NZLII Home | Databases | WorldLII | Search | Feedback

Public Interest Law Journal of New Zealand
You are here:  NZLII >> Databases >> Public Interest Law Journal of New Zealand >> 2019 >> [2019] NZPubIntLawJl 8

Database Search | Name Search | Recent Articles | Noteup | LawCite | Download | Help

Kim, Jae --- "The case for reform: a right to (access-based) privacy in the New Zealand Bill of Rights Act 1990" [2019] NZPubIntLawJl 8; (2019) 6 PILJNZ 137

Last Updated: 20 January 2021



(20199) A Right to (Access-Based) Privacy in the NZBORA 1990 137

1317



Public Interest Law Journal of New Zealand

(2019) 6 PILJNZ 137





ARTICLE

The Case for Reform: A Right to (Access-Based) Privacy in the New Zealand Bill of Rights Act 1990

JAE KIM*


In the modern age, with the increased prevalence of and dependence on technology, and the proliferation of surveillance technologies, invasion of privacy now carries unprecedented risks and consequences. New Zealand law does not adequately address this issue. This article proposes the introduction of an express, general, stand-alone right to privacy in the New Zealand Bill of Rights Act 1990. First, it argues that this right should capture the true nature of privacy, as distinct from concepts such as autonomy and liberty. Accordingly, a narrow working definition of privacy, which relates to the notion of exclusion (or desired inaccess), is adopted. Secondly, the article reviews the state of privacy law in New Zealand and internationally. It concludes that there is implicit recognition of a right to privacy, but that for a more coherent and principled development of privacy law, a clear statutory formulation of privacy is desirable. Thirdly, in setting out the case for reform, the article argues that a right to privacy is necessary given developments in technology and the reciprocal need for accountability, protection and vindication of our privacy, especially against the State. And the New Zealand Bill of Rights Act 1990, it is argued, is the most appropriate instrument to contain such a right.






* LLB(Hons), University of Auckland. This article is adapted from a paper the author wrote as a student under the supervision of Paul Rishworth QC in 2018. Therefore, it does not address the latest privacy law updates in detail: see, for example, Privacy Act 2020; and Nessa Lynch and others Facial Recognition Technology in New Zealand: Towards a Legal and Ethical Framework (The Law Foundation of New Zealand, November 2020).

I Introduction

In a world of connectedness, people increasingly value solitude. With the development of increasingly intrusive surveillance technologies and the arrival of Big Data analytics, society is in want of greater protection and enjoyment of privacy. Yet New Zealand does not have an express right to privacy. To date, our privacy laws have been developing in a piecemeal fashion: statutory reform has been fragmented and incomprehensive, and courts have addressed the issue only on a case-by-case basis (as is the nature of the common law). Unfortunately, the law, as it currently stands, does not protect the general concept of privacy in a comprehensive or stand-alone manner; only certain manifestations of privacy are protected.1 This article does not disagree with the Law Commissions conclusion that privacy should be developed in a piecemeal fashion; however, having a stand-alone, statutory right to privacy would ensure future developments of privacy law are coherent and principled—that is my central thesis.
To that end, this article examines the current state of privacy law in New Zealand. It ultimately concludes that change is needed, and advocates for the introduction of a general right to privacy in the New Zealand Bill of Rights Act 1990 (NZBORA). The argument is advanced in three parts. First, Part II addresses the fundamental question: what is privacy? It discusses the nature of privacy as being access-based and identifies exclusion as the common thread underlying all manifestations of privacy. Secondly, Part III then explores privacy protections in New Zealand and comparative jurisdictions. It posits that, in New Zealand, privacy is already treated as a right in effect, and recognising an express right to privacy would bring New Zealand jurisprudence in line with international approaches to privacy. Finally, Part IV outlines the case for reform in New Zealand, and in particular the benefits of such a right in the NZBORA. The article concludes by formulating a draft right to privacy.
Admittedly, this issue and the conclusions drawn are not new. The issue of whether a right to privacy should be introduced into the NZBORA has previously been explored, for example, by Petra Butler.2 She reached the same conclusion that this article hopes to defend. However, this article differs in its definition of privacy. It proposes a narrower definition of privacy, being limited to what is referred to throughout this article as access- based privacy. That difference, I submit, is significant in advancing the case for the inclusion of a right to privacy in the NZBORA.

II What is Privacy?

The concept of privacy is notoriously hard to define.3 This is because the word privacy— however defined—is used to describe a number of different things,4 is prone to being defined overly broadly, and conceptions vary vastly from culture to culture.5 Perhaps unsurprisingly then, there is no overarching definition of privacy in New Zealand (either in
  1. See Law Commission Privacy: Concepts and Issues — Review of the Law of Privacy, Stage 1

(NZLC SP19, 2008) at [4.109]–[4.110].

  1. See Petra Butler The Case for a Right to Privacy in the New Zealand Bill of Rights Act (2012) 11 NZJPIL 213.
  2. Ursula Cheer and Stephen Todd Invasion of Privacyin Stephen Todd (ed) Todd on Torts (8th ed, Thomson Reuters, Wellington, 2019) 977 at 978.
  3. Daniel J Solove Conceptualizing Privacy (2002) 90 CLR 1087 at 1095.
  4. Adam Moore Defining Privacy(2008) 39 Journal of Social Philosophy 411 at 411.


statute or case law). Indeed, as will be discussed later, privacy was omitted from the NZBORA due to difficulties in defining its substance and scope.
Evidently then, a clear formulation of the scope of privacy is a necessary antecedent to an express, general right to privacy. Such conceptual clarity is necessary to ensure the Legislature and the courts develop privacy laws in a coherent and principled way. There are therefore two preliminary tasks: first, to address the nature of privacy and, secondly, to set out the scope of privacy, that is, what the concept entails.

A The nature of privacy

(1) Privacy as a coherent concept


There are varying conceptions of privacy. These can largely be divided into two categories.6 On the one hand, there is the reductionist view that privacy is derivative of other rights, such as life, liberty and property.7 Reductionism contends that privacy is an amalgamation of different rights and interests, not a distinct concept in and of itself. It denies the existence, need and desirability of a right to privacy entirely. Most prominently, Judith Jarvis Thomson argues that all purported privacy claims can be reduced to an interference with a more basic right or interest that is (or should be) already recognised in law, such as trespass of person, property and goods, search and surveillance laws, and breach of confidence.8 For Thomson, to treat privacy as distinct from these basic rights is to muddy and undermine their value. Raymond Wacks took a similar stance in opposing the introduction of a right to privacy into English law.9 For reasons similar to those of Thomson, Wacks denied the need or desirability of recognising privacy as a freestanding right and distinct cause of action.
So, the focus of reductionism is on protecting the manifestations of privacy rather than the general concept of privacy itself. If, as the reductionists say, privacy is no more than an amalgam of its manifestations, then privacy (or its manifestations) should continue to be protected in a fragmented and ad hoc way.10 And there would be no need to identify a common denominator underlying privacy generally. Indeed, as Frederick Davis said, [i]f truly fundamental interests are accorded the protection they deserve, no need to champion a right to privacy arises.”11
One the other hand, coherentism maintains that privacy is a distinct concept related to, but nevertheless distinct from, other basic rights.12 It is the view that there is a coherent core or essence of shared characteristics that link the various manifestations of privacy.13 These include, the right to be let alone, limited access to the self, concealment or control of personal information, personhood, and intimacy.14 This article does not purport to set out some novel theory of privacy or examine each of the above theories in any detail.

  1. Stephen Penk Thinking About Privacyin Stephen Penk and Rosemary Tobin (eds) Privacy Law in New Zealand (2nd ed, Thomson Reuters, Wellington, 2016) 1 at 13.
  2. See Judith Jarvis Thomson The Right to Privacy(1975) 4 Philosophy & Public Affairs 295. 8 At 313.
    1. Raymond Wacks The Poverty of Privacy’” (1980) 96 LQR 73.
    2. See, generally, Patrick OCallaghan Refining Privacy in Tort Law (Springer, Berlin, 2013) at 8–47.
    3. Frederick Davis What Do We Mean by Right to Privacy? (1959) 4 SD L Rev 1 at 20.
    4. Penk, above n 6, at 14.
  3. Law Commission, above n 1, at [2.2] and [2.6]–[2.31]. 14 At [2.6]–[2.31].

