
International Transfers of Personal Data: Candidate for Adequacy - The New Zealand Case

Notes for an address to the Privacy Laws & Business 14th Annual Conference, St John's College, Cambridge


3 July 2001

At this conference two years ago I presented a paper outlining New Zealand's case in terms of the adequacy of data protection measures taken in national law. I opened by stating:

"New Zealand has a first class data protection law in its Privacy Act 1993. In some respects the law is a superior data protection measure to many European laws given its comprehensive application to unstructured manual data. The New Zealand Privacy Act is the only omnibus national data protection law outside Europe covering both the public and private sectors. It is therefore something of a paradox that the New Zealand Privacy Act may be judged 'inadequate' as a data protection measure in the eyes of the European Union."1


Things have moved on in the last two years. Hungary and Switzerland have been assessed as offering "adequate protection" as has the US Safe Harbour arrangement. New Canadian and Australian laws covering the public and private sectors have joined New Zealand's (albeit with delayed commencement and omitting coverage of some significant parts of each sector). There have been significant developments in New Zealand in the last six months which should lead, I suggest, to a finding of adequacy in its case.

In this paper I give an overview of the New Zealand privacy law, explain recent developments and express some opinions about its case for adequacy.

Overview of the New Zealand Privacy Act

For a fuller account of the New Zealand privacy law, I refer anyone interested to my earlier paper.2 The following summarises that material.

New Zealand did not pass its 1993 law as a rushed or superficial response to the prospect of the EU Directive on Data Protection. The Privacy Act 1993 built on many years' experience of sectoral statutory data protection and followed considerable study and consultation. However, legislators had studied early versions of the directive and did expect to achieve adequacy through enacting the law.

The Privacy Act 1993 contains a set of information privacy principles, based on the OECD Guidelines3, which take a similar approach to those in any European data protection law. The principles are applied by law in a broad range of circumstances. They apply to all "personal information" which means any information about an identifiable living individual. They apply to the collection, holding, use and disclosure of personal information by all "agencies", control the use of unique identifiers and confer access and correction rights. "Agency" is defined in an all encompassing fashion (the only notable exemption for present purposes is the news media in their news activities).

The effect is that the Privacy Act covers virtually every data controller in the country, whether in the public or private sectors. The Act's set of information privacy principles apply to personal information in whatever form it is held, whether electronic, manual or otherwise.

The Privacy Commissioner is the national data protection supervisory authority with a range of functions to promote and protect privacy. One important role is to receive complaints from individuals who have suffered an interference with their privacy. On receipt of a complaint, the Commissioner has two principal functions:

  • to investigate the complaint;
  • if the complaint appears justified, to attempt to achieve a settlement.


The Commissioner has received and investigated thousands of complaints since 1993. Most have been able to be successfully resolved through investigation, informal conciliation or, if necessary, the rendering of a formal opinion. The Commissioner cannot award compensation (although many negotiated settlements include monetary compensation) nor order any other action to be taken. However, the Commissioner may take cases to the Complaints Review Tribunal if he considers them to be justified and they have not been able to be settled. The Tribunal can award damages and issue other enforceable orders. Similarly, if a complaint is unable to be resolved it is open to the aggrieved individual to take proceedings to the Tribunal. Complaints can be laid by anyone, including EU citizens, about processing of personal data in New Zealand.

I will finish this brief commentary by mentioning the Privacy Commissioner's powers to issue codes of practice. These codes are a form of delegated legislation and allow the requirements of the information privacy principles to be modified to better suit a particular type of information or data processing, or an industry or sector.

Questions of adequacy in relation to the New Zealand Act

Article 25 of the EU Directive provides that member states shall provide that the transfer to a third country of personal data for processing may take place only if the country in question "ensures an adequate level of protection". The Directive also provides for the drawing up of a list of third countries which ensure an adequate level of protection by reason of their domestic law.4

Since the Directive was adopted by the European Union in October 1995, it is a surprise to many that it has taken so long to reach conclusions about what constitutes "adequacy". Indeed, at the time of writing definitive decisions have been reached on only two countries, Switzerland and Poland, which may have been relatively easy cases given their proximity to the EU geographically and in their data protection legislation.

New Zealand's case for adequacy was, in part, addressed in a September 1998 report prepared for the European Commission concerning the application of a methodology to assess third country adequacy.5 That report looked at six countries with respect to five categories of data transfer.6 However, it is of limited use for present purposes as it was designed principally to test methodology rather than assess a country's case. It did not deal with New Zealand comprehensively.

