Privacy Law and Policy Reporter
Every company, except for the most dormant ones, processes some personal data; at the very least, there are the names of a company’s directors and their home addresses. Beyond that, the extent of personal data processing by companies can be enormous, and it’s not just the businesses which specifically go seeking personal data (such as marketing companies) which do it. Virtually every business holds personal data about its employees, clients, suppliers, and other business contacts. In addition, personal data can come in many different forms. Under the New Zealand Privacy Act 1993 (NZ Act) any data relating to a living individual are personal data and must be collected, stored, processed and disclosed according to certain rules. Moreover, it’s not enough these days for companies to be only concerned about the privacy laws of the country in which they are established. In particular, a 1995 European Union Directive on data protection contains provisions that regulate the use of equipment located in the EU for personal data processing by companies outside of the EU, and also seeks to restrict the export of personal data from the EU to countries outside the European Economic Area (EEA).
In implementing these provisions the EU would have been concerned to ensure that organisations did not circumvent European law, either by incorporating a company overseas while its processing functions continue in the EU, or by simply moving processing functions outside the EEA altogether while still processing personal data collected in the EU. The consequence of these provisions, however, is that a New Zealand company will now have to be at least aware of, if not adhere to, European law if it is dependent upon transfers of personal data from the EU, or if it uses equipment physically located in the territory of a member state of the EU (Member State).
Neither of these possibilities is particularly remote when you consider that in an international group of companies, or in international business generally, it is quite possible for one company to carry out the processing of data for others, or to transfer personal data between countries. It is feasible for a New Zealand company to have access, through a database or otherwise, to personal information that was collected in the EU. International databases these days are often designed to facilitate multi-jurisdictional access of this kind. Likewise, the phenomenon of outsourcing has meant that many companies will use others to process their personal data and, in many instances, the service provider used for this processing is not in the same country. With technology the way it is, there is no need for physical proximity to exchange and share data, and transferring personal data internationally is no exception.
On 24 October 1995, the European Council and Parliament adopted Directive 95/46/EC (EU Directive). While the EU Directive itself does not place obligations upon private sector organisations, it does require each Member State to implement its own laws, if required, so as to give effect to its provisions in their respective jurisdictions by 24 October 1998.
Although implementation of the EU Directive has not taken place according to the timeframe set out, Spain, Greece, Italy, Austria, Portugal, Sweden and Finland have already implemented the necessary provisions in their national laws. The United Kingdom and Belgium have enacted implementing legislation, but it has not yet come into force.
There are two principal issues for New Zealand companies under the EU Directive. The first arises where a New Zealand company relies upon the provision of personal information from organisations in the EU to its operations in New Zealand. The second arises where a New Zealand company uses equipment in the territory of a Member State to process personal information. The first situation will be referred to as the ‘transborder dataflow’ issue and the second as the ‘offshore EU processing’ issue. If your company neither relies upon EU personal information processing facilities nor receives personal information transferred from the EU, then you will not need to concern yourself with the EU Directive.
The EU Directive starts from the position that the free transfer of personal information is beneficial for the economies of the Member States. To this end, personal information can be exchanged freely between countries in the EU. Where a transfer of personal information is to be made outside of the EU, there must be an adequate level of protection.
When considering whether a country such as New Zealand affords an adequate level of protection, EU regulators may take into account a number of factors, but ultimately all of the circumstances of the particular transfer will be taken into account. The factors specified are as follows.
To provide some assistance to companies looking to make these transborder transfers of personal information, the United Kingdom Data Protection Registrar has published non-binding guidelines which provide a fuller discussion of the factors that may be taken into account when determining adequacy. Although these guidelines are not legally enforceable and are specific to the United Kingdom, they nevertheless illustrate that, in the first instance and on a practical level, it will be the organisation in the EU wanting to make the transfer of personal data that must decide for itself whether adequate protection exists for that personal data in the recipient country. Even though an EU regulator and the EU courts are the legal arbiters of whether adequacy exists, recipients of personal data outside the EU will first have to convince the EU organisations that they offer adequate protection.
The EU Directive requires that Member States prohibit transfers to jurisdictions outside of the EU where there is inadequate protection. Sanctions can, therefore, be imposed upon an organisation in a Member State which makes transfers to countries like New Zealand if the local regulator determines that there is inadequate protection for the personal information transferred. Consequently, the transborder data flow provisions in the EU Directive do not have extraterritorial effect — it will not be the recipient New Zealand organisation that is liable, but the EU organisation which initiated the transfer. Nevertheless, it may be the New Zealand organisation which is most concerned with the EU organisation’s ability to comply with the EU Directive; if the EU organisation decides that it would be easier from its perspective to simply freeze all transfers of personal data to New Zealand than to worry about the complexities of compliance, this could deprive the New Zealand organisation of information that it needs to operate its business.