However, I do posit that the coherentist view is preferable to the reductionist account for three reasons.
First, New Zealand courts have already implicitly rejected reductionism. Both the minority in the Court of Appeal and Randerson J of the High Court relied on reductionist reasoning in opposing the recognition of a privacy action in Hosking v Runting.15 The court, in ultimately recognising and expanding invasion of privacy as a distinct cause of action, has arguably rejected the reductionist account. New Zealand already acknowledges that privacy, as distinct from its manifestations, is worth protecting in law (common law and statute)—more on this in Part III.
Secondly, the reductionist view, at least that supported by Thomson, requires taking a very broad construction of the basic rights which privacy is said to underlie.16 Ironically, such a broad interpretation of those basic rights may, arguably, equally muddy and undermine their value.
Thirdly, even if the reductionist premise is true, that is, that privacy is a derivative concept, it does not necessarily follow that the individual manifestations of privacy are not or cannot be coherent clusters and therefore still benefit from an overarching right to privacy. As Jeffrey Reiman notes:17

... even if privacy rights were a grab-bag of property and personal rights, it might still be revealing, as well as helpful, in the resolution of difficult moral conflicts to determine whether there is anything unique that this grab-bag protects that makes it worthy of distinction from the full field of property and personal rights.

Either way, the reductionist account does not bar the introduction of a right to privacy in the NZBORA. So, the key issue is not whether privacy is a coherent concept or not, but what the common denominator joining the different manifestations is, as that will naturally inform how a right to privacy might be formulated.
Samuel Warren and Louis Brandeis famously conceptualised privacy as the right to be let alone,18 or non-interference. The principle overarching privacy claims, according to Warren and Brandeis, is that of the inviolate personality—that is, the right to ones personality.19 As noted above, there are other theories such as privacy as limited access to the self, concealment or control of personal information, personhood, and intimacy.20 While there are differences of degree and particulars, there is, I submit, a common tenet of non-interference and inaccess. Indeed, this idea of non-interference and inaccess underlies the various manifestations of privacy recorded, for example, by Daniel Solove:21

... control over personal information, freedom from surveillance, protection of ones reputation, protection from invasions into ones home, the ability to prevent disclosures of facts about oneself, and an almost endless series of other things.

  1. Hosking v Runting [2004] NZCA 34; [2005] 1 NZLR 1 (CA) at [177] per Keith J and [263]–[271] per Anderson J; and

Hosking v Runting [2003] NZHC 416; [2003] 3 NZLR 385 (HC). See also Penk, above n 6, at 14.

  1. See Law Commission, above n 1, at [2.5].
  2. Jeffrey H Reiman Privacy, Intimacy and Personhood(1976) 6 Philosophy & Public Affairs 26 at 28.
  3. Samuel D Warren and Louis D Brandeis The Right to Privacy (1890) 4 Harv L Rev 193. See also Law Commission, above n 1, at [2.7].
  4. Warren and Brandeis, above n 18; and see also Edward J Bloustein Privacy as an Aspect of Human Dignity: An Answer to Dean Prosser (1964) 39 NYU L Rev 962.
  5. Law Commission, above n 1, at [2.6]–[2.31].
  6. Solove, above n 4, at 1095.


William Prosser similarly identifies four heads of privacy in American jurisprudence:
(i) intrusion upon the plaintiffs seclusion or solitude, or into his private affairs; (ii) public disclosure of embarrassing private facts about the plaintiff; (iii) publicity which places the plaintiff in a false light in the public eye; and (iv) appropriation, for the defendants advantage, of the plaintiffs name or likeness.22 Prosser remarks that these four heads have almost nothing in commonother than the fact that each represents an interference with the right to be let alone.23 Stephen Penk also identifies a number of distinct privacy interests: territorial privacy; bodily or physical privacy; information or data privacy;communications and surveillance privacy; privacy of attention; and associational privacy.24 Again, underlying each of these manifestations is the notion of non- interference, exclusion of others and inaccess.25

(2) Privacy as distinct from autonomy


The Law Commission, in its 2008 report, acknowledged the relation between privacy and autonomy, conceptualising privacy as a sub-category of two interconnected core values: autonomy and respect.26 Indeed, that privacy and autonomy are linked is apparent from Warren and Brandeistheory of privacy as non-interference with the inviolate personality. Personal autonomy is the cornerstone of modern democracies; it is the idea of self- determination and self-government. Proper exercise of ones autonomy requires a distinct and self-aware individual.27 Developing self-awareness requires what John Stuart Mill described as experiments in living.28 This experiment requires privacy (non-interference, exclusion, inaccess). Edward Bloustein reasons:29

The man who is compelled to live every minute of his life among others and whose every need, thought, [and] desire ... is subject to public scrutiny, has been deprived of his individuality ... Such a being, although sentient, is fungible; he is not an individual.

In an extra-judicial capacity, Winkelmann J (as she then was), citing German political philosopher, Hannah Arendt,30 noted that privacy is a pre-condition for a society in which diversity and plurality flourishand that [e]xposure of thinking to public scrutiny changes that thinking ... [and] encourages conformity in thought.31 Thus, Winkelmann continued, [p]rivacy supports true autonomy of the individual.32 A timely illustration of this relation is in the increased use of end-to-end encrypted messaging app, Signal, (being privacy) in organising and participating in protests against police brutality in the United States (being

  1. William L Prosser Privacy (1960) 48 CLR 383 at 389. 23 At 389.
    1. Penk, above n 6, at 10–11.
    2. See, generally, Tim Bain The Wrong Tort in the Right Place: Avenues for the Development of Civil Privacy Protections in New Zealand (2016) 27 NZULR 295 at 297.
    3. Law Commission, above n 1, at [3.10]–[3.11].
    4. OCallaghan, above n 10, at 47.
    5. John Stuart Mill On Liberty (eBook ed, Batoche Books, 2001) at 74.
    6. Bloustein, above n 19, at 1003.
    7. Hannah Arendt The Crisis in Educationin Between Past and Future: Six Exercises in Political Thought (Meridian Books, Cleveland, 1963).
    8. Helen Winkelmann, Judge of the Court of Appeal of New Zealand Sir Bruce Slane Memorial Lecture (Victoria University of Wellington, 30 October 2018) at 4.
    9. At 4 (emphasis added).


autonomy).33 It was in this sense that Warren and Brandeis said the recognition of a right to privacy is the next step which must be taken for the protection of the person.34
Two points are notable from the above discussion. First, privacy and autonomy are interrelated. Privacy is valuable in that it furthers personal autonomy. Secondly, privacy and autonomy are nevertheless distinct concepts. Put simply, privacy is a negative right, that is, freedom from unwanted intrusion or access, whereas autonomy is a positive right, that is, freedom to make personal choices and govern oneself.35 So, privacy and autonomy are not synonymous and ought not be conflated. At first, this distinction may seem academic and trivial, but, as will be seen, it is significant.

B Defining privacy

(1) Desired inaccess: freedom from unwanted access


A right to privacy was omitted from the NZBORA due to its uncertain and contentious scope.36 Therefore, a comprehensive, yet sufficiently narrow, formulation of privacy is necessary. Ruth Gavison, like Warren and Brandeis, essentially formulates privacy as relating to non-interference.37 She defines privacy as a limitation of othersaccess to an individual.38 She warns that we must resist the temptation to see privacy as adequately reflected in the law or in reductive accounts.39 In doing so, Gavison reasons that privacy is a complex interplay of secrecy (information about the person), anonymity (attention to the person) and solitude (physical access to the person), but, she continues, the concept of privacy is nevertheless coherent as those three concepts are ultimately a part of the single notion of accessibility.40
Gavisons definition has been criticised as being too broad. Treating any information gathered about a person, physical access to a person or attention paid to a person as a loss of privacy is contrary to the intuitive meaning of privacy.41 This criticism is addressed by Nicole Morehams modified definition of privacy, which includes the element of desire.42 According to Moreham, privacy is:43

... the state of desired inaccess’” or [a] freedom from unwanted access. In other words, a person will be in a state of privacy if he or she is only seen, heard, touched, or found out about if, and to the extent that, he or she wants to be seen, heard touched or found out about.



  1. Amelia Nierenberg Signal Downloads Are Way Up Since the Protests BeganThe New York Times (online ed, New York, 11 June 2020).
  2. Warren and Brandeis, above n 18, at 195.
  3. See, generally, Hyman Gross The Concept of Privacy (1967) 42 NYU L Rev 34 at 44.
  4. See Law Commission, above n 1, at [4.108] and [7.9].
  5. Ruth Gavison Privacy and the Limits of Law (1980) 89 Yale LJ 421. 38 At 428.

39 At 459.

40 At 434.

  1. Raymond Wacks Personal Information: Privacy and Law (Oxford University Press, Oxford, 1993) at 16–18.
  2. N A Moreham Privacy in the Common Law: A Doctrinal and Theoretical Analysis (2005) 121 LQR 628.

43 At 636.


By that definition, something becomes private when a person wishes to exclude others from accessing it; the degree of privacy depends on the degree of desired exclusion.44 In a similar vein, Hyman Gross defines privacy as the condition of human life in which acquaintance with a person or with affairs of his life which are personal to him is limited.45 Indeed, Gross observes that every-day examples as clothes, window blinds, bedroom doors, and filing-cabinet locks begin an indefinitely long list of objects whose use is motivated at least in part by concern for privacy.46
This article posits that a general right to privacy in the NZBORA should be framed as one of desired inaccess—that is, freedom from unwanted access. This definition is not only sufficiently particular but also conceptually consistent, noting the common denominators of non-interference and exclusion. The idea of desired inaccess is also apt in light of privacys relation to personal autonomy.47 Bloustein said that [t]he man who is compelled to live every minute of his life among others ... has been deprived of his individuality;48 however, that is not the case if the manchooses to live every minute of his life among others.

