On 18 December 2024, the New Zealand Privacy Commissioner announced his intention to issue a Biometrics Privacy Code (Code). The Code is an updated version of the exposure draft released in April 2024. You can read our previous alert on the exposure draft here, and the latest draft Code here. 

What is the code?

New Zealand currently does not have specific rules that relate to the collection and use of biometric information. Biometric information refers to an individual’s physical or behavioural features like their face, fingerprints, or voice. Biometric processing is the use of technology, such as facial recognition technology, to collect and process the biometric information of an individual to identify them or learn more about them. 

The Code proposes to amend certain information privacy principles in the Privacy Act 2020 (Privacy Act) and create specific rules for the processing of biometric information. The key requirements will be: 

• a requirement to put in place privacy safeguards for biometric information and undertake a proportionality test for its collection;
• new obligations relating to information disclosure and providing sufficient notice; and 
• limiting the potential uses of biometric information. 

Collection

Under the Code, agencies will be required to implement privacy safeguards that minimize risks to individuals, such as obtaining informed consent, allowing opt-outs, ensuring biometric systems are secure, and providing oversight in system training. The previous exposure draft had included these examples of privacy safeguards directly into the Code itself, but the proposed new iteration of the Code has removed specific examples of privacy safeguards from the Code, as the Privacy Commissioner believes specific examples are better suited to being included in guidance material accompanying the Code. Agencies must also conduct a "proportionality assessment" to ensure that biometric processing is justified, effective, and not disproportionate in the specific context. This includes evaluating whether there are less privacy-invasive alternatives, weighing the benefits against potential privacy risks, and considering cultural impacts, particularly on Māori or other demographic groups. 

Information Disclosure

Agencies will also be required to disclose more information to affected individuals about the processing of their biometric information, including informing individuals whether alternatives to biometric processing are available, the policies governing biometric data use, and the retention of such data. Additionally, individuals must be informed of their right to raise concerns and lodge complaints with the Privacy Commissioner about the processing of their biometric information. To meet these additional transparency obligations, agencies must provide clear and separate notices detailing their biometric processing practices, distinct from general privacy policies.

Limits on use

The new Code also imposes strict limitations on how biometric information can be used. Agencies are prohibited from using biometric data for secondary purposes unless privacy safeguards are in place and the processing for that other purpose is deemed proportionate. The Code also restricts the use of biometric data to infer sensitive information, such as health status or emotional state, with some exceptions. 

Importantly, these new requirements under the Code will not apply to biometric processing by health agencies already regulated under the Health Information Privacy Code 2020.

What has changed? 

The key obligations in the Code have remained largely the same to the original exposure draft. However, following feedback through the submission process, the Code has been amended to make it clearer and easier to follow, including:

• Commencement period: The commencement period has been increased to nine months (previously six months) to allow businesses already using biometric information more time to comply with the Code.
• Simple definitions: The Code’s definitions have been simplified and the amount of definitions have been reduced to make it easier for individuals to understand. A key aspect of this change is revising the definition of biometric categorisation to make it easier to understand what activities are considered in-scope or out of scope under the Code. 
• Proportionality assessment and safeguards: The requirements relating to the proportionality assessment have been refined to make it easier for organisations to comply with the Code. Example safeguards will be set out in guidance issued by the Privacy Commissioner, rather than in the Code. 
• Trials: The Code now allows for an organisation to undertake a trial to assess its use of biometrics information. Any trial must still comply with the requirements of the Code. 
• Transparency: If an organisation publishes its proportionality assessment (which is optional), the organisation must publish where individuals can find this assessment. The notification requirements have also been simplified. 
• Lower risk activity: Restrictions on the use of biometric data are now more focused on high-risk areas like emotion recognition and health inference, while age estimation and attention tracking are regulated based on proportionality without specific restrictions.
• Web-scraping: The restriction on collecting information from publicly available sources by web-scraping has been removed. Unreasonable use of web-scraping will be dealt with under Rule 4 of the Code. 

What’s next?

The Privacy Commissioner is seeking submissions on the Code by 14 March 2025. Following the consultation period, the Privacy Commissioner will release the final code in approximately mid-2025. The key questions the Privacy Commissioner is seeking to answer are:

• Should organisations assess whether using biometrics is proportionate, and be required to put in place privacy safeguards if they do use biometrics?
• Should people know about the use of biometrics beforehand, and should organisations have to provide additional information about the processing?
• Should there be limits on some uses of biometric information, like biometric emotion analysis and types of biometric categorisation?

While the proposed new Code does remove some of the complexities, issues, and potential barriers that were raised in response to the exposure draft, the revised Code will still impose significant compliance costs on those organisations who process biometric information. These additional compliance obligations may unintentionally reduce the uptake of new technology and systems which can better protect individuals’ privacy rights.

Therefore, in our view, it is important that agencies engage in this consultation process to ensure the Code reaches the right balance between protecting individual rights and fostering innovation.

If you would like assistance in developing a submission on the Code, or would like to understand how the Code may impact your existing biometric processing activities, please get in touch with one of our privacy experts.