Transfer is not a defined term in the EU Directive and consequently, given the technological nature of business today, we should assume that a transfer of personal data will occur in situations where there is a physical transfer of the medium upon which the information is stored (for example, paper, disk, video tape), but also where there is an intangible transfer by, for example, a telephone call, or the inputting of personal data in a Member State onto a computer database where access to that database is granted to people and organisations in other countries. In this way, you can see that the idea of having a global database in an international company or group of companies, where personal information is stored and all countries of operation have access, is particularly problematic from a data protection point of view.
The EU Directive does set out a number of ways in which an EU organisation can transfer personal information out of the EU even if the country to which the transfer is being made is not judged adequate by EU authorities. Such a transfer can be made in a number of circumstances, but for a private sector business the main exceptions to be concerned about are the following.
Many international organisations will decide that rather than risk a breach of the EU Directive, and to allow for the international flow of personal data connected with its business, they will ask their non-EU offices to sign up to or adopt a policy which imposes a regime at least as stringent as the provisions of the EU Directive. In the absence of any indication from an EU regulator or the European Commission as to New Zealand’s adequacy, this may be the simplest way to ensure adequate protection in New Zealand. After all, it would be strange if an EU regulator were to hold that a business which adopts the EU Directive standard is not providing adequate protection for the personal data that it controls.
Furthermore, it may not be possible for an organisation to be able to always identify which exemption to the adequacy requirement covers which type of transfer of personal data — if indeed it is even possible to cover all of the transfers that the organisation wishes to make. This is another reason why the adoption of an adequate standard of data protection by the recipient organisation can act as a blanket protection against arguments that individual transfers out of the EU ought to be prohibited.
In order to adopt an EU Directive standard, New Zealand organisations will want to know what additional obligations they will be expected to perform over and above what is already required of them under the NZ Act. These relevant differences can be summarised as follows.
The NZ Act grants the right to access and rectify personal data only to those data subjects who are New Zealand citizens, residents, or are physically located in New Zealand at the time that they make the request for access or rectification. Therefore, a German national who has given personal information to a New Zealand company has no rights to access that information if he is outside New Zealand. If a New Zealand company were to adopt an EU policy on data subject access and rectification rights, it would have to allow all data subjects, regardless of nationality or country of residence, to be able to access and ask for corrections to be made, if necessary, to personal data held about them. The New Zealand Privacy Commissioner has picked up on this point and is of the opinion that the NZ Act should be changed to allow subject access and rectification rights to all data subjects.
Although certain provisions of the NZ Act will extend to personal data held outside New Zealand, it is generally assumed that this will only be the case where the organisation which holds the personal data is a New Zealand organisation (for example, a New Zealand company sending personal information to its Australian branch or processing agent). The NZ Act is not thought to apply to an organisation which has no presence in New Zealand. This is in contrast with the EU Directive transborder data flow provisions, which restrict the transfer out of the EU regardless of the nature of the organisation to which the personal data are being transferred.
The New Zealand Privacy Commissioner has expressed the view that, in spite of this apparent discrepancy between the laws of New Zealand and the EU, the NZ Act contains provisions which have, if not the same, perhaps similar effects. He points to the obligation under the NZ Act not to disclose personal data unless the disclosure is one of the purposes in connection with which the data were originally obtained or, at least, is directly related to such a purpose. It should be noted, however, that while this will prevent disclosures which are contrary to the purpose of collection, such as where an organisation is trying to circumvent EU and New Zealand data protection laws, it will not do much to protect personal data where the transfer to New Zealand and the on-transfer from New Zealand to some other country are both made innocently and both are directly related to the original purpose of collection. For example, personal data may have been collected for marketing purposes in the EU and sent to New Zealand on the assumption that New Zealand can provide adequate data protection. The New Zealand organisation could legitimately and innocently send the personal data to Australia or the United States for the purpose of having an organisation in those countries carry out the marketing that was originally intended. Once released into an unregulated country, the best of intentions on the part of the EU and New Zealand organisations making the transfers don’t matter. Personal data in Australia or the United States could be used for all sorts of purposes other than marketing, with impunity, if the organisations in those countries decide to do so.
This would not be possible if New Zealand had equivalent transborder data flow restrictions to the EU Directive, because the New Zealand organisation would need the consent of the data subject to the on-transfer in the absence of another exemption under art 26 of the EU Directive applying (for example, if it was necessary in order to perform a contract entered into with the data subject).