(2) Access-based privacy vs decisional autonomy


Having considered what privacy is, I now turns to what privacy is not. There are broadly two kinds of privacy: informational privacy and decisional privacy.49 The former refers to individuals exercising control over access to information about themselves. It is the notion of privacy as exclusion and inaccess—that is, freedom from. The latter kind refers to the freedom to make ones own decisions on intimate and personal matters without interference. While there is the idea of non-interference, it is, at its core, about self- determination and self-government—that is, freedom to/of.50 I submit that decisional privacyis a misnomer—it is not, in fact, privacy at all, rather it is personal autonomy.
Jill Marshall argues that the two kinds of privacy can be united in that both the freedom to make personal decisions without interference (decisional privacy) and the right to exclude or retreat (informational privacy) are necessary for the development of ones personality.51 However, as argued above, just because there is a relation between the two kinds, it does not mean they are one and the same.52 While privacy is a natural concomitant to personal autonomy, it is itself a distinct concept.53 Uniting the two distorts the nature of
  1. Bain, above n 25, at 297 (emphasis added).
  2. Gross, above n 35, 36. 46 At 36.
    1. Bain, above n 25, at 298. Note: a purely subjective conception of privacy is problematic as it would infringe on the rights of others. This is why the courts have framed the action as involving a reasonable expectationof privacy. Even Moreham acknowledges the need for an objective check should her definition be used in the legal context: Moreham, above n 42, at 643–644.
    2. Bloustein, above n 19, at 1003 (emphasis added).
    3. See Judith Wagner DeCew In Pursuit of Privacy: Law, Ethics and the Rise of Technology (Cornell University Press, Ithaca, 1997) at 61–62.
    4. Katja S Ziegler (ed) Human Rights and Private Law: Privacy as Autonomy (Hart Publishing, Oxford, 2007); and see also H Tomás Gómez-Arostegui Defining Private Life Under the European Convention on Human Rights by Referring to Reasonable Expectation (2005) 35 Cal W Intl LJ 153 at 160.
    5. Jill Marshall Personal Freedom through Human Rights Law?: Autonomy, Identity and Integrity under the European Convention on Human Rights (Martinus Nijhoff Publishers, Leiden, 2009) at 52.
  3. Gross, above n 35, at 42–43. 53 At 39.


privacy as a distinct and coherent concept independent of notions of autonomy. Autonomy and freedom of action does not fit within the privacy definition of desired inaccess or freedom from unwanted access.
Accordingly, this article proposes that the true nature of privacy is access-based (that is, relating to the notion of accessibility). The value of privacy is in allowing people to limit access to information others know about them; it empowers people to maintain the edited character they have chosen to present.54 Invasion of privacy can therefore be reduced to this proposition: improperly getting to know [that is, getting access to] something personal [that is, information, in a broad sense] or making it known to others [that is, facilitating access by others].55 This somethingshould be constructed broadly to include data privacy, communications privacy, spatial privacy and bodily privacy (which are aspects of privacy already recognised in law).
In characterising privacy as such, this article distinguishes it from what has been referred to as decisional privacy (or more properly, decisional autonomy). It is the freedom to make choices and order ones own affairs without regulatory interference. While decisional autonomy is related to access-based privacy, it is not about access; it is not privacy; it is freedom to/of, not freedom from. However, that is not to say that ones decisions cannot be private. A privacy interest may attach to, for example, a persons decision to have an abortion if they desire to keep their decision a secret from others. But, in that case, privacy attaches to the information (that is, the fact of the decision), not the decision itself—privacy, properly conceived, does not confer a right to make the decision. That is not to say that decisional autonomy (or aspects of it) should not be a right contained in the NZBORA—it is simply that such discussions are beyond the ambit of this article.
As Gross says, [i]t is not the nicety of legal theory for its own sake that is of concern, but rather the interest which it serves.”56 Accordingly, I submit that distinguishing access- based privacy and decisional autonomy is advantageous for at least three reasons. First, it is consistent with the coherentist account of privacy as related to, but nevertheless distinct from, autonomy. Secondly, it bypasses the political debate of whether manifestations of decisional autonomy, such as the right to have an abortion, should be contained within the NZBORA. While such discourse is important, it is perhaps a matter best left for independent consideration. Such debate risks unnecessary opposition to the recognition of a right to privacy, overshadowing more intuitive and uncontentious forms of privacy. Thirdly, limiting the definition of privacy to notions of desired inaccess avoids the criticism of an overly-broad definition and uncertain scope which originally hindered the inclusion of a right to privacy in the NZBORA.

C The thesis


Against this background, I consider the Law Commissions conclusion, in its study of privacy, that New Zealands approach to privacy protection should be piecemeal and particularised, not generalised. Where there are demonstrable problems and abuses, intervention should be made, but not otherwise.”57 It does not dispute the Law Commissions conclusion. Rather, the central thesis of this article is that a general right to

  1. James Rachels Why Privacy is Important(1975) 4 Philosophy & Public Affairs 323.
  2. See Gross, above n 35, at 36. 56 At 54.
    1. Law Commission, above n 1, at [3.56]–[3.57].


privacy in the NZBORA would ensure that both Parliaments and the courtspiecemeal development of the law of privacy is coherent and principled.

III Comparative Analysis

In support of the above thesis, this section examines domestic and international approaches to privacy and concludes: (i) the status of privacy in New Zealand is uncertain, inconsistent and confused; (ii) privacy is recognised as a right, whether implicitly or expressly; and (iii) a clear conception and sufficiently particular definition of privacy is needed to ensure privacy laws are developed coherently.

A New Zealand: legislation and common law


To borrow the words of Butler, [a]t present, there is a patchwork of privacy protections from various sources of law in New Zealand.”58 There is no general right to privacy in New Zealand nor is privacy founded in any single source of law. In Brooker v Police, Thomas J summarised the current status of privacy in New Zealand in this way: privacy has not yet been judicially [or legislatively] accorded the status of a right, but it is, at the very least, a fundamental value.59 In his dissent, his Honour continued to set out the case for the recognition of privacy as a right. Elias CJ also described privacy as interests and values,60 but she doubted whether privacy should be treated as a right.
In this sub-section, I consider that characterisation of the current status of privacy in New Zealand law. In particular, I explore two domestic avenues for privacy protection: legislation and the common law. As will be seen, in statute, privacy protections are implicit (being incidental to the protection of other rights) and incomprehensive in scope. Privacy protections in common law are similarly ad hoc and limited in scope. Yet, it is apparent from both sources that the law recognises, to some degree, the importance of protecting privacy.

(1) Legislation

(a) New Zealand Bill of Rights Act 1990


The starting point is that there is no express constitutional guarantee of the right to privacyin the NZBORA.61 However, the Act is not an exhaustive instrument; exclusion from the Act does not abrogate other extant rights.62 According to the White Paper, privacy was omitted from the Bill of Rights as it was still a developing concept and its boundaries were uncertain and contentious.63 Privacy was omitted due to the difficulties in defining its terms, not because it was not worth protection.64

  1. Butler, above n 2, at 217.
  2. Brooker v Police [2007] NZSC 30, [2007] 3 NZLR 91 at [164]. 60 At [37].
    1. Law Commission, above n 1, at [4.87] and [4.89].
    2. New Zealand Bill of Rights Act 1990, s 28.
    3. Geoffrey Palmer A Bill of Rights for New Zealand: A White Paper[1984–1985] 1 AJHR A6 at [10.144].
    4. Hosking v Runting (CA), above n 15, at [92]–[94].


This, however, does not mean that the NZBORA is entirely void of any notion of privacy. While absent from the text of the Bill of Rights, privacy is given form, content and weightin other rights.65 Most notably, privacy, together with notions of property rights in land and goods, is central to the s 21 right to be secure against unreasonable search and seizure.66 Tipping J, in Hosking v Runting, observed that [t]hat right is not very far from an entitlement to be free from unreasonable intrusions into personal privacy.”67 The Supreme Court of Canada made the same point in relation to s 8 of the Canadian Charter of Rights and Freedoms (the right to be secure against unreasonable search and seizure), interpreting the right as including a reasonable expectation of privacy against governmental encroachments.68 La Forest J reasoned that, [g]rounded in mans physical and moral autonomy, privacy is essential for the well-being of the individual. For this reason alone, it is worthy of constitutional protections.69
The notion of privacy is said to given form in a number of other rights, including: s 13, the right to freedom of thought, conscience and religion; s 17, the right to freedom of association; s 10, the right not to be subjected to medical or scientific experimentation; and s 11, the right to refuse to undergo medical treatment.70
I make three observations. First, current privacy protections in the NZBORA fail to recognise privacy as a distinct, coherent right. Secondly, it is nevertheless notable that privacy, or some aspect of it, is already treated as a right. Arguably, it would be a relatively small step to introduce an express, general right. Thirdly, in protecting only some aspects of privacy, privacy protections are incomprehensive and limited. For example, as Thomas J noted, it would seem very strained to view photographs as a form of seizure, or indeed searchunder s 21.71 And while [t]he lack of any express recognition of a right to privacy in the Bill of Rights should not ... inhibit common law developments,72 an express, general right to privacy would encourage such common law (and statutory) developments, and further ensure those developments are coherent and principled.

