New Zealand has officially introduced a new Biometric Processing Privacy Code, aimed at ensuring that the collection and use of biometric data is both safe and proportionate. The Office of the Privacy Commissioner of New Zealand (OPC) confirmed the new code has been established under the Privacy Act of 2020, according to a statement from the agency.

The code will take effect on November 3, 2025. However, businesses already using biometric technologies for identity verification, identification, or categorization will have until August 3, 2026, to fully comply. The OPC has indicated that the rules are designed to safeguard personal data such as fingerprints, facial scans, voice recordings, and iris patterns while balancing the benefits of biometric systems.

New Zealand’s move follows a surge in biometric technology adoption worldwide. Per a statement from the OPC, the initiative, first announced in November 2023, responds to the increasing reliance on biometric authentication as a method of access control. Market data from Grand View Research shows that the global biometric technology sector was valued at USD 34.27 billion in 2022, with projections suggesting it could surpass USD 150 billion by 2030. The Asia-Pacific region is expected to experience the fastest growth during this period.

The code is built around four primary obligations: effectiveness and proportionality, safeguards, transparency, and safe limits. Organizations must have clear reasons for collecting biometric data and ensure that its use is proportionate to potential impacts on individuals. According to the OPC, privacy protections must be implemented before data collection begins, and organizations are required to disclose how the information will be used and provide alternative options for consent. The safe limits provision restricts certain uses, such as detecting a person’s health information without explicit permission, and places added controls on transferring biometric data overseas.

Related: The Controversial Biometric Data Processing of an Ambitious Crypto Asset

The OPC will oversee enforcement of the code and manage related complaints through its Compliance and Regulatory Action Framework. Under the new law, organizations will need to appoint privacy officers and establish formal complaint-handling systems.

Certain entities and technologies will be exempt from some or all of the code’s provisions. Health agencies processing biometric data for healthcare services will continue to follow the Health Information Privacy Code, while the New Zealand Security Intelligence Service and the Government Communications Security Bureau will be exempt from specific requirements. Personal devices like fitness trackers, VR headsets, and smartwatches will generally be excluded, and obligations will not normally apply to individuals handling biometric data privately unless there is a high level of risk, the OPC confirmed.

Source: ICLG