New Zealand is committed to the Universal Declaration of Human Rights and has ratified the International Covenant on Civil and Political Rights, both of which contain a right to privacy.[1] Privacy law in New Zealand is dealt with by statute and the common law. The Privacy Act 2020 addresses the collection, storage and handling of information. A general right to privacy has otherwise been created in the tort of privacy. Such a right was recognised in Hosking v Runting [2003] 3 NZLR 385, a case that dealt with publication of private facts. In the subsequent case C v Holland [2012] NZHC 2155 the Court recognised a right to privacy in the sense of seclusion or a right to be free from unwanted intrusion.[note 1]
Legislation
New Zealand Bill of Rights Act 1990
The New Zealand Bill of Rights Act 1990 (NZBORA) is based on the International Covenant on Civil and Political Rights,[3] however no express right to privacy is included in the Act. Despite the lack of an express right, privacy is the foundation for many of the rights contained within NZBORA, such as freedom from unreasonable search and seizure as protected by section 21.[4] The fact that a right to privacy is not included in NZBORA does not affect or invalidate it in any way.[5] It is suggested that privacy was not included in NZBORA due to its difficulty to define, and because the social environment at the time was not one in which it was appropriate to implement a right with vague and uncertain parameters.[6]
Privacy Act 2020
New Zealand has a statute entitled the Privacy Act 2020 (which replaced the Privacy Act 1993). However, despite its declaration that it is an Act to promote and protect individual privacy, it in fact only covers information privacy. The Privacy Act was created to combat concerns about technological advances and their potential to be used to access private information, when this risk had been far less under manual data systems.[7]
The Act contains 13 Information Privacy Principles which govern the handling of private information by agencies. An 'agency' is widely defined as any person or body of persons, whether public or private, and whether corporate or unincorporated, with specified exceptions.[8] There are also numerous exceptions to the Information Privacy Principles, which can be found both within the principles and in other places within the Act.[9]
When an individual feels there has been a breach of the principles he or she can lodge a complaint with the Privacy Commissioner.[10] The Privacy Commissioner investigates the complaint and undertakes a process of conciliation rather than punishment.[11] If the complaint cannot be settled, it may be referred to the Human Rights Review Tribunal, which may or may not consider the situation anew, and it's quite likely that they won't consider a complaint at all (especially if the issue is related to debt). If the Tribunal finds there has been a breach, it may award a range of remedies including damages and restraining orders.[12]
The Privacy Act recognises that privacy is not an absolute concept and that there are other factors which need to be weighed to determine what the outcome should be. The Privacy Commissioner must always have regard to factors such as human rights, social interests, and international obligations and guidelines.[13] The Privacy Commissioner is able to make authorisations regarding the use of private information which would normally be contrary to the Act if he or she is satisfied that the public interest or benefit outweighs the interference with privacy.[14]
Broadcasting Act 1989
The Broadcasting Act 1989 requires broadcasters to maintain standards consistent with the privacy of the individual. The Act establishes the Broadcasting Standards Authority (BSA), which has the functions of receiving and deciding complaints against broadcasters, issuing opinions relating to ethical conduct and standards in broadcasting, and issuing codes of practice for broadcasters and encouraging compliance with them.[15] Privacy is consistently mentioned in the codes and standards of practice issues by the BSA.[16] While the Broadcasting Act does not provide any explanation of what constitutes a breach of privacy, the BSA has seven principles relating to alleged breaches of privacy.[17] In considering a complaint, the BSA can award a variety of remedies if it finds there has been a breach, but there is no ability to take a complaint to a court of law based on the standards contained within the Act.[18]
Common law
A general tort of invasion of privacy exists in New Zealand. The case which is accepted to be the first which found that a tort of privacy may exist was Tucker v News Media Ownership Ltd, in which the judge supported the introduction of such a tort into the law of New Zealand.[19] A few years later in
Bradley v Wingnut Films, the judge accepted that a tort of privacy did exist in New Zealand law, but that it should be approached with caution as it was in the earlier stages of development.[20] The most crucial New Zealand High Court decision was that of P and D v Independent News Auckland Ltd[note 2], where the court defined the elements of a tort of privacy as:[21]
The public disclosure of facts
The facts disclosed are of a private nature
The facts made public would be considered highly offensive to a reasonable person
There is insufficient legitimate public concern in having the facts made public.