(b) Privacy Act 1993


Next, there is the Privacy Act 1993, which purports to promote and protect individual privacy.73 However, the Act takes a very narrow view of privacy, being principally concerned with personal information (or data) privacy. Notwithstanding that, Penk notes that the Act is a significant milestone in the evolution of human rights legislation.74 But the Privacy Act is not just a human rights or data protection statute; the Act, in insisting on conforming with the OECD Guidelines, also has the purpose of facilitating data flows,



65 C v Holland [2012] NZHC 2155, [2012] 3 NZLR 672 at [25].

  1. See R v Jefferies [1993] NZCA 401; [1994] 1 NZLR 290 (CA) at 319; and Winkelmann, above n 31, at 7.
  2. Hosking v Runting (CA), above n 15, at [224]. 68 R v Dyment [1988] 2 SCR 417 at 426.

69 At 427–428.

  1. Winkelmann, above n 31, at 7.
  2. Hosking v Runting (CA), above n 15, at [226]. 72 At [226].
    1. Privacy Act 1993, long title.
    2. Stephen Penk The Privacy Act 1993in Stephen Penk and Rosemary Tobin (eds) Privacy Law in New Zealand (2nd ed, Thomson Reuters, Wellington, 2016) 53 at 54–55.


thereby enhancing both government and business efficacy(which potentially conflicts with its data protection purpose).75
The Privacy Act provides a framework for regulating the collection, storage, use and disclosure of personal information. At its core are 12 information privacy principles which agencies must comply with.76 An agency is defined in s 2 as any person or body of persons, whether corporate or unincorporated and whether in the public sector or the private sector. The definition is intentionally broad, but there are a number of significant specified exclusions such as the Sovereign and news media.77 Furthermore, intelligence agencies, that is, the New Zealand Security Intelligence Service (SIS) and the Government Communications Security Bureau (GCSB), are exempt from compliance with principles 1–
5 and 8–11, which relate to the collection, holding, use and disclosure of personal information.78 As discussed in Part IV, that exemption is notable: it means there is little accountability for the State relative to its capacity to intrude ones privacy.
Furthermore, with the exception of the right to access ones personal information when it is held by a public sector agency (principle 6), the privacy principles do not confer any legal right enforceable in a court of law.79 Only principle 6 is enforceable in a court of law; however, in practice, this avenue is seldom elected as individuals usually opt for the cheaper alternative, namely, the Privacy Commissioners complaint resolution process. To explain: a complaint alleging a breach of a privacy principle by an agency is dealt with under a two-tier procedure under pt 8 of the Act.80 First, the complaint must be investigated by the Privacy Commissioner. The Commissioner must then attempt to reach a settlement between the parties. Secondly, failing conciliation, proceedings may be brought before the Human Rights Review Tribunal. The Tribunal has the jurisdiction to grant remedies, including damages.
The Privacy Act regime has, however, been criticised on the basis that the lack of enforceability in the courts, consistent with the Acts emphasis on education, conciliation and reform of privacy-invasive record-keeping practices, leaves complainants with little or no meaningful remedy.81 The statute is more a nuanced approach to protection of privacy in personal information balanced against competing interests that may outweigh the individuals privacy interest.82
Additionally, I note four further significant issues with the Privacy Act. First, it does not proffer any definition of what privacy is. Secondly, its scope is limited to personal information, excluding other forms of privacy such as intrusion into seclusion. Of course, the Act is not a code and does not exclude the operation of the common law.83 However, it is significant that the Act does not provide comprehensive protection of privacy. Thirdly, in bringing an action under the Act, the plaintiff must show that the defendants act or omission was a contributing cause to the loss or harm in the sense that it constituted a
  1. Rodger Haines Damages for Interference with Privacy Under Statute: The New Zealand Privacy Act 1993in Jason N E Varhaus and N A Moreham (eds) Remedies for Breach of Privacy (Hart Publishing, Oxford, 2018) 349 at 349.
  2. Privacy Act, s 6.
  3. Section 2(1)(b)(xiii)
  4. See John Edwards and Paul Roth Privacy Law — Where are we now?(New Zealand Law Society Continuing Legal Education Seminar, May 2013) at 11. See also Privacy Act, s 27(1).
  5. Privacy Act, s 11(2).
  6. See Haines, above n 75, at 355–356.
  7. Penk, above n 74, at 87. 82 At 54.
    1. Privacy Act, s 1.


material cause.84 In other words, the plaintiff must prove (i) loss and (ii) causation. By contrast, the common law action is actionable per se. This is significant given the purpose of a privacy action being principally one of vindication rather than compensation, as will be discussed below. Fourthly, and related to the third, the Act focuses on settlement and speedy resolution of disputes rather than vindication of the complainants right to privacy. At the time of writing, the Privacy Act was under review, and has subsequently been repealed and replaced with new legislation;85 however, the regimes core operation and purposes are unchanged. It follows that the Privacy Act, while commendable in certain aspects, is not a sufficient replacement for a general, stand-alone right to privacy in the NZBORA. Instead, I submit, a general right to privacy will enhance and complement
enforcement of the privacy principles.

(c) Other statutes


New Zealands piecemeal approach to legislating privacy protections is further evident in the following enactments and provisions:
In summary, New Zealands statutory treatment of privacy has three main shortcomings:

(i) privacy is not defined; (ii) there is no express general right to privacy, only aspects of privacy implicit in existing rights; and (iii) there is no privacy right actionable against the State, that is, as a sword rather than merely as a shield.

(2) Common law


The common law, like statute, has yet to recognise a right to privacy. Despite this, two causes of action in tort for invasion of privacy have emerged.
First, in Hosking v Runting, the Court of Appeal majority definitively recognised a separate cause of action in New Zealand for invasion of privacy by wrongful publicity of private facts.86 That case involved the publication of photographs taken of the twin daughters of Mike Hosking (a public figure) in public. Mr Hoskings appeal was ultimately dismissed on the facts. Notably, however, Gault P, Blanchard and Tipping JJ, making up the majority, observed that the New Zealand Courts have, to a greater or lesser extent, already espoused a separate tort to protect privacy interests.”87 The Court expressly left open the scope of the tort of invasion of privacy, noting that [n]o court can prescribe all the boundaries of a cause of action in a single decision ... [t]he cause of action will evolve through future decisions.”88 That would indeed prove to be the case.

  1. Section 66; and Haines, above n 75, at 358.
  2. Privacy Act 2020.
  3. Hosking v Runting (CA), above n 15.
  4. At [247] per Tipping J and [78]–[85] per Gault P and Blanchard J. 88 At [118].

Secondly, in C v Holland, Whata J expanded the scope of the invasion of privacy tort to include intrusions upon seclusion.89 That case involved a surreptitious visual recording of the plaintiff while she was showering. Significantly, there was no publication or intention to publish the recording. In recognising an action for intrusion upon seclusion, his Honour noted that New Zealands legal landscape is not devoid of consideration of protection of privacy from intrusionas opposed to publication,90 noting, as an example, s 21 of the NZBORA.91

(a) The torts as access-based privacy


I submit that both causes of actions can be characterised as formulations of access-based privacy—that is, the plaintiffs ability to exclude others from access to something about himself or herself. Obviously, the publicity of private facts action recognised in Hosking controls access to private facts by the general populace. The intrusion into seclusion action in C v Holland is more difficult to fit within the access-based framework. However, at its core, the action is concerned with excluding undesired parties, as distinct from the public at large, from accessing private spaces and affairs or activities exercised therein. Evidently, although the actions are framed in different ways and consist of different elements, the two are ultimately about protecting desired inaccess. Indeed, Thomas J in the recent case of Henderson v Walker observed that Whata Js decision in C v Holland can be considered an incremental development of the principles enunciated in Hosking v Runting, underpinned by the concepts of autonomy and dignity.”92 The Judge commented that a private affair (C v Holland) is arguably information (Hosking), and that the two actions are not so distinct93—they are held together by the underlying notion of access-based privacy, which is necessary for the furtherance of, but ultimately distinct from, personal autonomy. In the end, the torts fit the access-based framework discussed above of improperly getting to know (access) something personal (information) or making it known to others. Accordingly, her Honour extended the tort to providing private information to third parties without authorisationnot involving widespread publicity.94