The other report of relevance was the New Zealand Privacy Commissioner's review of the operation of the Privacy Act completed in December 1998.7 As with the study commissioned for the EC, this review was not principally devoted to assessing New Zealand's case for adequacy. The Commissioner was fulfilling a statutory function to review the operation of the Act after it had been in effect for three years and to recommend any necessary or desirable amendments. At the time of review the Commissioner was anticipating imminent implementation of the Directive in national law. He was aware that the Directive would ultimately oblige EU states to restrict the transfer of personal data to New Zealand if that data was not to be considered subject to adequate protection. He therefore carefully scrutinised the Privacy Act in an effort to see whether its provisions would be judged by European standards to be "adequate" and, if not, to use the opportunity to offer recommendations to sort things out.

In his report the Commissioner observed:

"To be adequate our law does not need to have identical provisions to the EU Directive. It is believed that the law will largely be judged in its totality. Our Act should, in general terms, pass such an adequacy test with flying colours.
"However, there are two aspects which somewhat cloud this rosy picture. New Zealand's law is in danger of failing an adequacy test in so far as it denies access rights to foreigners except when they are actually in New Zealand. This would effectively deny most Europeans one of the key data protection entitlements in any law. In my view, that should be put right as soon as possible.
"The Office of the Privacy Commissioner, with its complaints jurisdiction, provides the independent national institution that is a central feature of an adequate system for the protection of privacy in European eyes. I have no doubt that the basic legislative arrangements for the Privacy Commissioner would be a feature which supports an adequacy case in European eyes. However, the underfunding of my office which has led to complaints waiting in a 12-month queue, may cause EU Commissioners to question the adequacy of a central feature of our Act. An investigation delayed for that long can lose credibility as a compliance mechanism. It is important in this context, in my view, that the central aspect be put right.
"Another issue relates to the possibility of European agencies diverting data transmissions through New Zealand to another country so as to circumvent the EU prohibition. This also should be put right.
"Amongst my recommendations is one concerning the deletion of details from mailing lists which is modelled upon provisions in the EU Directive. Its current absence in our law is not likely to call into question the adequacy of New Zealand's laws. Rather, the EU Directive provides a very promising model to copy from in according appropriate protection to the privacy of New Zealand's personal information."8


From here on I wish to refer to just two of those issues. These are the right of foreigners to have access to personal data held in New Zealand and the possibility of New Zealand being used as a conduit to send personal data to another country. These two issues require legislative change to address them. The others, involving funding of the Office of the Privacy Commissioner (in terms of the complaints backlog) and the manner in which direct marketing complaints are handled, are more peripheral.9

Amendments to the Privacy Act - Standing to make access/rectification requests

On 12 December 2000 the New Zealand Government introduced a bill into Parliament to amend the Privacy Act 1993. The bill implemented two recommendations from the Privacy Commissioner's 1998 report.

The first change will remove the existing requirement that in order to make an access or rectification request an individual must be a New Zealand citizen, permanent resident or in New Zealand at the time the request is made. This change will ensure that Europeans and others have enforceable access and rectification rights which can be exercised from outside the country when information is held or processed in New Zealand.

This amendment makes a simple and clear cut change which will solve an issue which otherwise would undermine a case for adequacy. However, it might be noted, in passing, that foreigners outside New Zealand are not entirely without access and rectification rights even now. For instance:

  • New Zealand's freedom of information laws confer access rights to information held by public sector organisations.10 It is possible for a European to ask a friend or appoint an agent to make an access request on their behalf.
  • Many agencies voluntarily extend access and rectification entitlements to foreigners consistent with good information handling practice. For example, the New Zealand Immigration Service, the principal government department likely to receive access requests from foreigners outside the country, already has the practice of granting access requests.
  • While the rectification right contained in information privacy principle 7 is subject to a standing requirement, principle 8 is not. Principle 8 requires an agency to check data before using it to ensure that it is accurate, up to date, complete, relevant and not misleading. It is unlikely that an agency that failed to act upon a rectification request could maintain, in the event of a complaint, that it had fulfilled its obligations under principle 8 if it used such information. A foreigner is entitled to complain of an agency's failure to comply with principle 8.

