Data-driven businesses are the way forward, and spying rules must be tight for others to use our services.

With the recent announcements of manufacturing closures in New Zealand, such as Fisher & Paykel's Auckland plant, it is important to develop new knowledge-based jobs here. Twenty-first century business is increasingly data-driven by analytics and Big Data. Personal information is becoming the new oil and companies here must be able to tap into it.

A good example of information-based business is cloud providers. Currently, the United States is the dominant player. New Zealand has never competed on scale; instead its strength has been the quality of its products and the reputation of its brands. With cloud services, reputation and trust are everything.

Legal safeguards for personal information and restraining unimpeded surveillance are crucial to allow businesses to make the most of this trust.

The recent Independent Review of Intelligence and Security by the Hon Sir Michael Cullen and Dame Patsy Reddy has produced remarkably detailed recommendations for revamped laws surrounding the activities of our spy agencies. If they are implemented in their entirety we will have some of the toughest controls on such agencies in the western world.


If instead the Government cherry-picks aspects of the Cullen-Reddy report, then the gaps would quickly be exploited by the agencies concerned and we may as well not have bothered with any reform.

To give just one example, one of the currently neglected areas is "incidentally gathered information". Electronic surveillance tends to "vacuum up" vast amounts of information. Most is undoubtedly discarded by the likes of the GCSB but currently it can be sent to its partners in the Five-Eyes network who can do what they want with it.

The report recommends plugging this gap by requiring the New Zealand agency to decide which part of the data it wants to keep or share and to go through procedures (such as obtaining an interception warrant). This would mean all surveillance is targeted and mass surveillance such as that exposed by Edward Snowden could not occur.

Into this heady mix must be factored the restrictions imposed on New Zealand by the TPP. Although this free-trade agreement requires its parties to adopt or maintain a legal framework providing for the protection of personal information, the requirement is weakly defined. It can be satisfied by laws providing for enforcing voluntary undertakings by enterprises relating to privacy. This is essentially the American approach and has not prevented frequent privacy invasions by the likes of Facebook and Google, for instance.

The TPP's article 14.11.2 mandates that cross-border data flows of personal information not be restricted, and article 14.13 prohibits laws that require data to be held in New Zealand rather than elsewhere, for example in Australia.

Exceptions are subject to a complex four-step test with the onus being on the country imposing restrictions to show why they are essential for its public policies, and that they are non-discriminatory and proportionate.

Finally, there are the investor-state dispute settlement provisions prohibiting direct or indirect expropriation of overseas investors targeting New Zealand.

Should the Government follow recommendations for strengthening the Privacy Act by imposing strict liability on local agencies that outsource information or use cloud providers, it is likely that the agencies would seek to obtain indemnities from the overseas providers involved. This may lead to the latter refusing to provide the services.


Where existing facilities (say data storage) have already been built with a view to serving customers here, this may amount to indirect expropriation and lead to our government being sued by investors under investor-state provisions in the TPP. This may not be far-fetched and illustrates why delaying much-overdue reform of the Privacy Act has weakened our ability to project a privacy-friendly image.