In this article we summarise the key takeaways from the announcement and how businesses can prepare for the proposed reforms.
Overview of the code - three key rules
The introduction of a new code of practice would change how certain principles in the Privacy Act apply to organisations that gather biometric information (i.e., information about a person’s physical or behavioural characteristics).
The OPC’s announcement proposes three “workable rules” for the regulation of biometric information, as follows:
- Proportionality Assessment: Agencies collecting biometric information will be required under the code to conduct a proportionality assessment, evaluating the necessity of the data collected and associated privacy risks. This is intended to ensure that the use of biometrics aligns with the level of risk and intrusiveness involved.
- Transparency and Notification Requirements: The proposed code will require agencies to be transparent and open about their use of biometric information. This includes using clear language and signage to inform individuals about the collection and use of their biometric data.
- Purpose Limitations: The proposed code will seek to define and limit the purposes for which biometric information can be collected and used. This includes restrictions on the use of biometrics for direct marketing or inferring emotions.
Certain carve-outs will apply, including for health information, neurodata (i.e., information related to the structure, function, or activity of the brain and nervous system) and genetic information. Depending on its nature and content, this information may be separately regulated under the Health Information Privacy Code 2020.
The OPC has explained that it has proposed a binding code (rather than issuing non-binding regulatory guidance) for several reasons, including that a code enables the OPC to “take compliance action” in the event of breach. In addition, the OPC’s announcement refers to the need to respond to “significant concerns” about the risks that biometrics pose to Māori, including the potential for bias, discrimination, and surveillance.
The exposure draft of the code will be released in early 2024.
In advance, businesses should carefully review any current biometric data practices, and assess the types of biometric information collected, the purposes of collection, and existing transparency measures, to identify any areas that may require adjustments to align with the new regime.
Businesses should also take note of other international developments which may influence the development of the biometrics code, including:
- the EU’s draft AI Act, which proposes to restrict certain uses of biometric technology, including live facial recognition systems in public places (see our article here);
- a recent US executive order by President Biden on AI (here), which warns of the risk of those with disabilities receiving “unequal treatment from the use of biometric data like gaze direction, eye tracking, gait analysis, and hand motions”; and
- the recent Bletchley Declaration on AI (here), signed at a summit in the UK by 27 countries and the EU, which included a statement that signatories were “especially concerned” by “biotechnology” risks.
In addition, New Zealand businesses should prepare to actively participate in the public consultation on the design of the code to ensure that any current or proposed biometrics initiatives are not unduly stifled.
Bell Gully’s Consumer, Regulatory and Compliance Team are closely monitoring these developments. If you would like further details on the proposals, or assistance in making submissions on the draft code early next year, please get in touch with the authors or your usual Bell Gully adviser.
This article was written with the helpful assistance of Abbie Pool, a summer intern in Bell Gully’s Summer Intern Programme.