Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

We respect your Do Not Track preference.

From 1 December, businesses and organisations that send personal information overseas will need to comply with a new privacy principle in the Privacy Act 2020. Principle 12 adds new controls on the disclosure of personal information to overseas organisations and businesses.

Privacy Commissioner John Edwards says the goal of the new principle is to ensure New Zealanders can expect comparable privacy protections to those they enjoy under New Zealand’s Privacy Act when their information is disclosed and used in a foreign jurisdiction.

“A business or organisation will be accountable for the international disclosure of personal information and need to demonstrate that it has carried out the necessary due diligence checks required under the new privacy principle.

“This is the approach taken in Europe where the General Data Protection Regulation (GDPR) ensures privacy protections apply to personal information when it is sent across national borders.”

Cloud providers

Mr Edwards says principle 12 will not apply to offshore cloud providers. “Using cloud providers or other agents to store or process personal data is not treated as a disclosure under principle 12, so long as the agent or cloud provider is not using that information for any of their own purposes.”

Model contractual clauses

A practical way for businesses and organisations to comply with the new principle is to adopt contractual safeguards.

“We recommend that you consider using the model contract clauses developed by my office. The model contract clauses are designed to assist agencies to comply with principle 12 and to reduce the compliance burden for agencies.”

Mr Edwards says these contractual clauses make it clear to the recipient how they are expected to look after the personal information they are being entrusted with.

The model contract clauses are tailored to the requirements of the Privacy Act 2020 and to make it easier to comply with principle 12 – particularly for small and medium-sized businesses. Organisations can modify them to suit their needs or use their own form of contract clauses, so long as the key privacy protections are included.

Privacy Commissioner guidance

The Office of the Privacy Commissioner has produced step-by-step guidance to help organisations and businesses understand and respond to the new principle 12 obligations.

The guidance, Disclosing personal information outside New Zealand – the new principle 12, can be found here.

The model contract clause guidance, Privacy Commissioner’s Model Agreement for IPP 12(f) cross-border privacy transfers, can be found here.

The Office will be issuing further guidance related to the new principle 12 obligations shortly.

ENDS

For further information:

Charles Mabbett - charles.mabbett@privacy.org.nz or 021 509 735.