The new Government must, in its first 100 days, begin updating our pre-Internet era Privacy Act so that New Zealand may reclaim its lead in technology-friendly privacy law.

Earlier this month it emerged that a Vehicle Testing NZ employee had given several people's personal information to a gang member. The information had, amongst other things, allowed those people's identities and addresses to be known by gang affiliates.

This is just one illustration of how deeply flawed are the truisms that "privacy is dead", and that "those with nothing to hide have nothing to fear". Personal information about all of us exists that, if misused, can have serious consequences.

Australia updated its federal Privacy Act five years ago and further amendments take effect next year. In the Vehicle Testing NZ example, the agency would have to warn those whose details had been leaked.


The previous Government had committed to bringing in this mandatory breach reporting, as well as empowering the Privacy Commissioner to unilaterally make compliance orders against agencies that frequently flouted privacy standards (currently he/she can only make non-binding findings and it is up to a tribunal to make binding decisions which can take time).

Australia also requires greater transparency through public notification of organisations' privacy policies. New Zealand should go further to bring its law up to date with today's hyper-connected world.

Consider, for instance, mobile ads. Anyone can now use services such as Google AdWords not only to pitch their products and services, but also to find out information about those who download apps that enable this, including their location data.

App providers should, in future, have to incorporate "privacy by design" features so customers can control the purposes for which data is being collected. For example, telling you whenever they collect additional data such as your smartphone's unique identifier.

Similarly, "Trojan horse" technologies - where for instance an app is downloaded to facilitate a service but which then snoops on all other information about the user not related to the service - must be regulated.

Critically, the definition of what counts as personally identifiable information and the protection of digital identity needs to be a focus. No one can deny the benefits gained from being able to analyse large data sets when individuals' data has been combined with that of others, or made anonymous by removing identifying details, but the ability to re-identify someone is now alarmingly easy.

Consider a scenario where researchers analyse all data of secondary students in New Zealand and find that there is a high correlation between those who have studied a particular subject and their future health outcomes. If those student who have taken that subject are then denied a health service, is this a valid use of data?

What if, instead, those who have not studied it are targeted for the service? Are these decisions about individuals or about a class of people with certain attributes? These are matters that must be addressed in any new law.


The new law must be future-proof but, at the same time, respect individuals' rights to keep aspects of their lives off-limits to technology. Already, advanced brain-scanning techniques are being developed that allow our innermost thoughts and feelings to be read by a machine. We may have nothing to hide but most people would wish to keep some thoughts private.

• Gehan Gunasekara is an associate professor in commercial law at the University of Auckland and is deputy chair of the Privacy Foundation NZ.