Amendment to the Privacy Act - data re-export issue

The Privacy Act has no direct equivalent to the data export controls that now feature in European laws as a result of Article 25 of the EU Directive. The OECD Guidelines, on which the New Zealand Privacy Act is based, never required the establishment of export controls. Impediments to data export were seen as an evil to be avoided through the establishment of consistent and compatible privacy laws between member countries and others.

In his 1998 review of the operation of the Act, the Privacy Commissioner examined the theoretical basis for data export controls, reviewed the international instruments and the schemes existing in other countries, such as in the Hong Kong law. The Commissioner commented:

"In my view, the Privacy Act should be amended to address more precisely the circumstances in which transborder data flows should be prohibited or subjected to additional controls. In doing so it is unnecessary to adopt the restrictive EU model which has also been adopted in Hong Kong.
"New Zealand is not a member of the European Union and it is the OECD Guidelines to which we should primarily direct our attention. However, the EU Directive is relevant in so far as it is desirable to make sure that the New Zealand law, in the context of any transborder data controls, offers 'adequate protection' in EU eyes. By this, I mean any controls adopted should be able to be utilised in circumstances where it appears that a European data controller is transferring information using New Zealand as an intermediary in an attempt to circumvent European laws.
"In this regard, I draw attention to the fact that Europeans might consider New Zealand's law contains no effective restriction on onward transfer in such circumstances. Restrictions on onward transfers have been suggested as a 'core principle' for assessing the existence of 'adequate protection' in a particular jurisdiction."11


The Privacy Commissioner went on to suggest creating a mechanism to control or prohibit the export of personal information in circumstances where an official body from a country that has export controls requests New Zealand to take action in respect of a particular transfer of information that uses New Zealand as a conduit to circumvent that country's privacy laws. The resultant provision might resemble "mutual assistance" provisions found in other contexts. The Privacy Commissioner recommended an enforcement mechanism modelled upon the "transfer prohibition notices" provided for in section 12 of the Data Protection Act 1984 (UK).12 He further noted that any approach must work for both European and non-European countries and be compatible with the OECD Guidelines.

The New Zealand Law Commission in a major report on electronic commerce endorsed the Privacy Commissioner's recommendation.13

The Privacy Commissioner revisited the issue in a supplement to his 1998 report delivered to the Minister of Justice in April 2000.14 In that report the Commissioner prepared a draft amendment to the Privacy Act which would implement the recommendation. This differed slightly from that earlier recommended. As the Commissioner stated:

"The clauses have not strictly followed the 'mutual assistance' model suggested for consideration in the recommendation. My understanding from speaking with European officials and other experts is that the EU will expect the data export controls be able to be activated without awaiting a formal request from an authority in a European state. Nonetheless, the proposals still have a 'mutual assistance' quality in that it provides a mechanism whereby action can be taken where overseas data protection authorities express concerns to me about particular transfers."15


Following the April 2000 report, there were discussions between the Privacy Commissioner and officials from the Ministries of Economic Development and Justice about a possible legislative vehicle to carry it into effect. Initial consideration was given to the Electronic Transactions Bill then in preparation which included among its objectives, to promote:

  • the development of electronic commerce; and
  • consistency between New Zealand law and that of our major trading partners.


However, the Electronic Transactions Bill was designed to closely conform with the matters specified in the UNCITRAL model law on electronic commerce and was not therefore suitable. The Ministry of Justice was able to progress policy and drafting work to include the initiative in the Statutes Amendment Bill introduced in December 2000. It is worth noting that the Statutes Amendment Bill is an omnibus measure introduced by a parliamentary procedure designed for non-controversial legislation. All parties represented in Parliament have considered the proposed legislation in advance and agreed to its introduction. This ought to bode well for the smooth passage of the legislation on a nonpartisan basis.

The bill was referred to the Government Administration Committee of Parliament for study. Only two submissions were received by the closing date of 31 March. The Committee is set to hear evidence during May and is required to report back to the House of Representatives by 12 June 2001. By the time of the conference I may have further to report in terms of progress of the legislation.