The New Zealand Court of Appeal in a bare majority in Hosking v Runting accepted that there was a tort of privacy in New Zealand. The tort was affirmed as protection in this area was needed and the breach of confidence tort was not suitable to cover situations involving privacy.[22] The two requirements for the tort set out by the majority closely reflect those set out in P v D:
Existence of facts which were reasonably expected to be private
Publicity given to those facts which would be considered highly offensive by the objective and reasonable person.
In addition, privacy had to be weighed against the defence of legitimate public concern which encompasses the right to freedom of expression.[23]
The Supreme Court of New Zealand has in one case accepted that a tort of privacy exists for the purposes of a case before it, but had differing opinions about its requirements and application.[24] In Brooker v Police the court acknowledged the decision of Hosking but refrained from commenting.[25]
Security and intelligence
New Zealand’s intelligence and security agencies
Two government bodies are responsible for monitoring New Zealand's national security: the Government Communications Security Bureau (the 'GCSB') and the Security Intelligence Service (the 'SIS'). Prior to the introduction of the Intelligence and Security Act 2017, these bodies operated strictly independently of one another, and general mystery surrounded their exact functions and capabilities. Much of the confusion originated from the fact that the SIS and GCSB appeared to have differing objectives which meant that, if required, co-operation and coordination would likely be complex and convoluted.
For example, only the SIS could perform surveillance, or spy, on New Zealanders, as provided by the New Zealand Security Intelligence Service Act 1969. There were stipulations as to what 'spy-activities' were permitted, and as a pre-requisite, any proposed surveillance had to be relevant to "security" and its associated threats, such as instances of 'espionage, sabotage, subversion or terrorist attacks'.[26]
The 2013 surveillance landscape
In September 2012, Paul Neazor, the Inspector-General of Intelligence and Security advised John Key, the then New Zealand Prime Minister, of a situation which would later be called an "unlawful interception" of an individual known as Kim Dotcom by the GCSB.[27] Following a formal request from the United States' Federal Bureau of Investigation that Kim Dotcom be extradited to the United States, the GCSB spied on Mr Dotcom in order to assist the FBI's request.[27] However, as the GCSB did not have the legal authority to conduct surveillance, Justice Gilbert of the Court of Appeal, deemed unlawful.[28]
Following this widely publicised incident, GCSB Director Ian Fletcher and Chief Executive of the Department of the Prime Minister and Cabinet Andrew Kibblewhite initiated a review of compliance.[29] They assigned the then Cabinet Secretary Rebecca Kitteridge with undertaking the review to look into the "activities, systems and processes since 1 April 2003".[30] This date is significant as it was the date from which the Government Communications Security Bureau Act 2003 came into force.
The “Kitteridge Report” ultimately concluded that GCSB lacked the legal basis and authority to perform many of its intelligence acts – including the surveillance carried out on Kim Dotcom. The Kitteridge Report made a number of recommendations to ensure that the Government agency had the legal authority to do the activities necessary. All of the recommendations presented in the Kitteridge Report were accepted by the Government and GCSB which led to a number of legislative reforms. These included giving the GCSB the express capability to legally perform surveillance on New Zealanders when required by the SIS, the police or Defence forces.[31] At the time when these changes were introduced, with mounting public concern about New Zealanders' rights to privacy, the then Prime Minister John Key stated that the "new legislation does not add up to an expansion of the bureau’s powers".[31]
It is now permissible for GCSB to legally spy on New Zealanders as a result of the 2013 reforms.[26] In addition, the GCSB's role has expanded and it is now able to perform surveillance on "behalf of the SIS, the police or the Defence forces, or for the purposes of cyber security".[32]
The 2016 surveillance landscape
In August 2016 the then Prime Minister John Key announced that due to the threat of ISIS and global terrorism, the New Zealand Government would be introducing new legislation to provide further safeguards for New Zealanders.[33]
New Zealand's first Intelligence and Security Review was undertaken by Sir Michael Cullen and Dame Patsy Reddy, and looked at "the legislative framework governing the agencies and considered whether they were well placed to protect New Zealand’s current and future national security while protecting individual rights".[34] The review was completed at the end of February 2016, and its findings proposed that one Act be introduced to bring all of New Zealand's intelligence and security agencies together.[26]
Cullen and Reddy identified a number of issues in their report. One of the prominent issues identified was that the fragmented legislative landscape meant that it was difficult to bring the multiple agencies together when required. Because each intelligence and security agency operated under its own legislative framework, it was confusing for New Zealanders to understand which agency was responsible for what, and exactly what their lawful powers and capabilities were.
