The good and not so good of the new GCSB bill

John Edwards
16 August 2016

[Image: laptop spying]

(This post originally ran on The Spinoff.)

Until last night I was unfamiliar with the commissioning process for pieces for The Spinoff. Mine came in the form of a Twitter direct message. “John! fancy writing us a post for the Spinoff on the new legislation and why you’re not a cheerleader clown!?”

The new legislation referred to is the New Zealand Intelligence and Security Bill. The “cheerleader clown” quip refers to a tweet from a beleaguered internet entrepreneur:


[Image: Kim Dotcom tweet]

The Bill, with its explanatory note, is 150 pages long, made up of 280 clauses, and it was tabled yesterday afternoon. So obviously I haven’t got chapter and verse yet. We will be diving deep into the details, and making a submission to the Select Committee. You should too. To use the old cliché, Mephistopheles resides in the particulars.

No Privacy Commissioner would champion legislation that permits intrusive and prying practices, hence the “no cheerleader” undertaking, but this Privacy Commissioner has an obligation to have due regard for the protection of important human rights and social interests that compete with privacy. I have to deal with the world as it is, and the intelligence and security functions, and agencies, are part of that world.

I respect the position of others who question the legitimacy of those activities, support their right to advocate that position with the Select Committee and their political representatives, and encourage them to do so.

My own advocacy has been directed at improving the transparency and oversight, and I think considerable gains have been made. As to some of the other aspects of the Bill, I’ve been interested in comparing and measuring the proposals against the current situation. Here are some of my initial impressions.

So the GCSB will be allowed to spy on New Zealanders?

Yep. That was provided for in the controversial 2013 amendments, passed as a result of the findings of the Kitteridge Report. Rebecca Kitteridge herself recommended the amendment as a “clarification” of the GCSB’s authority to assist other agencies. GCSB had always assumed its mandate to “provide advice and assistance to any public authority” allowed it to facilitate the execution of interception warrants obtained by the Police and the NZSIS despite the prohibition elsewhere in the Act on targeting New Zealand citizens.

The Bill implements the recommendations of the Reddy/Cullen Review, to provide for surveillance of New Zealand citizens that would otherwise be unlawful only on the authority of a warrant issued by the Attorney-General and Commissioner of Intelligence Warrants, where strict criteria are met.

Doesn’t the Bill allow the SIS to snoop around public databases?

Under current law, there is little to stop the NZSIS accessing any public or private sector database with the consent of the agency concerned, and allowing the SIS to have access is never a breach of the Privacy Act. Cullen and Reddy described this as “open slather”. It also lacks transparency.

Part 5 of the Bill provides for the intelligence and security agencies to have routine direct access to specified databases, but this access will be governed by “direct access agreements” entered into between the minister responsible for the agency with the database, and the minister responsible for the intelligence and security agency. In preparing those agreements, the ministers have to consult with the Privacy Commissioner, and the Inspector General of Intelligence and Security, and must have regard to our comments. We will be looking for proportionate access, good record keeping and audit, and sound policies around the retention of the data accessed.

Those agreements will be publicly available. That represents a significant improvement on the status quo in relation to those databases.

Part 5 also allows access by request for other information held by both government and private sector agencies. I’ll be looking closely at what controls there are on this access and whether these are sufficient.

But their activities are inherently anti-privacy?

That’s true and for that reason, for the last 23 years, the intelligence and security agencies haven’t even had to worry about complying with the information privacy principles everyone else has to comply with (except for 6 and 7 which provide for your access and correction rights, and 12 which is about unique identifiers).

Neither the Law Commission in its review of the Privacy Act in 2011, nor the Cullen/Reddy review recommended changing that position. However, my office continued to advocate for the agencies to be subject to a greater range of privacy principles.

As a result, the government has agreed that the intelligence and security agencies should be exempt only from principles 2, 3 and 4(b). I’ll be taking that up with the Select Committee, but the Bill as introduced represents a significant advance. Principles will have exceptions to allow the agencies to carry out their statutory functions, and I want to look at whether those are sufficiently clear to ensure the application of the privacy principles will be meaningful. I’d like to have seen a link to a more clearly defined imperative to protect national security, but we’ll keep working on it, and see if we can come up with something workable for the committee to consider.

The fact that the agencies will be subject to nine of the 12 privacy principles means that my office will play a greater role in the oversight of the agencies, and concerned individuals will have a right to make complaints about a wider range of activities. I’ll work out with the Inspector-General which cases it will make more sense to transfer to her, but again, that represents an improvement on the status quo.

Hasn’t the Inspector General expressed concerns about their own internal data security? Why should we trust them?

The Inspector General has been very active in examining the practices and procedures of the GCSB and NZSIS. Of course she is there to ensure they are complying with the law, but she has increasingly pointed out risks and practices that could be improved, even when they are not unlawful.

Take security vetting for example. The SIS holds very personal and intimate details about thousands of New Zealanders who needed to undergo vetting as a condition of their employment. She has reported on her concerns that vetting information could be used by the Service for unrelated purposes. I share that concern.

The Bill proposes that that information be subjected to protections even more stringent than the Privacy Act, so that is another improvement on what we have at the moment.

So you are a cheerleader after all?

I still wouldn’t say that. There’s lots more for us to study. I want to examine the provisions for giving personal information to overseas agencies, see how different the “whistleblower” protections are and compare the new offences for wrongful communication, retention, or copying of classified information with the current law.

There are already bloggers and commentators condemning and praising the reforms. That’s healthy. Inform yourself, and participate in the discussion. If you think there needs to be greater privacy protection in the reforms, make your submission. I’ll look forward to reading it.


I don’t even have big shoes.

Image credit: EFF Photos via Flickr




  • The fact they have to "consult with the Privacy Commissioner" is meaningless. First you are a government department as well and unlikely to get in their way. Second they can just ignore any recommendations you make. 'consult' is just that, consult no obligations to follow your recommendations if by some chance you do actually make a recommendation they do not like. It is not like you have any real power or can give any orders like you can to private citizens, they can just say "well we consulted, we will need (and fully intended to from the start) ignore any of your concerns." Your sole purpose is to be a mouthpiece for the government, GCSB and NZSIS and make people think there is a privacy watchdog to protect them when there is not. I am guessing this comment will not even see the light of day because it goes against the party line.

    Posted by Lance, 26/08/2016 10:44am (19 months ago)

    The aim of the Office of Privacy Commissioner’s blog is to provide a space for people to interact with the content posted. We reserve the right to moderate all comments. We will not publish any content that is abusive, defamatory or is obviously commercial. We ask for your email address so that we can contact you if necessary to clarify your comment. Please be respectful of authors and others leaving comments.