While existing New Zealand law does not take an identical approach on data re-export to that of Europe, European data transfer to New Zealand is not entirely without protection. First, most information privacy principles continue to apply to information transferred out of the country where the New Zealand agency continues to hold the information.16 Second, an agency could only lawfully disclose information onward to another organisation (whether in New Zealand or elsewhere) if it accords with information privacy principle 11. This would generally require the disclosure to be consistent with the purpose for which the information had been received from Europe.17

Nonetheless, personal data could theoretically be routed through New Zealand to a third country. The bill addresses this possibility by inserting a new part into the Privacy Act dealing with the transfer of personal information outside New Zealand. The Privacy Commissioner will be empowered to prohibit a transfer of personal information from New Zealand to another State if satisfied that:

  • personal information will be transferred to a jurisdiction where it will not be subject to a law providing comparable safeguards to the Privacy Act; and
  • the proposed transfer may circumvent the laws of the State from which the information originated; and
  • transfer would be likely to breach basic principles of national application in Part 2 of the OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data.


In exercising his new power, the Commissioner must consider several matters, including any existing or developing international guidelines relevant to transborder data flows. The bill mentions the EU Directive explicitly.

The Privacy Commissioner will act by issuing transfer prohibition notices modelled on similar notices given under current and previous legislation in the UK and Ireland.18 Persons subject to transfer prohibition notices will be able to appeal to the Complaints Review Tribunal.

As a result the Privacy Act should, in my opinion, meet the reasonable expectations of the EU on potential data re-export, albeit that the approach is not identical to that currently taken by EU member states.

Suggestions as to approach in judging third country adequacy

It is right that the European Commission should be careful and methodical in the approach taken to judging adequacy of national laws of third countries. It should, of course, take a principled and reasoned approach to the task. That it is doing so is seen in the quality of its decisions and published views. The Commission is ably assisted by the collective expertise of the Article 29 Working Group and the Article 31 Committee.

I have no wish to see the EU recognising just any law or scheme at face value merely because it describes itself as a "data protection" or "privacy" measure. It is in the interest of everyone to see consistent minimum privacy laws and equivalent protections in all jurisdictions.

Indeed recognition by the EU will be relevant to a range of other judgments about adequacy taken around the world. For example, Quebec, New South Wales, Victoria, Australia and Hong Kong are all jurisdictions with data export controls in their laws. Hopefully, a finding by the European Commission will be suitable for those other laws if we are to avoid a great deal of new complexity in the transborder data flow environment in the future. (I might add that the New Zealand Privacy Commissioner is also required to provide an opinion as to the adequacy of a receiving jurisdiction under a law that allows for data matching in social security matters between New Zealand and other countries.19 He will shortly be assessing the laws in the Netherlands and Australia in that context.)

Despite that, I suggest the European officials should be slow to harshly judge the New Zealand law based on certain particular features. Instead, they should look at the Privacy Act in its totality. It is an advanced data protection law which has been operating successfully for individuals in New Zealand since 1993.

The temptation to pick through the New Zealand legislation word-by-word with a view to suggesting replacement by words and phrases more familiar to the European law should be resisted. It is the substance that matters. There is a risk that if one focuses too much on, say, the wording of a particular exception to a single principle, one will lose sight of the complex interrelationship in any set of data privacy principles and the compensating features that the law or practice in one jurisdiction may offer to balance minor deficiencies in other ways.

It may also be necessary to bear in mind some differences in cultural or legislative traditions. For example, some jurisdictions spell certain matters out in great detail in their primary legislation whereas others leave details for secondary legislation or guidelines. Parts of the mosaic of data protection will be found in other laws altogether. I offer two contextual New Zealand examples:

  • New Zealand has had freedom of information law since 1982. New Zealand places a high value on "open government" and the courts have found access rights to government held information to be of a constitutional nature. This is an area where the UK and much of Europe (excepting, of course, Sweden) somewhat lag.
  • The New Zealand Privacy Act has no "sensitive categories" provision. However, the Human Rights Act 1993 and the New Zealand Bill of Rights Act 1990 outlaw discrimination in a range of circumstances on a wide range of grounds. These grounds would encompass most found in a typical list of "sensitive categories" with some additional ones.

Higher standards?

On a closing note I raise the idea that the EU Directive will not always provide a standard of data protection that is as good as that in a third country. I certainly acknowledge the EU Directive as a leading international instrument on data protection. It arguably deals with a number of issues in a way that is more effective from a data protection perspective than the 1980 and 1981 instruments (albeit, I suggest, without the clear expression and conceptual simplicity of the OECD Guidelines).

However, the Directive represents a compromise between member states. In translation into national law there may be further compromising.

There will be cases where privacy laws in third countries have provisions with no equivalent at all in the EU Directive. To illustrate I would mention the Australian National Privacy Principle 8 which states:

"Anonymity - Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation."


