
1. Introduction

1.1 The Privacy (Cross-border Information) Amendment Bill is focused upon trans-border data flows and the operation of a privacy law in a globalised economy.

1.2 In particular, the bill will:

  • ensure that individuals can exercise access rights when outside the country;
  • enable the Privacy Commissioner more effectively to cooperate with overseas privacy enforcement authorities;
  • enable enforcement action in certain cases involving transfer of information to another jurisdiction.

1.3 The amendments will help ensure that New Zealand meets the privacy standards expected by our major trading partners. The Act will be updated to better cope with some cross-border information issues.

1.4 The bill should enable New Zealand to obtain a formal finding from the European Union that our law provides an adequate standard of data protection. Such a finding will enable European businesses more freely to transfer information to New Zealand for processing. Without such a finding businesses must undertake more cumbersome and expensive processes under European law to legitimize such data transfers. A finding will be potentially advantageous to New Zealand from a trading perspective. No other country in our time zone has obtained such a finding from the EU. Conversely, if New Zealand cannot secure such a finding, our information processing businesses might in due course be at a competitive disadvantage as other nations move to meet the EU criteria or apply their own data export controls. Obtaining a formal finding of adequacy from the EU will also act as a way of demonstrating that New Zealand meets the standards of any other jurisdiction having data export controls given that the EU is recognised as having the strictest standards.

1.5 The bill is not a complete answer to all the privacy and security risks associated with cross-border information flows. The Law Commission is currently undertaking a major review of privacy and may offer further recommendations for reform. Nonetheless, the bill is an important step and I recommend its enactment.

1.6 This report discusses the two major substantive provisions, concerning referral of complaints overseas and issuing transfer prohibition notices, and offers several recommendations. The several small changes to the bill suggested will help improve the bill's effectiveness both as a measure for privacy protection and to secure an EU finding of adequacy. The report also provides an annex setting out background information in relation to data export controls.

2. Clause 7: Referral of complaint to overseas privacy enforcement authority (new section 72C)

2.1 Over the last decade or more there have been increasing concerns about the privacy risks associated with cross-border data flows, particularly as those data flows change in character and grow in volume. As the OECD has observed:

Globalisation, the emergence of 'follow the sun' business models, the growth of the Internet and falling communication costs dramatically increase the amount of personal information flowing across borders. This increase in transborder information flows benefits both organisations and individuals by lowering costs, increasing efficiency and improving customer convenience. At the same time, these personal information flows elevate concerns about privacy, and present new challenges with respect to protecting individuals' personal information.

When personal information moves across borders it may put at increased risk the ability of individuals to exercise privacy rights to protect themselves from the unlawful use or disclosure of that information. At the same time, privacy enforcement authorities may find that they are unable to pursue complaints or conduct investigations relating to the activities of organizations outside their borders.[1]

2.2 A consensus has emerged at international level on the need to promote closer cooperation amongst privacy enforcement authorities to enable them to exchange information and carry out investigations with their foreign counterparts. Proposed section 72C is a measure designed to facilitate such cooperation.

2.3 A legal framework for privacy protection at a global level remains incomplete. However, we have reached a point where many countries now have enforceable privacy laws. For example, when the OECD Guidelines were adopted in 1980, only about one third of OECD member countries had privacy legislation. Today, nearly all OECD countries have laws protecting privacy and have established authorities with enforcement responsibilities. Looking more widely, there are now 80 data protection authorities accredited to the International Conference of Privacy and Data Protection Commissioners covering 37 countries. All of these authorities possess complaints or enforcement powers. While global solutions to privacy risks may take many years to complete, more effective cross-border enforcement of the laws that already exist is an achievable short term step that can be taken.

2.4 If a New Zealander has a privacy complaint involving a business based in another country there might already be an enforcement authority to which that complaint could be taken. The amendment will empower the Privacy Commissioner to transfer a complaint received in New Zealand to the correct authority. In some cases, simple transfer of a complaint may be insufficient and there may be a need for joint or coordinated investigations in both countries.

2.5 The proposed amendment provides the Privacy Commissioner with authority to consult with and transfer complaints to overseas privacy enforcement authorities. This statutory authority will act as an implied exception to the secrecy provision in section 116 of the Act.

2.6 The amendment does not go as far as the OECD Recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy. Some of the more extensive OECD recommendations should be considered by the Law Commission in its broader review, taking into account other reforms related to domestic enforcement machinery.

