Table of Contents
David Harvey
Retired district court judge
The Bill and the Bureaucracy
A bill is currently before parliament. The Social Media (Age Restricted Users) Bill proposes to require providers of designated social media platforms to take all reasonable steps to prevent users under 16 from holding accounts.
The legislation has broad political support. It was introduced by National MP Catherine Wedd. National backs it. Labour will not miss an opportunity to regulate. The numbers are there. In some form it will pass.
What should concern New Zealanders is not the bill itself – the question of whether social media is harmful to adolescents is legitimate and contested – but what is being built in its name, by whom, and on whose authority, before a single clause has become law.
On Monday 20 April 2026, the Department of Internal Affairs posted an advertisement for a programme implementation director (PID) to lead the establishment of a new regulatory regime for under-16 social media restrictions. The advertisement described the programme as “high-profile” and “time-critical”.
By Wednesday 22 April, the advertisement had been withdrawn. Highly ironic for a government agency that deals with censorship.
But not before its contents revealed, in the careful language of bureaucracy, exactly how far advanced the DIA’s preparations already are – and exactly why those preparations should alarm anyone who cares about civil liberties in New Zealand.
What the DIA Is – and Why That Matters
The Department of Internal Affairs is not a neutral administrative body. It is one of the most operationally powerful agencies in the New Zealand state. It issues passports and grants citizenship. It registers births, deaths, and marriages. It operates the RealMe digital identity verification service and administers the Digital Identity Services Trust Framework.
It enforces censorship law under the Films, Videos and Publications Classification Act 1993. It maintains internet blocklists, issues formal takedown notices to online platforms, and investigates and prosecutes individuals for objectionable content online.
Within the DIA, the unit being tasked with the social media age restriction programme is Digital Safety and Identity Investigations – the department’s self-described “front line against online harm”. This unit houses the Digital Child Exploitation Team, the Digital Violent Extremism Team, the content classification function, and the anti-spam enforcement operation. The programme implementation director will sit within this branch, reporting to its general manager.
This is not a technicality. It is a structural choice with profound implications. The agency now being handed the levers of a social media age-verification regime is the same agency that decides what New Zealanders may legally view online, that operates the systems through which New Zealanders prove who they are, and that already holds the biometric data of every passport holder in the country.
The convergence of these functions in a single department – identity management, censorship enforcement, and now platform access regulation – is not the result of careful institutional design. It is the result of administrative convenience and the absence of political will to do this properly.
The Advertisement: Policy Before Law
The job description for the programme implementation director (PID) makes clear that this is not exploratory or contingency work. The DIA is not preparing options for ministers to consider once legislation passes. It is already designing the operational model, building the governance structures, defining the regulatory processes, and preparing to engage with social media companies about compliance expectations.
The role requires the PID to “lead organisation design for the Phase 1 regulator, ensuring clear accountabilities, scalability and alignment with policy intent” and to “lead the translation of legislative policy into operational settings, service models and regulatory processes”.
Early engagement with social media providers is already planned, with the PID expected to “support readiness, cooperation, and shared understanding of regulatory expectations”.
None of this is contingent on parliamentary approval. The DIA is treating the bill’s passage as a foregone conclusion – and acting accordingly.
There is a further irritant in the job description’s priorities. Among the listed responsibilities in a more detailed job description, which is, co-incidentally no longer available, is the requirement to ensure that:
Te Tiriti o Waitangi considerations are embedded in governance, design, engagement, and delivery of online safety interventions.
This is, as a stand-alone aspiration, unobjectionable. But it sits in a document that contains not a single reference to the New Zealand Bill of Rights Act 1990, to freedom of expression under section 14, or to the requirement under section 5 that any limitation on fundamental rights be demonstrably justified in a free and democratic society.
The preference for embedding vague Treaty considerations over statutory obligations to fundamental rights is revealing. It suggests that the DIA’s operational design is proceeding without adequate legal scrutiny of the legislation it is being asked to implement.
The Freedom of Expression Problem
The stated purpose of the bill is narrow: to reduce harm to children from designated social media platforms.
But the mechanism required to enforce it is anything but narrow. To prevent under-16s from holding accounts, providers must verify that every account-holder is 16 or older. There is no workable age verification system that applies only to children. As Privacy Commissioner Michael Webster has stated plainly, “to ensure under-16s are not accessing social media, all users over 16 will be required to verify their age”.
This is the central paradox the bill’s architects have not adequately addressed. A law designed to protect children’s privacy will require every adult in New Zealand to submit to identity verification simply to use the most common communication tools on the internet.
Social media is no longer a luxury or an entertainment product. It is where political debate occurs, where journalists publish, where protest is organised, where communities form and maintain themselves.
A regime that conditions entry to that space on prior identity verification does not merely inconvenience adults. It imposes a chilling effect on speech – the knowledge that participation is logged, verified, and traceable – that strikes at the foundation of free expression.
The bill’s promoters have largely dismissed this concern, asserting the bill does not breach the NZBORA without adequately explaining why mandatory identity verification as a condition of online speech constitutes a reasonable limitation demonstrably justified in a free and democratic society.
That is not an adequate answer. It is not, in fact, an answer at all. The New Zealand Council for Civil Liberties has expressed concern that the bill infringes the Bill of Rights Act, the Privacy Act 2020, and the UN Convention on the Rights of the Child. These are not fringe objections. They are mainstream constitutional concerns that deserve rigorous legislative analysis, not dismissal.
The Identity Infrastructure Trap
The privacy risks of any age verification system are substantial. Webster has warned that such systems could rely on government-issued documents including passports, that age estimation technologies have high error rates, and that age inference technologies rely on data mining.