The reviewers concluded that a "single Act" was necessary to overcome these issues.[35] They commented that a single Act would:
"give a comprehensive and much clearer view of the agencies' functions and powers, and the checks and balances that apply to the operation of their powers … [and] would avoid inconsistencies and gaps between various statutes and enable a consistent set of fundamental principles to be applied to the agencies and their oversight".[36]
Understandably, drawing the two bodies together would make it easier for them to co-operate and work together when required.
Another issue concerning to the reviewers was the lack of security protection available to New Zealanders under the prevailing legislation. The most recent piece of legislation dealing with intelligence and surveillance was enacted some 47 years ago, the New Zealand Security Intelligence Service Act 1969. Over the course of those years and the accompanying advances in technology, the need to overhaul the law has increased markedly. As terrorist groups continue to advance in their technological capabilities, the current legislation was quickly becoming out-dated and unsuitable for present day society.
The Intelligence and Security Act 2017
The purpose of the Intelligence and Security Act 2017 was to bring clarity and cohesion to the GCSB and SIS, the two agencies in New Zealand responsible for monitoring the country's security and intelligence.
The Act was "a direct response to the report of the First Independent Review of Intelligence and Security in New Zealand: Intelligence and Security in a Free Society, and it replaces the four Acts that applied to the GCSB, the NZSIS, and their oversight bodies".[37]
Given the importance of this proposed legislation, when public submissions for the Bill were called for, 92 were received by the Select Committee. These included submissions made by the New Zealand Law Society,[38]the New Zealand Human Rights Commissioner,[39] and the Privacy Commissioner[40] and many of their recommendations were similar in nature expressing concern over the words used to draft the Bill making the powers of the bodies uncertain, and also the potential for ordinary New Zealanders' privacy rights to be breached.
Although the Act intended to give oversight and transparency to the New Zealand intelligence and security agencies, the Act was drafted in a manner that gave far-reaching powers to the GCSB and SIS to perform surveillance on New Zealand citizens and non-residents in ways that had previously been prohibited. The basis for doing so was that New Zealand's national security is at stake with the ever-present and increased risk of terrorism in today's society.[citation needed]
The new Act has extended the GCSB's capabilities to perform surveillance on New Zealanders, whereas previously, only the SIS was permitted do this. This extension of the GCSB's powers has the potential to have serious ramifications for all New Zealanders, as author and associate professor of law Stephen Penk notes, "surveillance of an individual may lead to a loss of privacy through an individual’s loss of control or autonomy when, typically, he or she is subjected to undesired monitoring of his or her functions, movements or communications"[41]
As per the recommendations made by Cullen and Reddy the new Act covers a number of points such as:
Bringing the GCSB and SIS together under a single Act for the purpose of achieving co-operation between the agencies.[35]
Clarifying the rules regarding monitoring, gathering, and storing of human intelligence.[35]
Making the SIS and the GCSB state-sector government departments, and therefore requiring them to comply with all regulations governing state-section government bodies.[35]
The Act's purpose was expressed in Section 3; which is to "protect New Zealand as a free, open, and democratic society".[35] This is achieved by:
a. Establishing intelligence and security agencies that will effectively contribute to –
The protection of New Zealand’s national security;
The international relations and well-being of New Zealand; and
The economic well-being of New Zealand
b. Giving the intelligence and security agencies adequate and appropriate functions, powers, and duties;
c. Ensuring the functions of the agencies are performed –
In accordance with New Zealand law and all human rights obligations recognised by New Zealand law;
With integrity and professionalism; and
In a manner that facilitates effective oversight;
d. Ensuring that the powers of the agencies are subject to institutional oversight and appropriate safeguards.