2.7 However, one useful amendment that should be considered is to make explicit in the provision that information held or obtained by the Privacy Commissioner may be shared with the privacy enforcement authority along with the complaint. In my view this is implicit in the provision (taken together with s.116(2)) but it might be more effective to make it explicit to help avoid legal disputes in relation to sharing information beyond the actual complaint itself.

Recommendation: That proposed new section 72C be amended to make it explicit that the Privacy Commissioner can share information held or obtained that is relevant to a complaint being transferred to an overseas privacy enforcement authority.

2.8 Section 72C is focused upon complaints. However, the Act also allows for the commissioner to initiate an investigation in the absence of a complaint (see section 69(2)). Most of the provisions in the Act dealing with complaints also apply to such investigations. I recommend that it be made clear that information can be transferred under the provision to an overseas enforcement authority in relation to an investigation that is commenced on the Commissioner's own initiative. This will make the provision a far more effective measure in relation to cross-border enforcement cooperation.

Recommendation: That proposed section 72C be amended to make it clear that information can be transferred in relation to a Commissioner-initiated investigation.

3. Clause 8: Transfer of information outside New Zealand (new Part 11A)

3.1 Clause 8 inserts a new Part 11A into the Privacy Act which relates to the transfer of personal information outside New Zealand. In particular, it authorises the Privacy Commissioner to issue a notice prohibiting the transfer of personal information to another state where the Commissioner is satisfied that the information has been received from another state and is likely to be transferred from New Zealand to a third state where it will not be subject to comparable privacy safeguards.

3.2 The objective of creating this new enforcement power is to provide reassurance to trading partners that New Zealand would not be used as a staging post for circumventing their privacy laws. The transfer prohibition notice would enable the Privacy Commissioner to act in such cases.

3.3 The approach outlined in Part 11A gives effect to a recommendation in the former Privacy Commissioner's 1998 review of the operation of the Privacy Act. In that report the Commissioner recommended that:

The Act should be amended to include express provision controlling transborder data flows, consistent with clause 17 of the OECD Guidelines and the emerging international approach to data export. In particular, consideration should be given to providing:
(a) a mechanism which would enable mutual assistance to be extended to prohibit data exports in circumstances where New Zealand is being used as a conduit for transfers designed to circumvent controls in EU and other privacy laws;
(b) mechanisms for imposing restrictions concerning categories of personal information for which there are particular sensitivities and in respect of which the recipient countries would provide no adequate protection.[2]

3.4 Clause 17 of the OECD Guidelines provides:

A member country should refrain from restricting transborder flows of personal data between itself and another member country except where the latter does not yet substantially observe these Guidelines or where the re-export of such data would circumvent its domestic privacy legislation. A member country may also impose restrictions in respect to certain categories of personal data for which its domestic privacy legislation includes specific regulations in view of the nature of those data and for which the other member country provides no equivalent protection.[3]

3.5 The former Privacy Commissioner further elaborated upon the 1998 recommendation in a report in 2000 providing a draft which has become the proposed Part 11A.[4] The intent was to develop a mechanism to meet European concerns in a manner consistent with the OECD Guidelines. Thus while the actual legal mechanisms were modelled upon enforcement provisions found in European laws, namely the UK and Irish Data Protection Acts, the tests to be applied by the Commissioner in exercising those powers were based on the standards laid out in the OECD Guidelines. The then Commissioner acknowledged that this mechanism represented the minimum necessary to ensure that New Zealand's law could be shown to provide 'adequate protection' for EU purposes.

3.6 The Part 11A recommended by the former Commissioner (and essentially replicated in the bill) does not strictly follow the 'mutual assistance' model suggested for consideration in the 1998 recommendation. In the period between the two reports, discussions with European officials made it clear that the EU would expect the controls to be able to be activated without awaiting a formal request from an authority in a European state. The transfer prohibition notice procedure can be initiated without such a request. Nonetheless, the proposal still has a 'mutual assistance' quality in that it provides a mechanism whereby action can be taken when overseas data protection authorities express concerns to the Commissioner about particular transfers.

3.7 While supporting the amendment and recommending its enactment, I have several suggestions for further amendment. They build upon the need to ensure that the provision is seen as effective in our trading partners' eyes and to ensure that the Privacy Commissioner can act without necessarily receiving a formal request from an overseas enforcement authority.

3.8 The first recommendation is that paragraph (b) of new section 114B(1) be deleted from the clause. European officials have expressed concern that this paragraph might make the provision less effective by imposing a complex legal test that may be difficult to satisfy. They question whether the Commissioner will have the necessary information on that criterion to be able to act in appropriate cases. They are concerned that there might be complexities, making it difficult to act, in cases where information is routed through another country before arriving in New Zealand for onward transfer. European officials question whether that paragraph is necessary so long as the circumstances outlined in paragraphs (a) and (c) exist.

