Privacy Predictions for 2023

Our privacy predictions for 2023

Privacy’s been pretty busy in 2022. We’ve seen the appointment and commencement of our new Privacy Commissioner, Michael Webster; several news reports on the use of Facial Recognition Technology (FRT) by retailers and the release of a consultation paper from the Office of the Privacy Commissioner (OPC) on the use of biometric technology; a Ministry of Justice proposal to amend principle 3 of the Privacy Act; and several high profile privacy inquiries, including the OPC’s joint inquiry with the IPCA on the Police’s collection of personal information about members of the public, particularly rangatahi, in Aotearoa.

We think 2023 will be no less exciting, and here are our predictions for the year:

  • Consumer data right – At the end of 2021, the government signalled that a bill implementing a new consumer data right (NZ’s version of the data portability right) would to be introduced to Parliament in 2022. This has not happened yet, probably because it was overshadowed by other legislative priorities, but we’re likely to see progress on this early next year. Readiness work has already begun in the banking and fintech sectors, in anticipation of the law’s eventual implementation.
  • Regulation of biometrics – A decision on the regulation of biometric technologies, including FRT, is likely to be high on the OPC’s agenda. Whatever regulatory response is favoured, the OPC has made clear that it will seek to preserve the benefits of the technology while protecting against privacy risks, and to ensure the compliance burden is proportionate to the scale of the risk.
  • Broadening the transparency obligation – We should also see action on the Ministry of Justice’s proposal to broaden the Privacy Act’s notification requirements in IPP 3. Currently, there is no requirement for agencies to provide privacy notice to individuals when collecting personal information about them indirectly. Submissions – such as those made by the Privacy Commissioner – appear to favour an amendment to existing IPP 3, rather than the insertion of a new privacy principle. We think this is the right outcome.
  • Privacy law reform in Australia – Australia is getting a new Privacy Act, which has already been recently amended in the wake of the Optus and Medibank breaches to include provision for significantly higher financial penalties (AUD $50 million or more). This ongoing law reform is something we will all need to keep an eye on, because the changes will impact any NZ organisation that ‘carries on business’ in Australia. More broadly, it is possible that such significant reform could be the catalyst for further change here in Aotearoa.
  • Privacy Commissioner is making friends, and waves – In 2023, we can expect to see a continuation of the Commissioner’s engagement with the “privacy ecosystem” – including policymakers, organisations, NGOs, industry groups, and privacy professionals – to deliver privacy guidance and resources more efficiently. But the Commissioner has also signalled that he has a few key areas of focus for the coming year, including biometrics, children and privacy, and the small business sector.