(b) A right in effect


Notwithstanding the common law developments, judicial considerations of privacy mimic the legislative reluctance to expressly recognise a right to privacy. However, I submit that, in effect, case law treats privacy as a right.
First, Tipping J in Hosking referred to privacy as a value; however, he nonetheless thought that privacy could, in certain circumstances, outweigh the rightto freedom of expression.95 Furthermore, Anderson J similarly noted that privacy claims are not about competing values, but whether an affirmed right is to be limited by a particular manifestation of a value.96 The judges are effectively saying that while there is no express right to privacy, privacy may nevertheless displace express NZBORA rights such as

89 C v Holland, above n 65. 90 At [22].

91 At [25].

92 Henderson v Walker [2019] NZHC 2184 at [215]. 93 At [215].

94 At [215]–[216].

  1. Hosking v Runting (CA), above n 15, at [237].
  2. At [266] (emphasis added).


freedom of expression. Arguably, privacy is already treated as a right and, therefore, an express legislative right would not be out of place or extraordinary.
Secondly, the actions for invasion of privacy further support this point that privacy is already treated as a right, in effect. Penk illumines that the existence of legal rights is marked by the availability of legal remedies for their enforcement.97 Legal protections generally take one of two forms: a rights-based or loss-allocation framework.98 Rights- based actions are actionable per se (that is, without proof of harm); the purpose is to vindicate the plaintiffs right. Loss-allocation actions, on the other hand, require proof of harm; the purpose here is to compensate the plaintiff for the harm suffered. Neither of the two privacy actions require tangible loss; the harm is the invasion of privacy itself. The common law privacy actions appear to adopt a rights-based framework. This is evidenced, for example, in the fact that the remedies for invasion of privacy are usually injunctions rather than damages, that is, to cease the breach of the right or interest protected; the breach itself being the harm done.99
So, I submit, Thomas J was correct in observing that privacy has not yet been accorded the status of a right. I also agree with his Honour that I favour regarding privacy as an existing right which has not been abrogated or restricted by reason only that it has not been expressly referred to in the [NZBORA].100 However, this is a matter best suited for Parliament to address, not the courts—as the supreme law-making body, it is desirable for the Legislature to take charge in recognising, and defining the scope of, a right to privacy. While it is desirable for the courts to continue the development of the law of privacy (given its reactive and flexible nature), there is a case to be made that the Legislature should introduce an express statutory right to privacy generally to cure judicial inconsistencies as to the true nature and treatment of privacy, and to guide future development of privacy as a legal concept.

B International: the Universal Declaration of Human Rights


Internationally, the concept of privacy was first recognised as a human right under the Universal Declaration of Human Rights (UDHR).101 Article 12 provides:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.


The UDHR expresses privacy alongside related manifestations of privacy such as the home (spatial privacy) and correspondence (communications privacy). This is significant as it recognises not only a general right to privacy but also specific manifestations, or kinds.
The International Covenant on Civil and Political Rights (ICCPR) also recognises a right to privacy; it imported the UDHRs provisions.102 The United Nations Convention on the

  1. Penk, above n 6, at 23–26.
  2. See Law Commission, above n 1, at [3.38].
  3. Rosemary Tobin The Common Law Tort of Invasion of Privacy in New Zealandin Stephen Penk and Rosemary Tobin (eds) Privacy Law in New Zealand (2nd ed, Thomson Reuters, Wellington, 2016) 89 at 109.
  4. Brooker v Police, above n 59, at [164].
  5. Universal Declaration of Human Rights GA Res 217A (1948) [UDHR].
  6. International Covenant on Civil and Political Rights 999 UNTS 171 (opened for signature 16 December 1966, entered into force 23 March 1976) [ICCPR], art 17.


Rights of the Child (UNCROC) also employs words nearly identical to the UDHR in recognising a privacy right.103
New Zealand is committed to the obligations set out in these instruments. It has ratified both the ICCPR and UNCROC, and it voted in favour of the UDHR. In particular, the long title of the NZBORA expresses a commitment to the ICCPR. While the conventions have not been fully incorporated into domestic law, New Zealand has indicated its commitment to the rights entailed via the act of ratification. And New Zealands international obligations should not be ignored simply because they have not been domestically incorporated.104 The international instruments provide an important interpretative tool to hold the government accountable. Yet none of those conventions define privacy or confer an actionable right against the State—the lacuna remains.

C European Union: the European Convention on Human Rights


The European Convention on Human Rights (ECHR) contains an express right to a private life. Article 8 reads:

Right to respect for private and family life

  1. Everyone has the right to respect for his private and family life, his home and his correspondence.
  2. There shall be no interference by a public authority with the exercise of this right ...

I make three observations about art 8 of the ECHR: (i) it does not mention privacy, only a private life; (ii) the right is respect forones private life; and (iii) there shall be no interference by a public authorityas opposed to other private citizens.

(1) Private life


It is generally accepted that the art 8 reference to a private life confers a right to privacy. However, there is no indication of what amounts to a private life. The European Court of Human Rights (ECtHR) interprets private lifeas a broad term encompassing, inter alia, aspects of the individuals physical and social identity including the right to personal autonomy [and] personal development.105 The ECtHR has described the notion of personal autonomy as being the principle underlying its interpretation of art 8; notably, the Court did not mention privacy.106 The Court reasoned in this way despite the fact that there was no precedent explicitly recognising a right to personal autonomy or self- determination as being contained in art 8.
As discussed in Part II, privacy and personal autonomy are related but distinct concepts which ought not to be conflated. The ECtHRs formulation of the scope of a private life is problematic and departs from the theory of privacy as exclusion. In broadening the net of the private life to include notions of self-determination, the ECtHR has converted the right to privacy to a right to autonomy. In doing so, it distorts the nature and value of privacy.

  1. Convention on the Rights of the Child 1577 UNTS 3 (opened for signature 20 November 1989, entered into force 2 September 1990), art 16.
  2. See Tavita v Minister of Immigration [1993] NZCA 354; [1994] 2 NZLR 257 (CA) at 266.
  3. Tysiac v Poland (2007) 45 EHRR 947 (ECHR) at [107].
  4. Pretty v United Kingdom [2002] ECHR 427; (2002) 35 EHRR 1 (ECHR) at 35–36.

(2) Respect for


This distortion of privacy is further evident in the ECtHRs interpretation of respect for. The Court observed that the purpose of art 8 is to protect individuals from arbitrary interference by public authorities; however, in addition to this primarily negative undertaking, there may be positive obligations inherent in an effective respect for private or family life.107 In other words, art 8 imposes positive obligations on the State. This is contrary to the theory of privacy as exclusion (freedom from), which requires only inaction or non-interference.

The point is made in Von Hannover v Germany.108 There, Princess Caroline of Monaco

succeeded in her art 8 claim against Germany. The ECtHR found Germany to have violated the provision by allowing photographs of the Princess to be published. The photographs showed her enjoying everyday activities in public. The State did not take the photographs; instead, the Princessclaim was that there was a lack of adequate State protection of her private life. That is, the State had failed to meet its positive obligations to protect her right to a private life. Again, the ECtHR has erroneously and unfortunately conflated the concepts of privacy and autonomy.

(3) Public authority


Notwithstanding its misguided characterisation of privacy, the Convention should be commended for creating a privacy right actionable against the State (interference by a public authority). This provision is reflected in the Human Rights Act 1998 (UK) where s 6(1) provides that it is unlawful for a public authority to act in a way which is incompatible with a Convention right. Subsection (3) sets out the meaning of public authorityto include pure public authorities and authorities which are considered public only when performing a public function.109 Section 7(1) crystallises the right to bring a claim against public authorities for breaches of rights.
This is a significant development. It contrasts with New Zealands privacy regime which lacks a right to privacy actionable against the State—the significance of this lacuna is discussed in Part IV, particularly in relation to State surveillance powers.

