With the end of Flybuys NZ, what happens to the personal data of nearly 3 million Kiwis?
Customer data has become a valuable asset for businesses. But privacy laws need to be clearer about what happens to this information when businesses go into liquidation.
That asset is a customer database containing sensitive personal information about millions of New Zealanders. So what happens to it matters.
Founded in 1996, some 2.9 million New Zealanders representing 74% of the nation’s households eventually signed up to Flybuys. Members collected points at affiliated retailers which they could then redeem through the Flybuys website.
But over the past decade, partners such as Air New Zealand, Mitre 10 and New World pulled out of the scheme to either join other loyalty programmes or start their own.
In May last year, Loyalty New Zealand announced it was closing Flybuys New Zealand and liquidators were called in to manage the company’s end. Flybuys Australia continues to operate, jointly owned by Coles Group and Wesfarmers (which owns retailers K-mart and Bunnings).
According to the first liquidator’s report from early April, Loyalty New Zealand is solvent. This means it is not bankrupt and can pay all debts in full.
Once creditors are paid, the remaining funds will go to shareholders – Z Energy, BNZ, IAG and Foodstuffs Ventures (NZ), a joint subsidiary of Foodstuffs North Island and Foodstuffs South Island.
However, the report is silent on Flybuys’ customer database. That data likely includes years of shopping histories, behavioural profiles and potentially sensitive demographic or inferred financial information.
When the end of Flybuys was announced, Loyalty New Zealand assured customers and retailers it would manage private data according to the New Zealand Privacy Act. But with the liquidation of the company, it is unclear what will now happen to this information.
While no one has publicly said the information will be sold, there is no assurance it will be deleted either. And the database is arguably Loyalty New Zealand’s most valuable, albeit intangible, asset. Unless liquidators explicitly commit to deletion, the data could potentially be transferred or sold.
Loyalty schemes such as Flybuys can gather a great deal of information on those who sign-up. That information can become a valuable – and potentially tradable – asset.Zamrznuti tonovi/Shutterstock
While privacy laws vary by country, the 23andMe case showed how personal data can make customers vulnerable. Flybuys’ data may not be genetic, but it is similarly rich, detailed and easily re-identifiable when combined with other datasets.
In extreme cases, such data can be used to infer sensitive customer characteristics such as financial stress or health-related behaviours. This could lead to political profiling or surveillance captialism – the collection and commodification of personal data.
New Zealand’s Privacy Act 2020 is designed to protect personal information. If data is reused for purposes beyond its original intent, or transferred without proper consent, it may breach the law. But the act does not clearly prohibit the sale of data during a liquidation. Nor is it clear on how the rules could be enforced.
Australia’s Privacy Act 1988 offers even less protection. It allows companies to send personal data overseas if they take “reasonable steps” to ensure recipients follow similar privacy rules. This means Australian Flybuys’ data could be sent to countries such as the United States.
That is especially worrying given the power of US tech giants, which routinely collect, profile and monetise data with little oversight. In the wrong hands, Flybuys’ trove of shopping habits, preferences and behavioural patterns could be repurposed to build invasive consumer profiles without people’s knowledge or control.
Setting a global standard
If Flybuys New Zealand’s data is treated as an asset during the liquidation process, could set a precedent and shape future regulatory standards internationally.
We have seen this before. In November 2022, Deliveroo Australia entered voluntary administration, raising concerns about how it would handle its extensive customer data. Users were told they had six months to download their own information, but there was no clarity on whether the data would then be deleted, retained or sold.
This lack of transparency revealed a gap in Australia’s data protection laws during liquidation. While the ultimate fate of the data remains publicly unknown, experts have suggested it was transferred to Deliveroo’s UK-based parent company.
While Australia’s 1988 Privacy Act requires organisations to handle personal information responsibly, it does not clearly regulate the sale or transfer of data during insolvencies or liquidations. There is a legal grey area which leaves customers and consumers vulnerable, as their data could be treated as a tradable asset without their consent.
The need for ethical stewardship
Customer data accumulation is the product of a relationship built on trust that should end when the company and relationship does. Ethical stewardship demands deletion, not redistribution.
When a company winds down, users should be clearly informed of their options: to retrieve their data, delete it or consent to its transfer. That decision should rest with the member or customer, not be made behind closed doors for potential financial gain.
The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.
RUGBY Moana Pasifika loose forward Sione Havili Talitui's eager to hit the ground running in his return to the starting side against the Brumbies this afternoon at Pukekohe More...
BUSINESS Powerball will be worth $23 million on Wednesday night after eluding players in tonight's Lotto draw More...
