Home | Databases | WorldLII | Search | Feedback New Zealand Bill of Rights Act Reports

Digital Identity Trust Framework Bill (Consistent) (Sections 14, 19 and 25(c)) [2021] NZBORARp 57 (23 August 2021)

Last Updated: 8 October 2021

23 August 2021

LEGAL ADVICE

LPA 01 01 24

Hon David Parker, Attorney-General

Consistency with the New Zealand Bill of Rights Act 1990: Digital Identity Services Trust Framework Bill

Purpose

1. We have considered whether the Digital Identity Trust Framework Bill (‘the Bill’) is consistent with the rights and freedoms affirmed in the New Zealand Bill of Rights Act 1990 (‘the Bill of Rights Act’).
2. We have not yet received a final version of the Bill. This advice has been prepared in relation to the latest version of the Bill (PCO 23338/2.40). We will provide you with further advice if the final version includes amendments that affect the conclusions in this advice.
3. We have concluded that the Bill appears to be consistent with the rights and freedoms affirmed in the Bill of Rights Act. In reaching that conclusion, we have considered the consistency of the Bill with s 14 (freedom of expression), s 19 (freedom from discrimination) and s 25(c) (right to be presumed innocent until proved guilty) of the Bill of Rights Act. Our analysis is set out below.

The Bill

4. Currently, New Zealand lacks consistency in the way personal and organisational information is shared, stored and used in a digital identity1 environment. This has led to inconsistencies and inefficiencies in how this information is handled, undermining trust and confidence in the digital identity system for individuals, government agencies and the private sector.
5. The Bill establishes a legal trust framework (consisting of primary legislation, and a set of rules and regulations) for the provision of secure and trusted digital identity services2 for individuals and organisations (‘the Trust Framework’).
6. The policy objectives of the Bill are to:
   1. help drive consistency, trust, and efficiency in the provision of digital identity services;
   2. support the development of interoperable digital identity services;
   100. provide people with more control over their personal information and how it is used; and
        

1 Digital identity is the user-consented sharing of personal and organisational information online to access services and complete transactions. It is understood that the use of digital identity is believed to improve service delivery and reduce inefficiencies, security risks and privacy breaches.

2 Digital identity services are services, or a product, provided by a digital identity service provider that enable the sharing of the information by a user in a transaction with the relying party.

4. enable the user-authorised sharing of personal and organisational information digitally to access public and private sector services.

7. The Bill creates an opt-in accreditation scheme for accrediting digital identity service providers against the Trust Framework rules. This scheme establishes a minimum set of standards for handling personal and organisational information which accredited digital identity service providers must comply with.
8. The Bill creates a Trust Framework board (‘the Board’) which will undertake education, publish guidance, and monitor the performance and effectiveness of the Trust Framework. To enforce the Trust Framework rules and to protect the security and privacy of Trust Framework users, the Bill allows for the establishment of a Trust Framework authority (‘the Authority’).
9. To protect the integrity of the Trust Framework and to enforce compliance with the rules, the Bill also creates offences and a complaints process, allowing people to submit complaints to the Authority and giving the Authority the power to order remedies. The offences contained in the Bill carry pecuniary penalties for activities such as falsifying accreditation.

Consistency of the Bill with the Bill of Rights Act

Section 14 – Freedom of expression

10. Section 14 of the Bill of Rights Act affirms the right to freedom of expression, including the freedom to seek, receive, and impart information and opinions of any kind in any form. The right to freedom of expression has also been interpreted as including the right not to be compelled to say certain things or to provide certain information.3
11. The Bill places various obligations on applicants, Trust Framework providers and other persons to provide information to the Authority in relation to the accreditation scheme. These provisions require applicants to disclose and keep updated certain information as part of their accreditation applications and allow the Authority to require persons to provide information to assist it in relation to complaints and compliance.
12. Under s 14 of the Bill of Rights Act any provision that requires a person to provide or disclose information would be a prima facie limit on freedom of expression. A provision found to limit a particular right or freedom may nevertheless be consistent with the Bill of Rights Act if it can be considered a reasonable limit that is justifiable in terms of s 5 of that Act. The s 5 inquiry asks whether the objective of the provision is sufficiently important to justify some limitation on the right or freedom engaged and, if so, whether the limitation is rationally connected and proportionate to that objective and limits the right or freedom no more than reasonably necessary to achieve that objective.4
13. To the extent that the provisions of the Bill engage the right in s 14 (as to whether such information is truly ‘expressive’ in nature), we consider that the requirements are rationally connected to the objectives of the Bill, which are to establish a legal framework for the provision of secure and trusted digital identity services, and establish governance and accreditation functions that are transparent and incorporate te ao Māori approaches to identity.
    

3 RJR MacDonald v Attorney-General of Canada (1995) 127 DLR (4th) 1.

4 Hansen v R [2007] NZSC 7, [2007] 3 NZLR 1.

14. We also consider that the limits on the freedom of expression are no more than reasonably necessary and are proportionate to the objectives of the Bill. The relevant provisions in the Bill relate to the operation of the accreditation scheme, which is an opt- in scheme, so applicants and Trust Framework providers who are required to provide information in relation to the scheme are doing so because they have elected to be part of the scheme. Where there are requirements on other individuals and organisations to provide information to assist the Authority with complaints and compliance with the scheme, the collection of this information can only be for specified purposes.
15. For these reasons, we conclude that any limits on the right to freedom of expression provided by the Bill are justified under s 5 of the Bill of Rights Act.