D United States: the Constitution


In modern American constitutional theory, the word privacy and the legal concept of a right to privacy are associated with the landmark Supreme Court ruling in Griswold v Connecticut.110 The case resulted in the striking down of a state criminal statute prohibiting the use of contraceptives, even by married couples, on the grounds of privacy. With respect, however, the 7-2 majority failed to provide an explicit Constitutional basis for the recognition of a right to privacy. The Constitutions text is silent as to privacy. The Supreme Court later justified, in Roe v Wade, its decision on the grounds of liberty, supplanting its previous reliance on privacy.111 That case involved a statute outlawing abortion unless the
  1. Airey v Ireland [1979] ECHR 3; (1979) 2 EHRR 305 (ECHR) at [32].
  2. Von Hannover v Germany [2004] 21 EMLR 379 (ECHR).
  3. See Duncan Fairgrieve and Dan Squires The Negligence Liability of Public Authorities (2nd ed, Oxford University Press, Oxford, 2019) at [7.07].
  4. Griswold v Connecticut [1965] USSC 128; 381 US 479 (1965).
  5. Roe v Wade [1973] USSC 43; 410 US 113 (1973); and David J Garrow Privacy and the American Constitution (2001) 68 Social Research 55.


womans life was at risk. The challengers claimed, inter alia, that the statute violated their right to privacy.
Gross suggests that both Griswold and Roe erroneously conflate the distinct concept of privacy and liberty (or autonomy).112 This confusion is evident in modern commentary on the cases. Elizabeth Foley, for example, remarked that a right to privacy is mischievously narrowand that employing the shibboleth privacyinstead of libertyinherently narrows individual rights rather than expands them.113 Similarly, Mary Ziegler observed that the above two decision[s] mostly played a part in broader set of claims involving self-determination and personal libertybefore continuing to speak of the right to privacy.114 Ziegler asserted that Roe also hinted that privacy was a matter of choice or decision making rather than seclusion [or, as this article adopts, desired inaccess].”115 Such an approach misconstrues the nature and value of privacy and should be avoided when conceptualising a right to privacy (in the true and narrow access-based sense).
The American jurisprudence, as with the European approach, demonstrates the need for a clear and coherent conception of privacy before seeking to develop a stand-alone right to privacy. An express and sufficiently particular right to privacy not only captures what should be protected under the umbrella of privacy, but naturally also identifies what does not fall within its scope.

IV The Case for Reform

Against that background, this final section advances the case for reform in three parts: (i) identifying the need for enhanced privacy protections in the modern age; (ii) discussing why the right to privacy should lie in the NZBORA and not some other instrument; and (iii) formulating a draft right to privacy.

A An unsatisfactory status quo

(1) Gleanings from Parts II and III


The case, so far, for an express, general right to privacy can be reduced to six points:

  1. Gross, above n 35, at 40–46.
  2. Elizabeth Price Foley Liberty for All: Reclaiming Individual Privacy in a New Era of Public Morality

(Yale University Press, New Haven, 2006) at 2–3.

  1. Mary Ziegler Beyond Abortion: Roe v Wade and the Battle for Privacy (Harvard University Press, Massachusetts, 2018) at 17 (emphasis added).

115 At 30.


The above six points should be read in light of the following shortcomings of the current state of privacy law in New Zealand:

(2) Privacy issues in the modern age


That final point is evident in Edward Snowdens disclosures in relation to the National Security Agency (NSA).116 The NSA files, together with more recent events such as the 2018 Facebook and Cambridge Analytica fiasco,117 where Cambridge Analytica used personal data obtained from Facebook to influence the public, including during the 2016 US Presidential election, demonstrates and justifies the publics concerns in relation to their privacy. Privacy is increasingly at the forefront of public attention. In 2018, the Privacy Commissioner noted that 55 per cent of all New Zealanders were more concerned with individual privacy that they were in the preceding years.118 Thomas J observed, in the Supreme Court, that to recognise privacy as a right is simply to bring legal discourse into harmony with an established and fundamental community value.119
These frightening demonstrations of State and corporate surveillance capabilities are not simply tales from afar. The NSA files reveal the mass surveillance powers of States,
  1. See Glenn Greenwald NSA collecting phone records of millions of Verizon customers daily The Guardian (online ed, United Kingdom, 6 June 2013); and Ewen Macaskill and Gabriel DanceNSA Files: DecodedThe Guardian (online ed, United Kingdom, 1 November 2013).
  2. See Carole Cadwalladr and Emma Graham-Harrison Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breachThe Guardian (online ed, United Kingdom, 17 March 2018).
  3. Privacy concerns on the rise — public survey(7 May 2018) Privacy Commissioner

<www.privacy.org.nz>.

  1. Brooker v Police, above n 59, at [225].


including New Zealand, and the lack of transparency on the issue.120 Domestically, Cheryl Gwyn, former Inspector-General of Intelligence and Security, confirmed that the GCSB had conducted bulk data collections in the Pacific, including communications by New Zealanders.121 While she concluded that the GCSBs collection was legal, I submit there are at least three reasons to remain vigilant.
First, the GCSBs bulk collections may inadvertently breach ones privacy. Gwyn acknowledges that bulk collections inherently involve[s] acquisition of some non-targeted communications.122 The process is: the GCSB collects bulk data; the data is searched using selector terms; the specific information resultant from those targeted searches was considered collected.123 While the Bureau can only retain information related to its purpose, the scale of mass searches means that inadvertent breaches of privacy are inevitable; in fact, Gwyn identified two such breaches.124 So, the legality of the GCSBs collections does not mean there were no privacy breaches.
Secondly, modern technologies enhance the potential for more intrusive and insidious breaches. One only needs to observe China to see the creeping shadow of a dystopian surveillance State.125 China is supposedly racing to implement a system of algorithmic surveillance, referred to as a citizen score, to incentivise good behaviour. A more recent example is South Koreas response to Covid-19, which includes implementing a system to track infected patients and publish their travel online anonymously—a measure that requires sift[ing] through credit-card records, CCTV footage, mobile-phone location services, public-transport cards and immigration records to pin down the travel histories of those infected or at risk.126
New Zealanders have a relatively high level of trust in the Government,127 and there are currently reasonable statutory limitations on New Zealand State intelligence and surveillance activities. But what if something changes?128 Governments change; policies change. It would be dangerous for such a change to occur under the radar and without opportunity for proper public scrutiny. Moreover, there are also disparities in trust, with Māori having comparatively low levels of trust in Government.129
Furthermore, it is not just intelligence agencies, but also the Police, who pose a threat. Indeed, there have been concerns of the quiet creep of facial recognition systems into
  1. David Fisher John Key, mass surveillance and what really happened when Edward Snowden accused him of spyingThe New Zealand Herald (online ed, Auckland 28 November 2017).
  2. Cheryl Gwyn Complaints arising from reports of Government Communications Security Bureau intelligence activity in relation to the South Pacific, 2009–2015 (Office of the Inspector-General of Intelligence and Security, 4 July 2018).

122 At [25.1].

  1. See David Fisher How the GCSB collects information about Kiwis through spying on the Pacific
  2. Gwyn, above n 121, at [64] and [128].
  3. Anna Mitchell and Larry Diamond Chinas Surveillance State Should Scare EveryoneThe Atlantic (online ed, Boston, 2 February 2018).
  4. Eun-Young Jeong South Korea Tracks Virus PatientsTravels — and Publishes Them Online

The Wall Street Journal (online ed, New York, 16 February 2020).

  1. Michael Macaulay Public Trust Survey 2018: Greater trust in Government(6 July 2018) Transparency International New Zealand <https://transparency.org.nz>. See also Simon Chapple and Kate Prickett Who do we trust in New Zealand?: 2016 to 2019 (Institute of Governance and Policy Studies, Victoria University of Wellington).
  2. See, for example, Matt Bartlett Covid-19 mass surveillance terrifying for the future(23 April 2020) Newsroom <https://newsroom.co.nz>.
  3. Trust in political system low among Māori, Stats NZ survey findsThe New Zealand Herald

(online ed, Auckland, 26 January 2018).



New Zealand life.130 Concerningly, even the Privacy Commissioner was left in the dark regarding the Polices new facial recognition system.131
Notably, the issue is not simply: do we trust our Government?132 Surveillance technologies and collected data are often shared or stored in offshore servers. The Australian CovidSafe contact-tracing app is an example. There are concerns that should a trans-Tasman bubble open following the Covid-19 lockdown, New Zealanders may be required to sign up to CovidSafe. Technically, data collected via CovidSafe is accessible only by Australian health authorities. However, the data is stored on a central server operated by US tech company, Amazon, and privacy pundits have expressed concerns that the data could fall into the hands of US law enforcement agencies.133
Thirdly, more than just data is on the line. Metadata (data that describes data) can be used to gather information as to who a person is meeting, at what time and where. Stewart Baker, former NSA General Counsel, noted: Metadata absolutely tells you everything about somebodys life. If you have enough metadata you dont really need content.”134 So, bulk data collections are not only about information or data privacy; it equally impacts associational privacy, communications privacy and spatial privacy. The technological capability to extrapolate more information from existing bits of information is exemplified in reverse location searches, also known as Google geofence warrant searches—The warrants, which draw on an enormous Google database employees call Sensorvault, turn the business of tracking cellphone userslocations into a digital dragnet for law enforcement.135
The surveillance and tracing technologies are useful, for example, in keeping a pandemic at bay or catching criminals. However, one must be wary of how such technologies, intended for good, can result in ill. The public is rightly concerned. An express right to privacy would be a step in the right direction; an indication that privacy is worth protecting and should be considered when using such technologies.

B Why the NZBORA?


For the above reasons, an express right to privacy is necessary and desirable. But why should such a right be contained in the NZBORA and not some other Act?


