights, driving the urgency for this Code.
One of the mandatory requirements detailed within the new guidelines is the conducting of “proportionality assessments.” Agencies must evaluate the contexts surrounding biometric data collection, weighing the benefits against privacy risks, and considering cultural effects, particularly on Māori and other demographic groups. “Agencies must also conduct a 'proportionality assessment' to justify biometric processing,” the Commissioner asserted.
Another key element of the Code focuses on transparency. Agencies will be obligated to provide individuals with greater clarity concerning how their biometric information is processed. This includes informing them of alternative options to biometric processing and allowing individuals the ability to raise concerns or complaints to the Privacy Commissioner if they feel their data has been mishandled.
There are notable limitations on the use of biometric data under this Code. The restrictions prevent agencies from using biometric data for purposes outside the original intent without implementing adequate privacy safeguards. “The commencement period has been increased to nine months,” the Privacy Commissioner highlighted, allowing organizations more time to comply with these updated mandates.
Most obligations detailed have been influenced by feedback during the community consultation process. The Code’s definitions have been simplified to promote clarity and ease of comprehension, and the guidelines make it explicit which practices fall within the scope of the Code. “The Code strikes a balance between protecting individual rights and fostering innovation,” according to privacy expert commentary on recent developments.
Besides, trials for new biometric applications can now be conducted by organizations, with the expectation they still align with the Code. This offers the opportunity to evaluate various biometric technologies under real-world conditions without automatically encountering hindrances imposed by existing regulations.
Changes also introduced by the Biometrics Privacy Code include the removal of the restriction on web scraping—an online data collection practice previously subjected to stringent scrutiny. Instead, any unreasonable web scraping will be handled under Rule 4 of the Code. Such shifts aim to streamline processes and maintain focus on the most sensitive areas of biometric use, such as emotional recognition.
With the consultation period currently open until March 14, 2025, the Privacy Commissioner has actively sought submissions from the public about the proposed Code. This feedback will contribute to shaping the final version, expected to be released around mid-2025. Key questions outlined for consideration include whether organizations should undergo proportionality assessments before employing biometric data and whether individuals should preemptively be informed about how their data is utilized.
While these new regulations provide necessary protections for individuals, privacy experts warn of potential unintended consequences as the compliance requirements may pose challenges to organizations adapting to these new standards. Organizations must balance safeguarding individual rights with fostering innovation and adopting new technologies.
Overall, the introduction of the New Zealand Biometrics Privacy Code marks a significant step forward for data protection, aiming to create a framework where biometric information can be collected responsibly, keeping individual rights at the forefront of technological advances.