Part 2 of the Act "continues the SIS and the GCSB" but clarifies that they will remain two separate agencies with differences in capabilities and methods.[42] Although Part 2 makes note of these differences, they will continue to have shared objectives and functions under a "joint warranting" framework.[42]
In response to concerns that this proposed legislation interferes with New Zealanders' human rights, Part 2 provides a number of safeguards.[42] One such safeguard is expressed in sections 12 and 13 that "require that the agencies operate in accordance with New Zealand law and all human rights obligations, including when co-operating or sharing intelligence with foreign partners".[42] These sections were a direct recommendation of the Human Rights Commission to ensure that New Zealand complies with its international and domestic human rights obligations.[43]
Section 22 of the Act provided a further safeguard extending protection to "the right to engage in lawful advocacy, protest and dissent".[42] This is an important and long-standing human right that ought to be protected. The right to freedom of expression is enshrined in the New Zealand Bill of Rights Act 1990, with section 14 stating that "everyone has the right to freedom of expression, including the freedom to seek, receive and impart information and opinions of any kind in any form". The right has also been expressed in many other human rights instruments, such as Article 19 of the International Covenant on Civil and Political Rights, which also upholds this right. It is also reflected in the Universal Declaration of Human Rights: "Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers".[44]
Future directions
In dissenting judgments in the 2007 case Brooker v Police, two judges of the Supreme Court of New Zealand voiced their support for the strengthening of privacy rights in New Zealand. McGrath J outlined the international and domestic recognition of the right to privacy, concluded that privacy is close to matching the strength given to the right to freedom of expression, and used the privacy interests of an individual concerned in the case as the main reason for his conclusion and dissent. Thomas J explicitly stated his support for privacy to be given the status of a right, and reasoned his support by citing the NZBORA, international instruments, judicial decisions and social attitudes.[45]
In August 2011, the New Zealand Law Commission released the fourth and final part to a detailed inquiry into the state of New Zealand's privacy laws. The four parts discuss the concept of privacy, public registers, the invasion of privacy in both civil and criminal contexts, and the Privacy Act 1993.[46] The Commission recommends a range of changes be made to the law, such as the creation of a Do Not Call register and better protection of online information. Some of these recommendations are currently tabled before Parliament, while others are currently awaiting a response from the government.[47]
In March 2018, Minister of JusticeAndrew Little introduced the Privacy Bill to amend the Privacy Act 1993. The Bill will repeal and replace the current Act and make various changes, including strengthening powers for the Privacy Commissioner, introducing mandatory reporting of privacy breaches, creating new offences and increasing fines.[48][49]
^P and D v Independent News Auckland Ltd[2000] NZHC (n/a), presumably unavailable for privacy reasons, 2 NZLR 591 at [34] (25 February 2000), High Court (New Zealand)
^Hosking v Runting[2004] NZCA 34, [2005] 1 NZLR 1 at [45]-[49] and [108]-[116], 7 HRNZ 301 (24 March 2004), Court of Appeal (New Zealand)
^Hosking v Runting[2004] NZCA 34, [2005] 1 NZLR 1 at [117] and [129]-[130], 7 HRNZ 301 (24 March 2004), Court of Appeal (New Zealand)
^Television New Zealand Ltd v Rogers[2007] NZSC 91, 2 NZLR 277 at [23]-[26], [98]-[99], and [144]-[145], [2011] 24 NZULR 386, [2010] NZLJ 17, [2009] 15 NZBLQ 35; [2009] 15 Canta (16 November 2007), Supreme Court (New Zealand)
^Brooker v Police [2007] NZSC 30; [2007] 2 NZLR 91 at [122]-[129] and [136]-[148] per McGrath J dissenting and [164] and [213]-[229] per Thomas J dissenting