3.9 The provision found in paragraph (b) is derived from the OECD Guidelines, as earlier quoted. However, in the OECD Guidelines that reference is given as an alternative to the circumstances laid out in paragraphs (a) and (c) rather than as an additional requirement. Thus I support dropping that paragraph as being unnecessary and potentially making the provision less workable and unduly restrictive.

3.10 It is important that the EU officials have confidence that the provision can be activated in appropriate circumstances. If they do not have that confidence then New Zealand's case for seeking a finding of adequacy could be jeopardised.

3.11 I also recommend that it be made clear that I have all the necessary powers of investigation that will be needed to operate the enforcement regime anticipated in Part 11A. The inclusion of the new Part 11A will make clear that my functions have been expanded but that does not necessarily carry with it the powers that may be necessary.

3.12 As mentioned, the initial conception of this provision was to be a kind of 'mutual assistance' arrangement whereby the Commissioner would typically act when requested by an overseas privacy enforcement authority that had already established relevant facts. However, the provision is now conceived as one that the Privacy Commissioner will need to be able to initiate if it is to have full credibility in the eyes of trading partners. It is not clear that the Commissioner's investigative powers laid out in Part 9 of the Act will be available as they are premised on there being a breach of an information privacy principle, code of practice or Part 10 of the Act[5] or there being an inquiry under s.13(1)(m).[6]

3.13 It does not appear that merely including the new Part 11A in the Act will provide the Commissioner with the necessary powers to obtain evidence to conclude that the circumstances exist to enable the issue of a transfer prohibition notice, or to detect breach of, or verify compliance with, such a notice. I recommend that Part 11A be amended to provide the Commissioner with the necessary investigative powers. These powers might either be set out in detail tailored to the new enforcement role or be provided by a simple cross-reference to the Part 9 powers.

3.14 Enforcement of transfer prohibition notices is achieved by way of a criminal offence provision. I support there being such sanctions. However, I recommend that there should also be the possibility of civil consequences for breach of a transfer prohibition notice. This could be achieved simply by inserting into section 66(1)(a) of the Act a reference to a breach of a transfer prohibition notice issued under Part 11A. Through this simple amendment an individual who is harmed by a disclosure in breach of a transfer prohibition notice will have a clear remedy under the Privacy Act.

Accordingly I recommend that:

(a) Paragraph (b) of new section 114B(1) be struck out;
(b) Part 11A be amended to confer clear investigative powers on the Commissioner necessary for operating that Part of the Act;
(c) Section 66(1)(a) be amended to enable individuals to take complaints in cases of breach of transfer prohibition notices.

4. Summary of recommendations

I recommend:

1. That proposed new section 72C be amended to make it explicit that the Privacy Commissioner can share information held or obtained that is relevant to a complaint being transferred to an overseas privacy enforcement authority.

2. That proposed section 72C be amended to make it clear that information can be transferred in relation to a Commissioner-initiated investigation.

3. That:
(a) Paragraph (b) of new section 114B(1) be struck out;

(b) Part 11A be amended to confer clear investigative powers on the Commissioner necessary for operating that Part of the Act;

(c) section 66(1)(a) be amended to enable individuals to take complaints in cases of breach of transfer prohibition notices.

Marie Shroff
Privacy Commissioner

12 May 2009

Annex

Background to data export controls

The Privacy Act was enacted in 1993 after several years of study. It is an Act to promote and protect individual privacy in general accordance with the OECD Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data adopted in 1980. The bill particularly drew upon the Australian Privacy Act 1988 which was itself a measure to give effect to the OECD Guidelines.

It was hoped, when the Privacy Act was enacted in 1993, that the law would be sufficient to meet European Union standards. However, in 1993 the precise detail of EU requirements was not known; although a draft law had been published, the final form was not settled until the Data Protection Directive[7] was finally adopted in 1995.

The EU Directive substantially changed the global landscape with respect to privacy regulation. In particular, it introduced data export controls on European businesses and created a process whereby countries, such as New Zealand, might have their laws assessed to see if they offered an 'adequate' standard of data protection as judged against the standards that Europe had imposed upon itself.