  1. George Block The quiet creep of facial recognition systems into New Zealand life(1 January 2020) Stuff <www.stuff.co.nz>.
  2. George Block Police facial recognition: Privacy commissioner not consulted on new system (8 December 2019) Stuff <www.stuff.co.nz>; Mackenzie Smith Police trialled facial recognition tech without clearance(13 May 2020) Radio New Zealand <www.rnz.co.nz>; and Mackenzie Smith Police searched for suspects in unapproved trial of facial recognition tech, Clearview AI (15 May 2020) Radio New Zealand <www.rnz.co.nz>.
  3. See, generally, Guyon Espiner and John Daniell NZs independence from Five Eyes has slipped
  4. Jenni McManus Privacy fears with trans-Tasman bubble(29 May 2020) Auckland District Law Society <https://adls.org.nz>.
  5. Bruce Schneier NSA Doesnt Need to Spy on Your Calls to Learn Your SecretsWired (online ed, San Francisco, 25 March 2015).
  6. See Jennifer Valentino DeVires Tracking Phones, Google Is a Dragnet for the PoliceThe New York Times (online ed, New York, 13 April 2019); and Deanna Paul Alleged bank robber accuses police of illegally using Google location data to catch himThe Washington Post (online ed, Washington DC, 22 November 2019).

(1) Balancing exercise


First, the right to privacy would have equal standing to other, contending rights contained in the NZBORA. Section 5 of the NZBORA provides that the rights and freedoms contained in the Bill of Rights may be subject only to reasonable limits. What is reasonable requires a balancing of the competing rights and interests. As aforementioned, the current state of privacy is incoherent. The privacy cases use the terms rights, values and interests to describe privacy but fail to clearly delineate the differences; the terms are effectively used synonymously. In C v Holland, for example, privacy was referred to as an interestand later, in the same judgment, as a legal value, with no distinction being drawn between those terms.136 For present purposes, it suffices to say that rights enjoy a higher status under the NZBORA framework than interests or values.137 The approach to date treats privacy as a limitation, for the purposes of s 5, on rights expressed in the NZBORA.
Privacys chief adversary is, arguably, the right to freedom of expression, that is, the freedom to seek, receive and impart information and opinions of any kind in any form.138 While s 28 clarifies that rights not included in the NZBORA are not abrogated, the wording of s 5 is significant: the justified limitation analysis is with regard to the rights and freedoms contained in this Bill of Rights. According to the Law Commission, this means rights and freedoms contained in the NZBORA are given greater weight than those excluded, notwithstanding s 28.139 Indeed, Elias CJ had doubts about whether it is open to the courts ... to adjust the rights enacted by Parliament by balancing them against values not contained in the [NZBORA].140 And again, Tipping J has previously described freedom of expression as having a head startover privacy.141 In other words, if privacy is not an express right in the NZBORA, it will ordinarily be outweighed by freedom of expression concerns. It is also notable that the rights preserved in the NZBORA, although principally designed to operate between citizen and State, are to be given appropriate consideration by courts when regulating relationships between citizen and citizen.142 It is therefore imperative that a right to privacy be recognised specifically in the NZBORA.

(2) Declaration of inconsistency


Secondly, courts may declare statutes to be inconsistent with the right to privacy, providing public accountability. While the NZBORA does not contain an express statutory authority to award damages for breaches of the rights and freedoms contained within it, two remedies have developed through the common law for breaches of the NZBORA. The first of these is a declaration of inconsistency.
Declarations of inconsistency are a relatively recent development. In Attorney-General v Taylor, the Supreme Court determined that the senior courts have the power to declare
that an Act of Parliament is inconsistent with the NZBORA.143 This represents a significant

  1. C v Holland, above n 65, at [22] and [25].
  2. Sarah Wilson Privacy: Right, Value or Fundamental Interest?(2013) New Zealand Centre for Human Rights Law, Policy and Practice at 2.
  3. New Zealand Bill of Rights Act, s 14.
  4. Law Commission, above n 1, at [4.89].
  5. Brooker v Police, above n 59, at [40].
  6. Hosking v Runting (CA), above n 15, at [234]; and Winkelmann, above n 31, at 13.
  7. Hosking v Runting (CA), above n 15, at [229].
  8. Attorney-General v Taylor [2018] NZSC 104, [2019] 1 NZLR 213.


development in New Zealands constitutional arrangement.144 However, apart from its constitutional significance, commentators wonder whether the declarations have any real force. The answer, I submit, is both Yes and No.
No, because Parliament is still the supreme law-making body in New Zealand. The NZBORA is not an entrenched super-constitution like, for example, the US Constitution. Therefore, courts cannot invalidate legislation by reason of it being inconsistent with the NZBORA. In theory, Parliament can repeal the NZBORA altogether as it can any other statute. Similarly, Parliament can choose to ignore a courts declaration of inconsistency. This was the initial reaction of the Minister of Justice at the time the declaration was made in relation to prisoner voting rights: The Government has no current plans to introduce legislation allowing prisoners to vote.”145
Yes, because declarations have a practical effect. First, it vindicates the right being abridged, thereby recognising and respecting the importance of the right. It is a public declaration, both to the citizens and to Parliament, of the importance of the NZBORA and the rights and freedoms therein. Secondly, it demands that Parliament justify in a public domain the reasonableness of its rights-restricting legislation.146 Regardless of whether Parliament responds or not, the importance is in the demand itself. In a democracy, Parliament is answerable to the public. In making a declaration of inconsistency, the courts initiate that dialogue; it is for the public to follow up and hold the Legislature accountable. The practical consequence of a declaration is the mobilisation of the public and drawing of public scrutiny to Acts of Parliament. Thirdly, with the introduction of the New Zealand Bill of Rights (Declarations of Inconsistency) Amendment Bill, a more rigid mechanism for the Government considering and responding to declarations of inconsistency may potentially be implemented. The objective of the Bill being to help provide a mechanism for the Executive and House of Representatives to consider, and, if they think fit, respond to, a declaration of inconsistency.147
If a right to privacy were introduced into the NZBORA, then an individual may challenge whether certain statutes are consistent with the right to privacy. The remedy of a declaration would guard against unreasonable statutory powers relating to, for example, the States intelligence and surveillance operations and technologies. The effect being that either Parliament amends the inconsistency or the publics scrutiny is invited; thus, privacy would be protected, either in the court of law or of public opinion.

(3) Baigent damages


Thirdly, NZBORA rights are actionable against the State, providing legal accountability. One of the deficiencies of New Zealands current privacy framework is that there is no general right to privacy actionable against the State. The right to be secure against unreasonable search and seizure, for example, is actionable against the State only to the extent that improperly obtained evidence may be excluded under s 30 of the Evidence Act 2006; it is

  1. Andrew Geddis “‘Declarations of Inconsistencyunder the New Zealand Bill of Rights Act 1990 (19 June 2017) UK Constitutional Law Blog <https://ukconstitutionallaw.org>.
  2. Letter from the Hon Amy Adams (Minister of Justice) to Marion Sanson (New Zealand Council for Civil Liberties) regarding Prisoner voting (2 December 2015).
  3. Olga Ostrovsky Declarations of inconsistency under the New Zealand Bill of Rights Act [2015] NZLJ 283 at 286.
  4. See Bill allows declaration of inconsistency with NZBORA(18 March 2020) New Zealand Law Society <https://lawsociety.org.nz>.


a shield, not a sword. And in the modern world, as discussed above, the State is one of the greatest (potential) threats to individual privacy.

(a) Difficulties with public authority liability in private law


The prevalent paradigm in public authority liability law in New Zealand is the equality principle.148 This principle is that public authorities should be held liable in the same way as private individuals; the rule of law demands that the law treat everyone alike.149 Section 6 of the Crown Proceedings Act 1950 provides for direct Crown liability for torts committed by its servants if the act or omission complained of would have given rise to a cause of action in tort independent of the Act.
The conditions of direct Crown liability pose a significant hurdle to suing the Crown for breaches of privacy. There are two torts for invasion of privacy. Taking the example of inadvertent retention of data from a bulk collection by the GCSB, it is difficult to frame retention of personal information under the two privacy torts. There is no publication, so the Hosking tort does not apply; there is no intrusion into seclusion (in a spatial) sense, so the C v Holland tort also does not apply. Alternatively, one might consider negligence. However, the difficulty there is that courts have generally been hesitant to recognise a common law duty of care for public authorities.150 Similarly, breach of a statutory duty is unlikely to succeed. Section 3 of the Intelligence and Security Act 2017 sets out the purposes in general terms such as democratic oversightand appropriate safeguardswithout mention of privacy. Also, perhaps more relevant is the fact that the tort of breach of statutory duty is rarely successful and does not create common law duties and therefore does not assist the negligence claim.151 Therefore, there are difficulties in establishing direct Crown liability in private law.
For information privacy, the Privacy Act may seem an appropriate alternative avenue for bringing a claim, especially as the Act defines agency to include public agencies. But that is not the case. As aforementioned, the Act contains numerous exemptions to the application of the privacy principles. First, s 55 excludes personal information in the course of transmission; the GCSBs prime method of data collection is to collect it via satellites while in transmission. Secondly, s 57 exempts intelligence and security agencies from privacy principles 2, 3 and 4(b). Principle 4(b) states that:

Personal information shall not be collected ... (b) by means that, in the circumstances of the case, — (i) are unfair; or (ii) intrude to an unreasonable extent upon the personal affairs of the individual concerned.