Each of these pathways creates risks of data collection, data retention, and data misuse that the bill, as currently drafted, does not adequately address.
Australia’s equivalent legislation includes explicit protections: platforms are barred from requiring government-issued identity documents such as passports for age verification, and verified data must be promptly destroyed.
New Zealand’s bill contains no equivalent safeguards. This is not an oversight. It is an open door through which the DIA’s existing identity infrastructure – RealMe, the Digital Identity Services Trust Framework, the Identity Check facial recognition service already used by more than 75,000 New Zealanders – could naturally expand into the governance of social media access.
The civil liberties organisation PILLAR has argued the bill would do little to protect children but would instead “create serious privacy risks” and limit digital freedoms, warning that forcing citizens to share personal data for age verification could increase the risk of surveillance and data misuse. These concerns are not theoretical.
Any age verification system generates metadata at scale: records that a particular individual of a particular age sought access to a particular platform at a particular time. Even where underlying identity documents are not retained, this metadata is a surveillance resource of extraordinary scope. Verification tools that are supposed to delete data after processing have, in practice, stored that data for longer than declared, and data can be intercepted and stolen before deletion.
The DIA already holds the details and photographs of every passport holder. It already holds biometric data from the Identity Check facial recognition service.
Adding social media verification to this portfolio does not merely expand the DIA’s administrative remit. It creates a single point of failure – and a single point of potential abuse – for the digital identity of every New Zealander.
Censorship by Institutional Creep
The DIA’s censorship function is not peripheral to its operations. It is structural.
The Films, Videos and Publications Classification Act provides the legal foundation for the Digital Safety Group’s work, authorising the department to restrict access to harmful content and prevent access to banned material.
The department maintains internet blocklists, issues takedown notices to platforms, and investigates individuals for content-related offences. This is not passive regulation. It is active enforcement.
Placing this same agency in charge of designating which platforms are age-restricted – a power that rests with the minister but which the DIA will operationalise – and of enforcing compliance creates an institutional pathway through which the scope of restricted content can expand over time.
Platforms designated as age-restricted become, in practical terms, platforms made difficult to access. The history of censorship regimes provides no examples of agencies that, once given authority to restrict access, consistently chose to exercise that authority narrowly. Institutional incentives run in the other direction.
The parliamentary Education and Workforce Committee acknowledged that VPNs can circumvent local restrictions – an observation that amounts to an admission that the regime will be technically ineffective against determined users. When enforcement fails against technically sophisticated users, the institutional pressure will be to expand enforcement powers, not to accept the limitation.
Under DIA administration, that pressure will fall on an agency already oriented, by its existing mandate, towards content control and platform restriction.
The Political Question Nobody Is Asking
The original location of this legislation, once the National Party decided to back it, was in the education portfolio, under Minister Erica Stanford. The inquiry by the Education and Workforce Committee, which received 430 submissions and produced two reports, reflected a harm prevention framework centred on children’s wellbeing and digital literacy. That inquiry – whatever its limitations – was at least grounded in the right institutional question: how do we protect children from online harm?
Somewhere between that inquiry and the DIA job advertisement, the framing shifted. The question is no longer how to protect children. It is how to build a regulatory enforcement regime – one that sits, not in the education sector, nor in an independent regulator, but in the same department that censors content, issues passports, builds digital identity infrastructure, and investigates citizens for what they say and share online.
That shift deserves political scrutiny it has not received. The ACT minister previously responsible for the DIA – Brooke van Velden, who abandoned the ill-conceived Safer Online Services and Web Platforms project – is leaving politics. Her departure appears to have created a vacuum in which the DIA has been permitted to advance this programme without adequate ministerial oversight.
ACT’s stated position – that digital ID for age verification should not be a government priority, and that a careful, sophisticated response is needed – has been overtaken by events inside the department ACT is nominally responsible for.
The question of how pre-emptive platform regulation squares with ACT’s opposition to market intervention, and whether this programme represents a coalition concession by ACT, has not been answered publicly. It should be.
What Should Happen Instead
None of this is an argument that social media harm to children is not real, or that no legislative response is warranted. It is an argument about institutional design, the separation of powers, and the conditions under which fundamental rights can be legitimately constrained.
If New Zealand is to implement a social media age-restriction regime, it should do so by establishing an independent online safety regulator – as the parliamentary committee itself recommended – rather than assigning administration to the DIA.
It should prohibit the use of government-issued identity documents for age verification, as Australia has done.
It should require immediate destruction of all verification data after each transaction is completed.
It should subject any designated verification system to independent oversight by the Privacy Commissioner.
And it should ensure that the legislation contains robust, judicially reviewable protections for freedom of expression – not a perfunctory assertion that the bill raises no rights concerns.
The protection of children from online harm and the protection of adult New Zealanders from an overreaching surveillance state are not competing priorities.
A properly designed regime can honour both.
What the DIA is building – before the legislation has passed, without adequate rights analysis, in a department that already combines identity management, censorship enforcement, and digital infrastructure administration – does not honour either.
Post Script
The withdrawal of the job advertisement two days after it was posted suggests that someone, somewhere, recognised the problem. That is not reassuring. It means the programme continues – only now, less visibly.
As it happens a new advertisement was posted here after this article was finished. It makes little difference to the article and its argument, although some of the language is less strident.
Positive words like “will” and “can” become “could”. References to a “regulatory regime” becomes a “potential new regime”.
Importantly a detailed document relating to the expectations of the applicant in various key areas, which was referenced with a link in the original advertisement, is not mentioned. This document contains quite a bit of detail that is now less visible.
The words may have changed but the message and the sentiment remain the same.
This article was originally published by A Halfling’s View.
