There have been a couple of recent developments that are relevant to the status New Zealand enjoys as an ‘adequate’ third country under the EU Data Protection Directive.
In December 2012 the European Commission formally ruled that New Zealand’s privacy law provided an ‘adequate level’ of privacy protection to meet European standards. This adequacy status means that personal data can legally be sent here from Europe for processing without special additional measures being taken by the European companies. This adequacy decision is sometimes dubbed New Zealand’s first free trade agreement with the EU. The privileged status is shared by only a handful of countries outside Europe.
Ongoing monitoring of NZ’s adequacy decision
Obviously the European Commission is concerned to ensure that any country judged to meet European standards at one point in time continues to meet those standards as the years pass. It takes an interest, for example, in any significant changes to the Privacy Act. For this reason the European Commission remains in contact with the Office of the Privacy Commissioner, which is formally designated under the 2012 decision as the ‘competent supervisory authority for the application of the legal data protection standards in New Zealand’.
Recently the Privacy Commissioner and European Commission officials informally agreed a process for facilitating the ongoing monitoring of the functioning of the 2012 decision through periodic supply of update reports. The first such report was submitted in December 2015. The report highlights developments such as 2013 and 2015 amendments to the Privacy Act and the enactment of the Harmful Digital Communications Act. The Privacy Commissioner has also submitted a supplementary March 2016 report on developments in New Zealand data protection law.
After Edward Snowden’s revelations about the alleged actions of the NSA, a committee of the European Parliament expressed disquiet about New Zealand’s involvement and questioned whether the ‘adequacy’ determination should be revisited in light of the alleged mass surveillance. Accordingly, the periodic report also includes information about the application of privacy law to NZ’s intelligence organisations and about 2013 law changes that imposed additional privacy obligations on GCSB.
Continuation of NZ’s adequacy decision under new EU regulations
Europe’s Data Protection Directive is now 20 years old and is scheduled to be replaced by a new General Data Protection Regulation (GDPR). The Office of the Privacy Commissioner has been concerned that NZ’s status as an adequate third country be smoothly carried into the new regime.
At one stage the European Parliament had proposed that third country adequacy decisions should simply expire after 3-5 years. The former Privacy Commissioner was concerned at the uncertainty this would introduce for cross-border data transfers and for business, and made representations to the European Commission.
It is pleasing therefore to report that the latest version of the proposed GDPR omits any arbitrary expiry of adequacy decisions and will instead carry them smoothly into the new regime until revoked or replaced by the European Commission. There will, as now, be an expectation of periodic review by the European Commission, and this may be put on a more formal footing under the GDPR.
Updated on 30/3/2016 to include Supplementary Report to December 2015 Periodic Update Report on Developments in Data Protection Law in New Zealand.