• Gehan Gunasekara is an associate professor in commercial law at the University of Auckland and researches and teaches privacy law.
The much-anticipated New Zealand Intelligence and Security Bill is before a select committee of Parliament. There is unlikely to be loud applause from Edward Snowden, however, as the bill does little to address the concerns regarding mass surveillance he exposed in 2013 and the subsequent mischiefs that have come to light including the GCSB spy agencies spying on New Zealand residents.
The bill follows the recommendations of the independent Cullen-Reddy Report as to how these should be addressed and the bill does implement many of them. The devil, however, is in the detail.
On the one hand the bill strengthens privacy protections by expanding the number of the Privacy Act's rules that now apply to the intelligence agencies.
Thus an individual may complain that information about them that was used, say, in a security clearance, was out of date, inaccurate or misleading, and another may complain that information about them was retained longer than necessary by the intelligence agency.
The bill's requirements for the issue of warrants for surveillance is also relatively robust.
There are, despite this, some weaknesses.
First, the Privacy Commissioner can only investigate breaches by the intelligence agencies and make recommendations to agencies and to the Prime Minister, which the latter is not obliged to follow.
Individuals cannot complain to the specialist tribunal that hears complaints against other agencies and can award damages. The same goes for whistle-blowers within the intelligence agencies, any complaints of unlawful behaviour can be made only within the intelligence structure itself, whereas other agencies' employees can bring matters to the attention of the Ombudsman who can ultimately report to Parliament.
Secondly, under the Privacy Act it is perfectly lawful for an agency such as a business holding customer information to disclose it to authorities where reasonable grounds exist for believing it is necessary for law enforcement, detecting offences and so forth. The intelligence agencies have now been added to this list. The police are likely to produce evidence as to why they need access to information but all that is required of intelligence agencies is their say-so that the information is needed.
This puts a lot of pressure on those who are the subject of such requests. Very few agencies release "transparency" reports detailing the number of official requests they have received and complied with, Trade Me being one exception. As the bill does not require warrants to carry out "lawful activities", clarity is needed as to whether warrants are needed in these instances.
Finally, the bill's definitions of the agencies' functions incorporate widely drawn terms such as "information assurance and cybersecurity" and "information infrastructure" that covers, for example, things such as metadata and big data.
Such gathered data may be shared with other agencies in New Zealand as well as those overseas if the minister authorises it. Even more alarmingly, the Director-General of Intelligence and Security may retain and disclose to public authorities, especially overseas ones, any "incidentally-obtained intelligence" for purposes that include responding to "potential threats to the security of any other country".
Such a loophole provides just the type of back door that continues and legitimises the possibility of mass surveillance. The nature of intelligence-gathering in the modern era is that a large amount of data is likely to be scooped up in the electronic net. The Cullen-Reddy Report recommended that any such retention and disclosure be subject to a separate warrant application, but this has not been followed in the bill.
Although it may be an improvement on earlier legislation governing spying the bill still contains many flaws and opposition parties would do well to examine these closely.