Privacy Commissioner - Te Mana Matapono Matatapu

Skip to content

Human Rights in Foreign Policy

Letter to the Chairperson, Foreign Affairs, Defence and Trade Committee by B H Slane, Privacy Commissioner

Dear Sir

Inquiry into the role of Human Rights in Foreign Policy

I offer these comments as a late submission to your Committee's inquiry.

Information privacy has become an international issue principally because of transborder flows of personal data. Three supra-national organisations, the OECD, Council of Europe and European Union have been particularly active in seeking to establish common minimum standards for the protection of privacy in order to both protect human rights and to avoid unnecessary impediments to data flows and international commerce.

In this brief submission I will not go into matters in detail. However, for the information of the Committee I attach an extract from my 1998 report Necessary and Desirable: Privacy Act 1993 Review which sets the Privacy Act into its international, technological and economic context.

Probably the issue of most international attention in this area has been the practice of some jurisdictions to place restrictions on export of personal data into jurisdictions which fail to provide adequate data protection measures. The main example of this is Article 25 of the European Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data (24 October 1995). This prohibits EU member states from transferring personal data to a third country outside the European Economic Area for processing except where the country in question ensures an "adequate level of protection." The European Commission has established an "approved list" of countries whose laws provide adequate protection. Switzerland and Hungary have been the first two countries to be listed. I have urged the Governments for more than two years to remedy certain minor shortcomings in the Privacy Act to ensure New Zealand be added to the list. There are important economic reasons to establish New Zealand's case for adequacy.

The issue does not simply involve the 15 member states of the European Union. Virtually all other states in western and central Europe have, or are adopting, laws which follow the approach of the EU Directive. Such laws will not only provide "adequate protection" but also include a data export prohibition modelled upon Article 25 of the EU Directive.

Countries outside Europe are also adopting export controls in their laws. They are mainly motivated to protect the personal data of their citizens when information is transferred into another jurisdiction. However, such provisions also ensure such countries' laws met the EU adequacy test. The EU has taken the view that such prohibitions are necessary to avoid countries with data protection laws being used as a data conduit to other jurisdictions in an effort to bypass EU controls.

The following jurisdictions outside Europe already have within their laws data export prohibitions similar to those in the EU Directive:

Quebec (provincial law);
Hong Kong (relevant provisions yet to be brought into force);
* New South Wales (state law)

Australia is poised to enact a similar data export control in an amendment to its Privacy Act 1988. That data export prohibition would solely apply to applicable private sector agencies. Victoria intends to enact a similar law at state level.

The standards of privacy protection provided in New Zealand law could be judged pursuant to the law in any of those countries. The Committee should be interested in the steps to be taken by our Government to ensure that New Zealand's interests are protected - in particular how we will ensure a robust case for adequacy is established.

Data protection laws of the type found in the Privacy Act in New Zealand are now the norm in developed countries of our type. Such laws exist throughout Europe, Canada (federally and in all provinces), Australia and Hong Kong. The USA also has similar privacy laws at federal level and a limited application of privacy laws through sectoral legislation applying to the private sector and state institutions. The coverage in the USA is very uneven.

Within our region there are, in addition to the privacy laws in Hong Kong, Australia and New Zealand limited information privacy or data protection laws in Japan, Thailand and Taiwan. There are no laws on the OECD/European model in Pacific Island countries or the rest of Asia. (There are some constitutional protections for privacy in several jurisdictions).

The absence of data protection laws in developing countries in our region represents something of a risk. One risk is that the personal information about New Zealanders will be transmitted to places where it is not properly protected. I have, for example, investigated a complaint where sensitive medical information was transferred to a Pacific Island nation and used for a purpose unrelated to the reason it was sent to the detriment of the New Zealander. I have also investigated complaints where personal information obtained by New Zealand agencies has been transferred to Australian entities which have then refused personal access requests. There is also the risk that smaller, poorer, or developing countries in our region will be unable to secure findings of "adequate protection" for EU purposes or those of other national laws. These countries may be "left behind" in the digital economy.

This may therefore be of interest to the Committee as an issue both:

• to ensure protection of New Zealanders' data when transmitted internationally, and
• in relation to development assistance so that the Pacific Islands neither become an unregulated "data haven" nor a backward region missing out on data processing opportunities.

To promote discussion of such issues in our region I hosted, together with the Australian Privacy Commissioner, the Second Asia Pacific Forum on Privacy and Data Protection in Hong Kong in September 1998. As this preceded the 21st International Conference of Privacy and Data Protection Commissioners, it was possible to arrange a good representation from across the region and to enable interaction with data protection experts from around the world. With the assistance of Ministry of Foreign Affairs and Trade's Good Governance Programme, representatives from a number of Pacific Island countries were able to participate.

I would be happy to elaborate on any aspect of this submission if that would be of assistance to the Committee.

Yours sincerely

B H Slane
Privacy Commissioner