The European Commission has recently completed its review of the 11 existing adequacy decisions which were adopted under the EU data protection legislation that preceded the General Data Protection Regulation (GDPR).
Are our privacy laws still equivalent to the EU’s?
In its report, the Commission concluded that personal data transferred from the EU to New Zealand continues to benefit from ‘adequate’ data protection safeguards, meaning that data can continue to flow freely from the EU to New Zealand without further conditions or authorisations (such as organisations having to implement additional safeguards like entering into the standard contractual clauses). In effect, the adequacy decision recognises that New Zealand provides a level of protection for personal data equivalent to that provided in the EU.
Maintaining our adequacy status under the GDPR is important and hugely beneficial for New Zealand as it demonstrates our commitment to protecting personal data and individual privacy rights. Having adequacy status provides New Zealand businesses with a certain level of commercial advantage when promoting their services and engaging with EU customers and/or suppliers (compared with Australian competitors, for instance, who do not have the benefit of adequacy status) and will continue to promote and encourage trade and the flow of information with the EU.
What did the EU Commission take into account?
The Commission’s report noted that since the adoption of New Zealand’s adequacy decision in 2012, New Zealand has undergone a “comprehensive reform” of its privacy framework with the adoption of the Privacy Act 2020, which has strengthened and aligned New Zealand’s privacy and data protection laws with the GDPR.
In particular the Commission noted that:
- IPP 1 has further strengthened the requirements for lawfulness of processing by requiring agencies to only collect information if it is necessary for their functions and clarifying that if such information is not required for such purpose, the agency may not require such information;
- New Zealand public authorities are subject to appropriate safeguards in the areas of access to data, notably for law enforcement or national security purposes;
- the new mandatory data breach reporting obligations have strengthened the requirements around security, transparency and accountability;
- individuals have adequate rights of access to and correction of their information, and although there is no express right of erasure, individuals can effectively obtain erasure in different circumstances, e.g. exercising a right of correction may lead to deletion, or deletion may be necessary to ensure the information is accurate, up to date, complete and not misleading;
- while the Privacy Act does not include an express reference to special categories of data, under New Zealand’s privacy framework the sensitivity of data is a relevant factor to take into account in the application of certain IPPs e.g. IPP 5 (security) and IPP 4 (fairness and intrusiveness), and the Privacy Commissioner’s view of what constitutes sensitive personal information aligns with the categories of data that are also considered sensitive under the GDPR; and
- the rules on international transfers have been significantly strengthened since the adoption of the original adequacy decision, by way of the new IPP 12 which was introduced in the Privacy Act 2020.
What does this mean for the Privacy Amendment Bill?
The Commission expressly referenced the Privacy Amendment Bill introduced to Parliament in September 2023, which proposes to amend the Privacy Act 2020 to extend the proactive notification requirements in IPP 3 to also apply to situations where information is collected indirectly (i.e., where it is obtained from other entities and further used/disclosed). As this amendment is intended to remove a perceived ‘gap’ in our legislation and further strengthen the existing transparency requirements under New Zealand’s legal privacy framework, the Commission noted that it will continue to monitor developments in this space given the legislative reforms are ongoing. It will therefore be worth watching closely in the coming months to see what direction the new Government takes in relation to those proposed amendments, particularly in light of the impact any decision may have on the future state of our adequacy status.
When will the next review take place?
The GDPR requires the Commission to periodically review adequacy decisions, and as a general rule the Commission reviews its decisions every four years. Therefore, in the absence of any significant changes to EU or New Zealand privacy laws, we don’t expect a further in-depth review of our adequacy status in the near future.
If you have any questions about the Commission’s report or wish to know more about what New Zealand’s adequacy status may mean for your business, please get in touch with one of our experts.