New Zealand introduces legal code to regulate use of biometric technologies

New Zealand’s Privacy Commissioner announced the adoption of the Biometric Processing Privacy Code, a set of legally binding rules under the Privacy Act that specifically regulate the automated processing of biometric data. The Code applies to technologies such as facial recognition and aims to balance the benefits of innovation with the protection of sensitive personal information.

According to Privacy Commissioner Michael Webster, biometrics are uniquely sensitive because they are directly tied to an individual’s identity. ‘It is not just information about us, it is us,’ he said, emphasising that while biometrics offer potential benefits like improved security and efficiency, they also raise serious privacy risks such as surveillance, discrimination, and profiling.

The Code, which comes into force on 3 November 2025, establishes new obligations for agencies (both public and private) that collect or process biometric data. Those already using such technologies have until 3 August 2026 to bring their practices into compliance.

Key provisions include:

• Assessing whether the use of biometrics is necessary, effective, and proportionate to the purpose.
• Implementing appropriate safeguards to minimise privacy risks.
• Informing individuals when biometric systems are in use before or at the point of data collection.
• Prohibiting certain high-risk uses, such as emotion detection or inferring sensitive traits like ethnicity, sex, or other characteristics protected under the Human Rights Act.

The Code holds the same legal weight as the Information Privacy Principles in the Privacy Act but replaces them in contexts involving automated biometric processing. It provides clarity for agencies and enhances individual rights protection in a context where many comparable jurisdictions already enforce heightened biometric safeguards.

The Privacy Commissioner has also issued detailed guidance and factsheets to help organisations understand and implement the Code effectively. The guidance includes practical examples and encourages agencies to evaluate their own systems carefully.

‘Biometrics should only be used if they are necessary, effective, and proportionate,’ said Commissioner Webster. ‘The key is ensuring that the benefits outweigh the privacy risks.’

Agencies are encouraged to consult the full Biometric Processing Privacy Code, its summary, and the accompanying guidance materials to assess their compliance obligations.