New Zealand's privacy laws have received a welcome vote of confidence from the European Commission (EC), which has decided that New Zealand's privacy laws continue to offer an adequate level of data protection to the General Data Protection Regulation (GDPR).
New Zealand is just one of eleven countries globally who the EC deems as having "adequacy status". The significance of the EC's finding cannot be overstated. It reinforces New Zealand's reputation as a safe haven for doing business. It also means that European businesses can continue to transfer personal data to New Zealand with ease which is a critical benefit that many of our counterparts do not have.
Adequacy status
The EC may grant countries adequacy status if it considers they have a level of data protection that is adequate to the GDPR. Adequacy status means that countries can receive personal data from the European Union (EU) without further special measures needing to be implemented (ie additional contractual measures).
New Zealand first achieved adequacy status in 2012 under the Privacy Act 1993. However, the assessment was carried out under earlier EU and New Zealand privacy laws which were less rigorous. The introduction of the GDPR to the EU in 2018 lifted the bar on the level of protection for data required and raised questions over whether New Zealand would maintain its status.
In reaching the view that New Zealand maintained adequacy status, the EC noted the following:
-
The Privacy Act 2020's (Privacy Act) comprehensive reforms which strengthened our privacy laws and increased the convergence of New Zealand's privacy laws with the EU’s. Introducing further restrictions on collection, stringent rules for international transfers of personal data, a mandatory personal data breach reporting regime and enhancing the Privacy Commissioner's powers have assisted.
-
The use of specific and clear data protection safeguards and measures for public authorities accessing personal data, especially in the areas of criminal law enforcement and national security.
-
Case law and regulatory guidance developments on the rights of personal data subjects to access personal data.
The EC also welcomed the recent introduction of the Privacy Amendment Bill which will allow individuals to better understand who collects their personal data.
A boost for business but where to next?
As our own Privacy Commissioner (Commissioner) noted, adequacy status makes New Zealand "a good place for the world to do business". It means that New Zealand and EU businesses can continue to transfer data with relative ease which avoids potential pitfalls with negotiating data protection measures in commercial transactions.
However, adequacy today is not always adequacy tomorrow. New Zealand will need to keep its finger on the pulse of key privacy trends to ensure our data protection framework still meets expectations as it approaches the next adequacy review in four years.
Already, the Commissioner has identified biometrics, AI and child safety as areas that New Zealand needs to stay abreast of. He has also foreshadowed possible future changes to New Zealand's privacy laws in the following areas:
-
changes to how the Privacy Act addresses digital technologies;
-
a civil penalty regime for major Privacy Act non-compliance;
-
new, stronger privacy rights for New Zealanders to strengthen individual protection;
-
stronger requirements for automated decision-making; and
-
requiring agencies to show how they meet privacy requirements.
If the above gains traction, there is plenty on the horizon for New Zealand's privacy landscape.