This principle is contained in an amendment recently passed to the Australian Privacy Act and which applies to certain private sector agencies.20 The right of anonymity may turn out to be extremely important in the context of e-commerce and e-government where merely offering reasonable protection in a myriad of data trails may not equate to a real sense of privacy protection.

In other cases, it may be that the third country's law has provisions dealing with the same subject as European law, but in a stronger or more detailed fashion. Individuals may be accorded rights that they would not receive in an EU jurisdiction. In the New Zealand context, I would mention, for example:

  • the principles in the Privacy Act apply to all "personal information" which covers a wider class of information than the European notion of "structured manual data";
  • the New Zealand privacy principles have applied to personal information since 1993 and individuals do not have to wait for some future point for rights to fully come into effect in relation to manual data;
  • the Privacy Act contains special additional principles governing public register personal information;
  • special statutory controls on government data matching programmes may exceed the safeguards obtained under the EU Directive in terms of "automated decision making" and "fair processing";
  • subject access must be given free of charge by public sector agencies and all agencies in the health sector.


I merely offer these examples to suggest that sometimes it is not a case of a third country law straining to reach the heights of the EU Directive. Instead, a law may offer similar standards on most issues but somewhat higher in some other cases. Focusing on minor differences suggesting slightly lower standards on some such issues may be unproductive if the law in its totality offers a superior standard.

Conclusion

I conclude by suggesting that New Zealand's Privacy Act offers a suitable model to be recognised as providing adequate protection. Two clear problems have been identified. New Zealand authorities have done their best to assess what Europe expects and the Government is making amendments in good faith to address those problems. I hope that it will be possible for the European Commission to promptly add New Zealand's name to the "white list" of approved countries after the amendments have been enacted.

 
Blair Stewart
Office of the Privacy Commissioner

8 May 2001

Footnotes

1 Blair Stewart, "Adequacy of Data Protection Measures: The New Zealand Case", 12th Privacy Laws & Business Annual International Conference, "New Data Protection Law, Issues, Solutions, Action", Cambridge UK 29 June 1999.
2 The paper is to be found in the conference proceedings and also on the New Zealand Privacy Commissioner's website: www.privacy.org.nz.
3 Recommendation of the Council and Organisation for Economic Cooperation and Development Concerning Guidelines Governing the Protection of Privacy and Trans-border Flows of Personal Data, 1980.
4 EU Directive, Articles 25(6), 29 and 31.
5 Raab, Bennett, Gellman and Waters, European Commission tender number XV/97/18/D Application of a Methodology Designed to Assess the Adequacy of the Level of Protection of Individuals with Regard to the Processing of Personal Data: Test of the Method on Several Categories of Transfer - Final Report, September 1998.
6 The six countries were Australia, Canada, China (Hong Kong), Japan, New Zealand and the USA.
7 Privacy Commissioner, Necessary and Desirable: Privacy Act 1993 Review, December 1998.
8 Necessary and Desirable: Privacy Act 1993 Review, page 9.
9 My paper to the 1999 conference touched upon those issues and also the issue of processing sensitive categories of data. In common with the OECD Guidelines, the New Zealand Privacy Act does not create specific "sensitive categories" controls. However, sensitive categories can, and have, been dealt with by code of practice.
10 See the Official Information Act 1982 and the Local Government Official Information and Meetings Act 1987.
11 Necessary and Desirable, pages 105-106.
12 Necessary and Desirable, recommendation 35(a).
13 Law Commission, Electronic Commerce: Part 2 - A Basic Legal Framework, November 1999, paragraph 177.
14 Report by the Privacy Commissioner to the Minister of Justice supplementing Necessary and Desirable: Privacy Act 1993 Review (December 1998) and offering further recommendations, 7 April 2000.
15 Supplementary report, paragraph 3.7.5.
16 Privacy Act 1993, section 10.
17 Privacy Act 1993, section 6.
18 See Data Protection Act 1984 (UK), sections 12-14; Data Protection Act 1988 (Ireland), section 11; Data Protection Act 1998 (UK) sections 41, 48, 49.
19 See Social Welfare (Transitional Provisions) Act 1990, section 19(2A)(b) in which the Privacy Commissioner is required to report to the Minister of Social Welfare and the Minister of Justice on the "adequacy of the privacy protection given in the other country to information about any individual that may be supplied by New Zealand under the provisions".
20 This principle has not yet come into force.
