As has been noted in the European Commission's recent two-year review on the EU General Data Protection Regulation (GDPR), whether New Zealand's data protection laws continue to provide an ‘adequate’ level of protection for personal data is currently up for debate. With the Privacy Bill having now passed its third reading (and due to come into force on 1 December), attention is turning to whether the Privacy Bill is enough to ensure that New Zealand retains its status as a country with adequate data protection safeguards for the purposes of the GDPR. If New Zealand lost its adequacy status, the free flows of data that we currently enjoy with the EU would come to an end, and that is likely to mean much greater administrative ‘red tape’ for businesses that transact with the EU.
What does adequate mean?
Under the GDPR, the European Commission has the power to determine whether a country outside of the EU offers an adequate level of data protection. If a country is deemed to have an adequate level of data protection safeguards in place, then personal data can flow freely between the EU and that country without any other data safeguards required. Without adequacy, the administrative requirements are more onerous. For example, a company that shares data on an intra-group basis between the EU and New Zealand would need to put in place binding corporate rules (which would need to be approved by the relevant supervisory authority in the EU) or enter into a data transfer agreement based on the European Commission's Standard Contractual Clauses – in each case, the data being transferred and the purpose for the transfer would need to be clearly understood, documented and agreed between the relevant parties. In determining whether a country has adequate safeguards in place, there are a number of factors that the European Commission is to take into account, in particular:
- The rule of law and respect for human rights and fundamental freedoms
- Security measures, including rules for the onward transfer of personal data
- Effective and enforceable data subject rights
- The existence and effective functioning of one or more independent supervisory authorities with adequate enforcement powers.
Does the Privacy Bill get us there?
The Privacy Bill includes a number of provisions that may be helpful to retaining adequacy status, including:
- A new privacy principle to address transfers of data outside of New Zealand. In summary, under Information Privacy Principle 12, agencies can now only disclose personal information to a foreign person or entity if that person or entity has been authorised by the relevant individual or the agency otherwise believes on reasonable grounds that the foreign person or entity is subject to the Privacy Bill or privacy laws that, overall, provide comparable safeguards to those in the Privacy Bill.
- Rights for individuals to access and request correction of their personal information. However, despite the Office of the Privacy Commissioner's submissions on the Privacy Bill, it does not otherwise address the broader rights for individuals included in the GDPR (although the non-existence of data portability and restriction of processing rights should not be an obstacle for a country to be recognised as having adequate safeguards for the purposes of the GDPR, they would be considered to be a ‘plus’).
- The introduction of a right for the Privacy Commissioner to issue compliance notices to require compliance with the Privacy Act. Before deciding whether to issue or vary a compliance notice, the Privacy Commissioner can also hear and obtain information from any person who the Commissioner considers may have relevant information. Failure to follow a compliance notice may result in fines of up to $10,000. The Privacy Commissioner will also be able to direct agencies to provide individuals with access to their information – these directions will be enforceable by the Human Rights Review Tribunal.
These changes are, in our view, positive and will help to bring New Zealand’s privacy laws into closer alignment with international trends. However, a number of commentators have observed that there are some areas where the Privacy Bill does not appear to have kept pace with developments overseas – particularly in relation to enforcement and fines. With this in mind, whether the Privacy Bill is enough for New Zealand's adequacy status to continue remains to be seen.
In the meantime, we recommend that businesses get started now on preparing for the new Privacy Act. Agencies that share data with the EU may also wish to keep a watching brief on New Zealand's adequacy status to ensure that they are not caught off guard by the introduction of additional red tape.