The New Zealand Privacy Act 1993 was formally recognised by the European Commission (EC) in 2012 as meeting European legal standards of data protection thereby facilitating the free flow of personal data from EU countries to New Zealand for processing.

But the picture is not quite as settled as it might at first appear. For instance:

• The EU law under which New Zealand was assessed is changing
• There has been a court judgment overturning another EC decision
• New Zealand’s status remains under continuing monitoring
• The EC recognition does not extend to certain law enforcement information.

This article briefly reflects on developments affecting New Zealand’s status including a recent EC decision.   

1991-2012: New Zealand obtains adequacy under EU’s 1995 Data Protection Directive

The EC issued a formal decision in December 2012 recognising New Zealand’s legal standards as being sufficient for Article 25(2) of European Union (EU) Directive 95/46/EC: that is that New Zealand’s law provides an “adequate level of data protection”. The shorthand often used is that New Zealand has “EU adequacy” or is “an adequate third country”.

Many countries aspire to EU adequacy but few achieve it. Only a tiny handful of countries outside Europe have been found ‘adequate’. Canada has been but Australia has not. No other country in our time zone has adequacy, which is a competitive advantage in a global ‘follow the sun’ data processing model.

The EU tends to have the strictest privacy laws. Accordingly, a finding that New Zealand’s laws are adequate for the EU is equivalent to being certified to a ‘gold standard’. In other words, our laws should also meet similar tests increasingly included in the laws of other countries too.  

New Zealand companies should take advantage of this favourable status in our competitive globalised world. It is a factor that few competitor economies cannot boast and should bolster that most valuable of assets, trust - although this is, of course, only one factor and may not cancel out potential disadvantages such as distance from market, small population or the propensity for the ground to shake beneath us. The advantage will not last forever in its current stark form as there are economies only a few time zones to our west that are actively working towards adequacy.

The favourable 2012 decision by the EC was a significant milestone in efforts made since 1991 by successive New Zealand Governments (and privacy commissioners) to have major trading partners recognise New Zealand as a trustworthy destination for the processing of personal information and thus, to facilitate the free flow of data and support economic activity. The period from 1995 to 2012 was frustratingly protracted but, following multiple assessments, exchanges and a law change, the goal was achieved.

Following the 2012 decision, the Office of the Privacy Commissioner (OPC), in conjunction with New Zealand Trade and Enterprise, undertook some efforts to highlight the usefulness of the new status to New Zealand exporters.  

It might have been thought that the task of obtaining adequacy is complete. Alas, not so. Ongoing work is needed to maintain the status. More work will eventually be needed to obtain adequacy in additional areas.

The 1995 EU Directive is being replaced by new regulations in 2018

In 2012 the European Commission announced its intention to replace the 1995 Data Protection Directive with a new law. Thus, just as New Zealand was reaching the finishing line in obtaining adequacy, the rules were poised to be changed.

The EC issued its replacement law - known as the General Data Protection Regulation or GDPR - in 2015. It will commence in mid-2018.

One small upside is that New Zealand ‘squeaked in’ just before the EC diverted attention from assessing third country adequacy to law reform. No new adequacy decisions have been issued since 2012. When the EC returns to undertaking assessments, the task will be complicated by needing to have regard to the new GDPR rather than the reasonably well settled standards of the 1995 directive.

One concern held by our Privacy Commissioner during the EU’s process to replace the 1995 law was to ensure that New Zealand’s adequacy decision would be carried into the replacement regime. This was briefly reported on in an earlier blog entry. The adequacy decision will be continued under the GDPR subject to periodic review. The risks, contained in proposals in European Parliament reports, that an expiry date would be attached to the EC decision, or that New Zealand’s adequacy decision would be reviewed because of ‘Five Eyes’ links to the US National Security Agency, did not finally eventuate.

There remains some uncertainty about the whether the standard to gain or maintain adequacy under the GDPR will remain identical to that applying under the 1995 directive or be more stringent. The standards to be applied under the 1995 law were not fully clarified until some considerable time after the law commenced and it remains to be seen if that will be the case under the GDPR as well. The EC published some views on 10 January 2017 in a paper entitled Exchanging and Protecting Personal Data in a Globalised World.

Decision overturning US adequacy decision also affects New Zealand

In October 2015, the Court of Justice of the EU issued a decision in the case of Maximillian Schrems v Data Protection Commissioner. The Schrems case, which has been widely reported, overturned the adequacy decision covering the US Safe Harbour arrangement.

But the case also had implications for all third country adequacy decisions. This effect has now been manifested in an amendment to existing adequacy decisions, including New Zealand’s. On 16 December 2016, the EC issued a decision amending a series of adequacy decisions from 2000 to 2013 to align aspects with the court judgment.

Monitoring existing adequacy decisions

Obviously the EC is concerned to ensure that any country judged to meet European standards at one point in time continues to meet those standards as the years pass. It takes an interest, for example, in any significant changes to the Privacy Act. For this reason, the EC remains in contact with OPC, which is formally designated under the 2012 decision as the ‘competent supervisory authority for the application of the legal data protection standards in New Zealand’.

The EC recently announced:

Adequacy decisions are "living" documents that need to be closely monitored and adapted in case of developments affecting the level of protection ensured by the third country. Under the General Data Protection Regulation, the Commission will carry out periodic reviews at least every four years, to address emerging issues and exchange best practices between close partners. This dynamic approach applies also to already existing adequacy decisions that will need to be reviewed in case they no longer meet the applicable standard. The EU-US Privacy Shield is subject to an annual joint review.

In late 2015, our Privacy Commissioner and EC officials informally agreed a process for facilitating the ongoing monitoring of the functioning of the 2012 decision through periodic supply of update reports. The first such report was submitted in December 2015 with the most recent update provided in December 2016.

The December 2016 amendment to the 2012 decision formalised this arrangement with a new clause stating:

The Commission shall, on an ongoing basis, monitor developments in the New Zealand legal order that could affect the functioning of this Decision, including developments concerning access to personal data by public authorities, with a view to assessing whether New Zealand continues to ensure an adequate level of protection of personal data.

Adequacy of law enforcement information transfers

For constitutional reasons relating to limitations on the EU’s competence back in 1995, the EU Directive under which New Zealand’s 2012 adequacy decision was issued had limited application to law enforcement transfers. Once the EU gained competence in this area, bespoke agreements were negotiated to facilitate transfers.

But roughly concurrent with the development and issue of the GDPR was the development and issue of a new EU Directive on data protection of law enforcement data. This directive has provision similar to the 1995 directive and GDPR for recognising country adequacy. 

Given that the swift exchange of personal data is essential for successful law enforcement cooperation and an effective response to transnational crime, it may be that New Zealand will wish to obtain a decision on third country adequacy in due course.

The future

The future does not provide an absolute assurance that New Zealand will retain adequacy nor even the competitive advantage over our regional rivals. The EC must continue to be convinced that our law meets EU standards, which may be viewed, in the light of the GDPR, as requiring even more of a third country in the future.

Weakening of the Privacy Act would risk our favourable trade status. We remain in slightly uncertain times as the approach to the interpretation of the GDPR has yet to be fleshed out.

As recent experience has shown, court judgments can also challenge interpretations that seemed to be settled. There remains scope to gain further advantage by obtaining a law enforcement adequacy decision, although past experiences suggest that it may take years to gain that status once the process has been initiated.

Image credit: Wikipedia

International, Europe, General Data Protection Regulation (GDPR)