February 2009

01 Feb 2009

Privacy and Cross-Border Data Flows

The Privacy (Cross-border Information) Amendment Bill (Bill) was introduced to Parliament on 2 July 2008. If passed, the Bill will amend the Privacy Act 1993 (Act). The Bill is primarily designed to address two main issues:

• to ensure that New Zealand privacy law meets the expectations of New Zealand's trading partners, by assuring them that their privacy will be protected; and
• to enable people living overseas (who are not citizens or permanent residents of New Zealand) to access their personal information held in New Zealand.

We outline and comment on the key changes to the Act proposed by the Bill.

Key Changes Proposed in the Bill

Transfer of Personal Information Outside New Zealand

One purpose of the Bill is to "establish a mechanism for controlling the transfer of information outside of New Zealand where the information has been routed through New Zealand to circumvent the privacy laws of the country from where the information originated."

The Bill provides the Privacy Commissioner (Commissioner) with a discretion to prohibit the transfer of personal information from New Zealand to another State if the Commissioner is satisfied, on reasonable grounds, that:

• the information has been, or will be, received in New Zealand from another State and is likely to be transferred to a third State where it will not be subject to a law providing comparable safeguards to those that apply under the Act;
• the transfer of the information may circumvent the privacy or data protection laws of the State(s) from which it has been, or will be, received; and
• the transfer would likely breach the OECD guidelines governing the protection of privacy and transport flows of information.

In determining whether to prohibit such a transfer, the Commissioner must also take into account the following:

• whether the transfer affects, or would be likely to affect, any individual;
• the general desirability of facilitating the free flow of information between New Zealand and other States; and
• any existing or developing international guidelines relevant to transborder data flows.

The Commissioner may not prohibit the transfer of information where the transfer is required or authorised by any enactment, convention or other instrument imposing international obligations on New Zealand.

A transfer prohibition notice may prohibit the transfer of information either absolutely or until the particular agency has taken any steps stated in the notice to protect the interests of any individual(s) affected by the transfer. An agency served with a transfer prohibition notice may appeal against the notice to the Human Rights Review Tribunal. Any person who, without reasonable excuse, fails or refuses to comply with a transfer prohibition notice is liable to a fine of up to $10,000.

Individuals Who May Make Information Privacy Requests

The Bill removes any residence restriction on who may make an information privacy request under the Act (Request) to:

1. confirm whether or not an agency holds personal information;
2. be given access to personal information; or
3. correct personal information.

Currently the Act provides that an individual must be a citizen or a permanent resident of New Zealand, or be in New Zealand, to make a Request. If the Bill is passed in its current form the only requirement would be for the Request to be made by an individual. 

Commissioner May Authorise Public Sector Agency to Charge

The Bill enables the Commissioner to authorise a public sector agency to impose a charge for making personal information available, if the relevant Request is made by or behalf of an individual who is residing outside New Zealand and is not a New Zealand citizen or permanent resident.

Referral of Complaint to Overseas Privacy Enforcement Authority

The Bill provides for complaints of breaches of the Act to be referred to overseas privacy enforcement authorities. The Commissioner may refer complaints overseas if the Commissioner determines that the complaint should be dealt with, in whole or in part, by the overseas privacy enforcement authority and both that authority and the complainant agree.

Comment

The changes proposed by the Bill reflect the fact that the movement of personal information increasingly transcends national borders. The Act, like the privacy laws in many other jurisdictions, was formulated in the 1990s. At that time, most personal information was provided and stored manually, and it was not as easy to collect, copy or distribute information as it is today with the extensive use of technology.

By extending the scope of persons who may request access to personal information in New Zealand, the Bill is especially pertinent to the growing number of New Zealand businesses that trade offshore. These businesses have often amassed large databases of information about overseas employees, customers or suppliers. Should the Bill pass in its current form, these employees, customers or suppliers may be entitled to request disclosure of personal information held about them. Businesses may need to update their privacy policies and procedures in order to adequately process requests under the Act for personal information from overseas. 

The Bill does not expressly allow for the possibility of private sector agencies charging for the cost of processing these requests. However, the provisions of the Act allowing private sector agencies to charge for assistance provided in responding to a Request remain unchanged by the Bill.

From a wider policy perspective, the changes proposed by the Bill are considered necessary because many States will not allow personal information held within their borders to be transferred to a jurisdiction where the personal information will not receive equivalent protection. These changes are also understood to be intended to address concerns of New Zealand's trading partners (especially EU members) that overseas businesses had been locating operations and computer servers in New Zealand to benefit from our more flexible regulatory regime.

The Bill has not yet had its first reading in Parliament, but appears to have bipartisan support. The Commissioner has welcomed the introduction of the Bill and has publicly stated that she expects the Bill to be the first part of a more extensive modernisation of the Act. Privacy laws in New Zealand are currently the subject of a four part review being undertaken by the Law Commission and the Law Commission is expected to release recommendations in stages three and four of that review. Refer to Privacy Law Reform Review.

Author

Karen Ngan

Partner - Corporate & Commercial

DDI: +64 9 977 5080

Mobile: +64 21 648 977

Email:

View Profile