The EU Directive was a measure designed to promote the free flow of data within Europe in order to promote growth and economic activity. It was part of building a genuine single market, a Europe without borders. To achieve that free flow of information, it was essential to harmonise data protection standards in EU countries so as to ensure citizens obtained the same protection wherever their information travelled in the EU and to avoid distortions that would have arisen if information processing could be moved to jurisdictions with least controls.

As part of the process of removing internal barriers, the EU needed to look at the position of countries outside the EU (referred to as 'third countries') or else the objectives of the reform could be undermined. In particular, it was feared that, unless some controls were applied to data exports, the Directive's protections would be rendered ineffective if data could simply be sent for processing in third countries. Indeed, if the issue had been left unaddressed the difference in regulatory standards might have provided an incentive for global or European businesses to relocate data processing offshore simply to avoid regulatory controls.

The result was that one of the EU Directive's requirements was that national laws have data export controls whereby information could only be sent outside the EU for processing when it could be shown that certain minimum standards were met.[8] These minimum standards could be met by sending information to a country which had obtained a formal finding from the EU that it had an 'adequate standard' of data protection. In the absence of a formal finding, data must be protected in one of several other permitted ways including, most commonly, through contractual means.

The EU prohibition on the transfer of personal data outside EU countries for processing in the absence of suitable protections initially found its way into the law of 15 EU member countries. The number of EU countries later increased to 27. The requirement also found its way into the EFTA countries such as Norway in order to meet EU requirements.[9] In 2001 the Council of Europe, which has a wider membership than the EU, adopted an additional protocol to its data protection convention which similarly provided for data export controls.[10]

When the New Zealand Privacy Act was enacted in 1993 there were very few countries with such data export controls. As will be clear, such controls now exist throughout Europe.

Nor do data export controls exist only in Europe. A number of other countries have controls and new ones continue to appear. For example, controls of one sort or another exist in Quebec,[11] Victoria,[12] Australia,[13] Hong Kong[14] and Argentina.[15]

The essence of the data export control approach is that an obligation is placed upon businesses in the jurisdiction to assess the level of privacy protection in the jurisdiction to which information is to be transmitted for processing. Different laws prescribe different standards that must be met, with 'adequate level of protection' being the common standard in the EU and Council of Europe. Other national laws typically prescribe standards similar to those existing in their own legislation. Australia's standard, for example, requires that the recipient be subject to controls that are 'substantially similar' to Australia's national privacy principles. Quebec uses an 'equivalency' standard while Argentina uses 'adequacy'.

The importance for a trading country such as New Zealand is that our domestic measures for the protection of privacy are now to be judged by other countries to ensure that the consumers of those other countries can be assured of proper protections if information is transferred to New Zealand for processing. Not all countries with privacy laws have taken this data export prohibition approach (for example, Canada, the USA and New Zealand do not). Indeed, there is a lively debate internationally as to whether data export controls are the best way to deal with the risks to privacy in the global economy. However, the fact is that many of New Zealand's key trading partners already have data export controls and from an economic perspective that has to be faced. There is likely to be advantage in New Zealand being able to show that it is a trusted recipient of personal information for processing and can meet such standards.

At present, the EU is the only trading bloc operating a system whereby a third country can obtain a formal finding that it meets applicable standards. Obtaining a formal finding of adequacy from the EU will also act as a way of demonstrating that New Zealand meets the standards of any other jurisdiction having data export controls given that the EU is recognised as having the strictest standards.


[1] OECD Recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy, 2007, preface.
[2] Privacy Commissioner, Necessary and Desirable: Privacy Act 1993 Review (1998), Recommendation 35.
[3] OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data, clause 17.
[4] Report by the Privacy Commissioner to the Minister of Justice supplementing Necessary and Desirable: Privacy Act 1993 Review, April 2000.
[5] Privacy Act 1993, sections 66(1)(a) and 91.
[6] Privacy Act 1993, sections 13(1)(m) and 91.
[7] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[8] EU Directive, Chapter IV.
[9] The European Free Trade Association (EFTA) countries are Iceland, Liechtenstein, Norway and Switzerland.
[10] Council of Europe, Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS 108) regarding Supervisory Authorities and Transborder Data Flows (ETS 181), Strasbourg, 8 November 2001.
[11] An Act respecting Protection of Personal Data in the Private Sector (1994), s.17, an Act respecting access to documents held by public bodies and the protection of personal information (2006 amendment), s.70.1.
[12] Information Privacy Act, information privacy principle 9.
[13] Privacy Act 1988, principle 9 Transborder Data Flows.
[14] Personal Data (Privacy) Ordinance, s.33.
[15] Law for the Protection of Personal Data, 2000, s.12.