The GCSB is exempt from this principle. The GCSB is subject to only part of the Privacy Act. And while the 2019 GCSB Annual Report states that the GCSB completed 31 Privacy Act requests, (i) it is unclear how many responses involved the Neither Confirm Nor Denyresponse and (ii) an action for interference with the privacy of an individual is not the same as an information privacy request. Accordingly, the Privacy Act does not remedy the lacuna State accountability for breaches of privacy.
  1. Chris Curran, Dean Knight and Geoff McLay Liability of Public Authorities(New Zealand Law Society seminar, June 2009) at 1.

149 At 1–2.

  1. Hanna Wilberg Defensive Practice or Conflict of Duties? Policy Concerns in Public Authority Negligence Claims (2010) 126 LQR 420.
  2. Curran, Knight and McLay, above n 148, at 15.

(b) The solution of a public law remedy: Simpson v Attorney-General


In the landmark decision of Simpson v Attorney-General (Baigents Case), the Court of Appeal affirmed the courtspower to award damages for breaches of the NZBORA despite the absence of any express statutory authority.152 This is the second of the two NZBORA remedies mentioned above. Baigents Case concerned an unlawful execution of a valid search warrant. The Police executed a lawfully-obtained warrant at the wrong address; they continued to search the property despite knowing that it was the incorrect address. The wrongfully-searched party sued the Crown for breach of the s 21 right to be secure against unreasonable search and seizure.
The action for breach of the NZBORA takes a novel form of public authority liability which can be brought only against the Crown.153 The Crowns liability is characterised as direct liability in public law founded in the NZBORA rather than vicarious liability in tort for the acts or omissions of its servants.154 Therefore, the action is unaffected by statutory immunities and s 6 of the Crown Proceedings Act.155
The application of these principles in the privacy context is demonstrated by Kim Dotcoms proceedings against the GCSB.156 Dotcom alleged a breach of s 21 as well as bringing concurrent tort claims in negligence and breach of privacy.157 The Court dismissed the Crowns objections to the Baigent claim, allowing the application to be heard; however, the matter was subsequently settled.158 While the proceedings did not reach judgment (and therefore remains untested), the case is a timely illustration of how the pursuit of Baigent damages might fortify protections for NZBORA rights.
Furthermore, Baigent damages are a public law remedy and therefore serve a different function to private law remedies.159 This issue was examined by the Supreme Court in Taunoa v Attorney-General, where prisoners challenged their treatment under a Behaviour Management Regime.160 The Regime saw dangerous prisoners confined to their cells for prolonged periods to encourage good behaviour. The prisoners challenged this as a breach of their rights under ss 9 and 23(5) of the NZBORA. For present purposes, it is the Courts discussion of the function of public law remedies that is of interest. It is well- known that the purpose of private law remedies is to compensate the plaintiff for losses suffered. In tort, it is to put the plaintiff in the position they would be in but for the tort. The Supreme Court noted that the primary function of public law remedies is to vindicate the right breached.161 It continued that a court vindicates a right when it defends and upholds the importance of the right.162
A right to privacy in the NZBORA would amend the deficiencies of the current privacy law actions against the State. The public law Baigent claim seeks to vindicate the right
  1. Simpson v Attorney-General [1994] NZCA 287; [1994] 3 NZLR 667 (CA).
  2. J A Smillie The Allure of Rights Talk: Baigents Case in the Court of Appeal[1994] OtaLawRw 3; (1994) 8 Otago L Rev 188 at 199.

154 At 189–190.

155 At 190.

156 Dotcom v Attorney-General [2018] NZCA 220, [2018] NZAR 1298 at [10]. 157 At [15].

  1. Attorney-General v Dotcom [2018] NZHC 2564, [2019] 2 NZLR 277 at [29]
  2. Juliet Philpott Damages Under the United Kingdoms Human Rights Act 1998 and the New Zealand Bill of Rights Act 1990 (2007) 5 NZJPIL 211 at 219.
  3. Taunoa v Attorney-General [2007] NZSC 70, [2008] 1 NZLR 429.
  4. At [106] per Elias CJ, [253] per Blanchard J, [300] per Tipping J, [372] per McGrath J and [385] per Henry J.
  5. At [255] per Blanchard J, [300] per Tipping J and [366] per McGrath J.


rather than merely compensating for the loss. It confers an action against the State which demands that the State recognise the true value of the right to privacy. This vindication is similarly achieved through the other NZBORA remedy, namely, a declaration of inconsistency, and in the balancing exercise of rights. For those reasons, the NZBORA is the preferred frame for an express general right to privacy.

C Formulating a right to privacy

(1) Definition


Finally, I turn to formulate a draft right to privacy. Before doing so, however, recall the nature of privacy adopted in this article:
In light of this conception of privacy, I propose the following formulation:

Section 14A Right to Privacy

Everyone has the right to freedom from unwanted and unreasonable access to his or her person, settlement, communications and other information.

(2) Explanation


First, the definition, in using the phrase freedom from, recognises that privacy is a negative right. Contrary to the ECHR, the NZBORA right to privacy should not confer positive obligations. Furthermore, the words reflect the idea of privacy as exclusion.
Secondly, Morehams original language of unwanted accessis modified to include unreasonable. The former relays the subjectivity of privacy: matters are private to the extent an individual wishes to exclude others from it.163 The latter adds an objective element, that is, the caveat that the law ought not enforce unreasonably onerous expectations.164 Moreover, the term unreasonableis preferred over unjustifiablebecause the latter connotes a sense of (un)lawfulness; however, something that is lawful can still be unreasonable (such as, arguably, the GCSBs spying in the Pacific). Also, the language of unreasonableness reflects the ICCPR wording of arbitrary—it is appropriate that the proposed Bill of Rights definition reflects the ICCPR given the NZBORAs express commitment to the Covenant.
Thirdly, the term accessis used as distinct from regulation or governance—the latter referring to notions of decisional autonomy rather than access-based privacy. This idea of privacy being access-based is consistent with a conception of privacy as being desired inaccess and exclusion.
Fourthly, four heads of privacy are identified: bodily and thought (person); spatial and associational (settlement); data (communications); and a residual category (other information). Importantly, settlementis intended to cover both spatial or territorial
  1. Bain, above n 25, at 299.
  2. At 299. Note: the torts of publication of private fact and intrusion into seclusion both require the objective element.


privacy, such as the home, as well as associational privacy, that is, the people in your space or your settlement. Alternatively, associational privacy can be covered under a broad interpretation of communications—that is, to include not only the content of, but also the parties to, your communications.
Fifthly, I submit that the right to privacy is best conceived as a democratic and civil right in the NZBORA. I propose that a right to privacy be inserted as s 14A to demonstrate that the right is often competing with freedom of expression; privacy is about exclusion of others from obtaining information about oneself whereas freedom of expression is about freedom to seek, receive, and impart information.165 This contrast is enhanced when privacy is conceived as being limited to access-based privacy as opposed to decisional autonomy, as I have argued.166

V Conclusion

To conclude, this article has argued that (i) privacy, properly conceived, is underlay by a notion of exclusion, non-interference and desired inaccess, and is distinct from autonomy;

(ii) privacy is already implicitly recognised as a right in New Zealand law and comparative jurisdictions, but a clear and coherent statutory formulation is needed to ensure the principled development of privacy law; and (iii) a right to privacy should be included specifically in the NZBORA so as to ensure that it is given proper weight in the s 5 balancing exercise and holds the State accountable for breaches of privacy.

This article is particular in its definition of privacy as access-based, departing from previous academic contributions on the topic in New Zealand. This, I have argued, is important as it avoids of criticism and concern of an overly-broad, vague and contentious right to privacy—which was the reason why privacy was originally omitted from the NZBORA. That is not to say that decisional autonomy-type rights ought not be included in the NZBORA, but that is beyond the scope of this article.
The central thesis that I have sought to advance in this article is this: even if, as the Law Commission recommends, privacy law should be developed in a piecemeal fashion, an express, general right to privacy would still be desirable as it ensures that future developments, whether in statute or common law, are coherent and principled.













  1. New Zealand Bill of Rights Act, s 14.
  2. By contrast, decisional autonomy, arguably, does not contend with freedom of expression but assists it. Both are concerned with the freedom to/ofrather than freedom from.

NZLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.nzlii.org/nz/journals/NZPubIntLawJl/2019/8.html