With the end of Flybuys NZ, what happens to the personal data of nearly 3 million Kiwis?

After almost three decades in New Zealand, loyalty programme Flybuys announced it would be closing in 2024. The company behind the scheme, Loyalty New Zealand, has since entered liquidation, leaving the future of one of Flybuys’ key assets uncertain.

That asset is a customer database containing sensitive personal information about millions of New Zealanders. So what happens to it matters.

Founded in 1996, some 2.9 million New Zealanders representing 74% of the nation’s households eventually signed up to Flybuys. Members collected points at affiliated retailers which they could then redeem through the Flybuys website.

But over the past decade, partners such as Air New Zealand, Mitre 10 and New World pulled out of the scheme to either join other loyalty programmes or start their own.

In May last year, Loyalty New Zealand announced it was closing Flybuys New Zealand and liquidators were called in to manage the company’s end. Flybuys Australia continues to operate, jointly owned by Coles Group and Wesfarmers (which owns retailers K-mart and Bunnings).

According to the first liquidator’s report from early April, Loyalty New Zealand is solvent. This means it is not bankrupt and can pay all debts in full.

Once creditors are paid, the remaining funds will go to shareholders – Z Energy, BNZ, IAG and Foodstuffs Ventures (NZ), a joint subsidiary of Foodstuffs North Island and Foodstuffs South Island.

However, the report is silent on Flybuys’ customer database. That data likely includes years of shopping histories, behavioural profiles and potentially sensitive demographic or inferred financial information.

When the end of Flybuys was announced, Loyalty New Zealand assured customers and retailers it would manage private data according to the New Zealand Privacy Act. But with the liquidation of the company, it is unclear what will now happen to this information.

While no one has publicly said the information will be sold, there is no assurance it will be deleted either. And the database is arguably Loyalty New Zealand’s most valuable, albeit intangible, asset. Unless liquidators explicitly commit to deletion, the data could potentially be transferred or sold.

Data ownership, privacy and sovereignty

The risks are far from theoretical. In March this year, DNA ancestry company 23andMe filed for bankruptcy. The genetic data held by the company was put up for sale as an asset, exposing users and their relatives to substantial privacy risks.

While privacy laws vary by country, the 23andMe case showed how personal data can make customers vulnerable. Flybuys’ data may not be genetic, but it is similarly rich, detailed and easily re-identifiable when combined with other datasets.

If sold or reused without proper controls or oversight, it might potentially expose former members to discriminatory insurance profiling, targeted scams, manipulative political advertising and algorithmic credit scoring.

In extreme cases, such data can be used to infer sensitive customer characteristics such as financial stress or health-related behaviours. This could lead to political profiling or surveillance captialism – the collection and commodification of personal data.

New Zealand’s Privacy Act 2020 is designed to protect personal information. If data is reused for purposes beyond its original intent, or transferred without proper consent, it may breach the law. But the act does not clearly prohibit the sale of data during a liquidation. Nor is it clear on how the rules could be enforced.

Australia’s Privacy Act 1988 offers even less protection. It allows companies to send personal data overseas if they take “reasonable steps” to ensure recipients follow similar privacy rules. This means Australian Flybuys’ data could be sent to countries such as the United States.

That is especially worrying given the power of US tech giants, which routinely collect, profile and monetise data with little oversight. In the wrong hands, Flybuys’ trove of shopping habits, preferences and behavioural patterns could be repurposed to build invasive consumer profiles without people’s knowledge or control.

Setting a global standard

If Flybuys New Zealand’s data is treated as an asset during the liquidation process, could set a precedent and shape future regulatory standards internationally.

We have seen this before. In November 2022, Deliveroo Australia entered voluntary administration, raising concerns about how it would handle its extensive customer data. Users were told they had six months to download their own information, but there was no clarity on whether the data would then be deleted, retained or sold.

This lack of transparency revealed a gap in Australia’s data protection laws during liquidation. While the ultimate fate of the data remains publicly unknown, experts have suggested it was transferred to Deliveroo’s UK-based parent company.

While Australia’s 1988 Privacy Act requires organisations to handle personal information responsibly, it does not clearly regulate the sale or transfer of data during insolvencies or liquidations. There is a legal grey area which leaves customers and consumers vulnerable, as their data could be treated as a tradable asset without their consent.

The need for ethical stewardship

Customer data accumulation is the product of a relationship built on trust that should end when the company and relationship does. Ethical stewardship demands deletion, not redistribution.

This aligns with global norms such as the “right to be forgotten” under the European Union’s General Data Protection Regulation.

When a company winds down, users should be clearly informed of their options: to retrieve their data, delete it or consent to its transfer. That decision should rest with the member or customer, not be made behind closed doors for potential financial gain.