If instead the Government cherry-picks aspects of the Cullen-Reddy report then the gaps would quickly be exploited by the agencies concerned and we may as well not have bothered with any reform.
To give just one example, one of the currently neglected areas is "incidentally gathered information". Electronic surveillance tends to "vacuum up" vast amounts of information. Most is undoubtedly discarded by the likes of the GCSB but currently it can be sent to its partners in the Five-Eyes network who can do what they want with it.
The report recommends plugging this gap by requiring the New Zealand agency to decide which part of the data it wants to keep or share and to go through procedures (such as an obtaining an interception warrant). This would mean all surveillance is targeted and mass surveillance such as that exposed by Edward Snowden could not occur.
Into this heady mix must be factored the restrictions imposed on New Zealand by the TPP. Although this free-trade agreement requires its parties to adopt or maintain a legal framework providing for the protection of personal information, the requirement is weakly defined. It can be satisfied by laws providing for enforcing voluntary undertakings by enterprises relating to privacy. This is essentially the American approach and has not prevented frequent privacy invasions by the likes of Facebook and Google, for instance.
The TPP's article 14.11.2 mandates that cross-border data flows of personal information not be restricted, and article 14.13 prohibits laws that require data to be held in New Zealand and not, for example, elsewhere such as Australia.
Exceptions are subject to a complex four-step test with the onus being on the country imposing restrictions to show why they are essential for its public policies, and that they are non-discriminatory and proportionate.
Finally, there are the investor-state dispute settlement provisions prohibiting direct or indirect expropriation of overseas investors targeting New Zealand.
Should the Government follow recommendations for strengthening the Privacy Act by imposing strict liability on local agencies that outsource information or use cloud providers, it is likely that the agencies would seek to obtain indemnities from the overseas providers involved. This may lead to the latter refusing to provide the services.
Where existing facilities (say data storage) have already been built with a view to serving customers here, this may amount to indirect expropriation and lead to our government being sued by investors under investor-state provisions in the TPP. This may not be far-fetched and illustrates why delaying much-overdue reform of the Privacy Act has weakened our ability to project a privacy-friendly image.
Gehan Gunasekara is an associate professor in commercial law at the University of Auckland Business School and advised the Law Commission on reform of the Privacy Act 1993.