Section 19 – Freedom from discrimination

16. Section 19(1) of the Bill of Rights Act affirms that everyone has the right to freedom from discrimination on the grounds of discrimination in the Human Rights Act 1993 (‘the Human Rights Act’).
17. The key questions in assessing whether there is a limit on the right to freedom from discrimination are:5
    1. does the legislation draw a distinction on one of the prohibited grounds of discrimination under s 21 of the Human Rights Act; and, if so
    2. does the distinction involve disadvantage to one or more classes of individuals?
18. Clause 46(2)(a) provides that when selecting board members for the Board, the chief executive of the Board must ensure members of the Board include persons with knowledge or expertise in te ao Māori approaches to identity. Additionally, pursuant to clauses 50 – 54, the Bill creates a Māori advisory group (‘Māori Advisory Group’). The relevant Minister must only appoint members to the Māori Advisory Group who, in the Ministers opinion, have the appropriate knowledge, skills and experience to assist the group to perform its role, which is to advise the Board on Māori interests and knowledge.
19. We note that there is no obligation to appoint members to the Board who have knowledge or expertise in other cultural approaches, and there is also no obligation to appoint an advisory group to advise the Board on non-Māori interests and knowledge. It could appear that these provisions could constitute discrimination on the basis of race or ethnic origins. However, we do not consider that this is the case, for the following reasons.
20. The appointment of members who have knowledge of te ao Māori approaches to identity and the establishment of a Māori Advisory Group do not result in a disadvantage to any class of people. Rather, they are ensuring that the regime provides protection for te ao Māori approaches to identity and Māori interests and knowledge, thereby upholding the Crown’s obligations under the Treaty of Waitangi. Additionally, Māori have a broader right to active participation within the Māori Crown partnership; a right that arises from the Treaty of Waitangi. The Treaty creates a basis for civil government, based on protections and acknowledgement of Māori rights and interests within New Zealand’s shared citizenry.6
    

5 See, for example, Atkinson v Minister of Health and others [2010] NZHRRT 1; McAlister v Air New Zealand

[2009] NZSC 78; and Child Poverty Action Group v Attorney-General [2008] NZHRRT 31.

6 Cabinet Office Circular CO (19) 5.

21. For these reasons, we do not consider that clause 46(1) of the Bill engages the right to freedom from discrimination under s 19 of the Bill of Rights Act.

Section 25 – Minimum standards of criminal procedure

22. Section 25(c) of the Bill of Rights affirms the right to be presumed innocent until proved guilty according to law. The right to be presumed innocent requires that an individual must be proven guilty beyond reasonable doubt, and that the State must bear the burden of proof.7
23. The Bill creates several strict liability offences:
    1. Clause 97(1): An applicant fails without reasonable excuse to give the Authority key information or specified information in their application for accreditation.8
    2. Clause 98(1): An applicant has made an application for accreditation and fails without reasonable excuse to tell the Authority of any change to key information or specified information within the relevant time period before the application is decided.
    100. Clause 98(2): A Trust Framework provider fails without reasonable excuse to tell the Authority of any change to key information or specified information for the period during which they are accredited.
    4. Clause 99: A person obstructs, without reasonable excuse, the Authority when it is carrying out its functions or exercising its powers.
24. Strict liability offences prima facie limit s 25(c) of the Bill of Rights Act because the accused is required to prove a defence, or disprove a presumption, in order to avoid liability.
25. We consider that the limits to the right under s 25(c) of the Bill of Rights Act appear to be justified, for the following reasons. In reaching this conclusion we have taken into account the nature and context of the activity being regulated, the ability of the defendants to exonerate themselves, and the penalty levels:
    1. Strict liability offences are more easily justified where they are in the category of ‘public welfare regulatory offences’ created in order to protect the public. They recognise the importance of protecting the personal and organisational information of users and the trust that is placed in the accredited Trust Framework providers in handling and protecting that information. The strict liability offences in the Bill arise in the context of preventing fraudulent accreditation and obstructing a regulatory authority from carrying out its function. Fraudulent applicants or Trust Framework providers could undermine the integrity of the Trust Framework and therefore the purpose of the Bill. Preventing fraudulent and obstructive activity is necessary in the public interest as it will assist in creating a
       

7 See R v Wholesale Travel Group (1992) 84 DLR (4th) 161, 188 citing R v Oakes [1986] 1 SCR 103.

8 What constitutes key information will be prescribed by regulations. Specified information on the other hand is defined in cl 24(1) as whether the applicant: (a) has been convicted of a criminal offence, whether in New Zealand or overseas; (b) is subject or has been the subject of a formal investigation or proceeding by the Privacy Commissioner; and (c) information relating to accreditation.

sound legal framework for the provision of secure and trustworthy digital identity services.

2. The Bill contains the general defence of ‘reasonable excuse’. This defence relies on information that is more likely to be in the defendant’s knowledge, and provides them with a suitably broad range of defences.

100. The penalty levels are fines not exceeding $10,000 in the case of an individual, and fines not exceeding $20,000 in the case of a body corporate for all four offences. We consider that these penalties are proportionate to the importance of the Bill’s objective.

26. For the above reasons, we consider the strict liability offences to be justified in terms of s 25(c) of the Bill of Rights Act.

Conclusion

27. We have concluded that the Bill appears to be consistent with the rights and freedoms affirmed in the Bill of Rights Act.
    

Jeff Orr

Chief Legal Counsel Office of Legal Counsel