Office of the Privacy Commissioner | Media release : New Powers to Block Re-export of Personal Information
8 September 2010
Parliament has amended the Privacy Act to give the Privacy Commissioner new powers to ensure that personal information sent from overseas to New Zealand for processing has effective privacy protection.
'The risk that data could be routed through New Zealand to a third country to get around European law has been tackled by giving the Privacy Commissioner power to issue transfer prohibition notices where needed,' said Privacy Commissioner Marie Shroff. The changes to the law came into effect today.
The Privacy Commissioner today released guidance for business on her approach to the new powers.
'I intend to exercise the new powers in a careful and proportionate way. I will be likely to act where there are serious risks to individuals or a possible misuse of information. I will also co-operate with overseas privacy enforcement authorities. In cases where I decide to issue a transfer prohibition notice I may name the agencies involved,' said Marie Shroff.
The amendment to New Zealand's privacy law was needed to satisfy the expectations of the European Union, so that European businesses can freely send data to New Zealand for processing.
'Ensuring that European business and regulators see New Zealand as a safe place for information processing is important for New Zealand's reputation. We also hope it will assist with achieving a formal finding that New Zealand's data protection law is adequate' under EU law,' said Marie Shroff.
The law change was focused upon a possible loophole that European officials had found in New Zealand law rather than as a reaction to any bad practices by New Zealand data processors. Ultimately, a formal finding by the EU that New Zealand's law provides an adequate standard of data protection will provide New Zealand business with a competitive advantage. No other country in our region yet has such a finding from the Europeans. However, to secure this finding New Zealand's law needed to be amended. The nature of the amendment is in keeping with the light-handed approach of the Privacy Act and will be useful in exceptional circumstances.
'I urge New Zealand businesses to protect personal information when they transfer it out of New Zealand,' said Marie Shroff.
New Zealand businesses that receive personal data from Europe, and transfer it to a third country, need to be aware of the legal protections existing at the receiving end. In future, New Zealand businesses may be subject to a transfer prohibition if they send European data to a third country without ensuring adequate protection of the data.
ENDS
Contact: Cathy Henry on 021 509 735.
Notes to editors
The Privacy (Cross-border Information) Amendment Act 2010 came into force on 8 September 2010. The Amendment Act resulted from the Privacy (Cross-border Information) Amendment Bill. Background resources in relation to that bill are available on the website of the Office of the Privacy Commissioner at www.privacy.org.nz/privacy-amendment-bill. The Fact Sheet is available at www.privacy.org.nz/fact-sheet-on-part-11a-of-the-privacy-act-1993-transfer-of-personal-information-outside-new-zealand/.