If a New Zealand organisation is looking to protect transfers of personal data from EU organisations, either the EU organisations will have to rely on one or more of the exemptions discussed above under art 26 of the EU Directive or, if not all of the personal data to be transferred will be covered by such exemptions, the New Zealand organisation will need to adopt a policy which has the same effect as the EU Directive transborder dataflow provisions. This will mean restricting transfers outside New Zealand of personal information received from the EU unless ‘adequate safeguards’ are in place. Again, in the absence of further guidance, the EU Directive will provide the principal reference when determining what adequate safeguards are.
Automated decision-making is the practice of using computers to evaluate an individual’s personal data and identify characteristics of that data which would automatically result in a decision being made in respect of that individual. The EU Directive stipulates that a data subject must have the right to object to automated decision-making about them where that automated decision-making is going to be the sole determining factor in producing a legal effect concerning them or which significantly affects them. This protection will not apply where the automated decision-making is taken in order to perform or enter into a contract requested by the data subject, or where the automated decision-making is required by some other law.
The NZ Act contains no such protection for data subjects. New Zealand organisations engaged in automated decision-making will need to reflect on whether they process EU personal data and if they have a procedure in place to cease automated decision-making if requested by an EU data subject.
The EU Directive requires that data subjects have the right to object to direct marketing (such as telemarketing, leaflets and advertising emails). No such right exists under the NZ Act. As is the case with automated decision-making, New Zealand organisations receiving personal data from the EU will want to review their policies on how they respond to requests from EU data subjects objecting to direct marketing. To avoid any transborder dataflow issues, the best approach would be to cease direct marketing if such an objection is made.
In accordance with the EU Directive, some Member States have prohibited the processing of ‘sensitive’ data, which are defined as:
personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of data concerning health or sex life.
There are some limited exceptions where processing of this type of data is allowed. The principal exception arises where a Member State decides to allow processing if the data subject has given ‘explicit consent’; not every Member State need allow consent to lift the prohibition, but a number of them do. If a New Zealand organisation receives sensitive data from one of these countries, an EU regulator could require that New Zealand law ensures the processing will be only for the purposes to which the data subject has explicitly consented.
So long as the New Zealand organisation processes for the purposes that the data subject explicitly consented to in the EU, there shouldn’t be a problem. What happens if the New Zealand organisation decides to depart from the explicitly authorised purposes and considers other processing purposes? The NZ Act permits processing for a purpose other than the purpose that the personal data were collected for if there are reasonable grounds to believe that the other processing is authorised by the data subject. This is a lower standard than the absolute requirement of ‘explicit’ consent. It opens the door to speculation as to whether implied consent is possible. The Privacy Commissioner has himself published a discussion paper which asks the question about what the nature of consent ought to be. In it, he argues that some positive step ought to be necessary and that implied consent is not sufficient. Whatever the New Zealand position is, it’s the kind of discussion that EU regulators would be wary of entering into in respect of processing sensitive personal data originating from the EU. The EU directive requires explicit consent and recipient countries outside the EU may be expected to provide for the same. New Zealand organisations mindful of providing adequate safeguards should ensure that only the purposes explicitly consented to by the EU data subject are pursued.
You might be a New Zealand organisation, but where do you process the personal data that you collect? Many international group companies like to centralise their data processing functions through the use of a single database. Group members collect personal data on their clients, employees, suppliers and other business contacts and often send these data to another country to be stored and used. In the case of New Zealand companies it is quite common for personal information to be transferred to their Australian branch or related company where operations are centralised. Other New Zealand organisations may use another group company or even a third party service provider located in the EU to carry out the processing of its personal data.
The EU Directive requires Member States to make sure that if an organisation with no establishment in the EU nevertheless uses equipment located in that Member State’s territory to process personal data (other than for mere transit through the EU) then that Member State’s implemented version of the EU Directive will apply. Furthermore, the relevant organisation must designate a representative in that Member State.
These provisions will only apply if the non-EU organisation remains the data controller, even though the personal data may be out of its physical possession. A data controller, as defined by the EU Directive, is the person or organisation which alone or jointly determines the purposes and means of processing. If you are a New Zealand organisation which uses the facilities of a processing agent or a group company located in a Member State, but you retain control over what happens to the personal data, you will be expected to ensure that the personal data are collected, stored, processed and generally treated in accordance with the EU Directive as enacted in that Member State. This can be a significant obligation, as it requires full compliance with that Member State’s law not only in respect of storing and processing but also in the collection of personal data.
In addition to the discrepancies identified above between the NZ Act and the EU Directive, New Zealand organisations in this situation will need to have regard to the following EU Directive collection requirements which go beyond the NZ Act. It is also important to realise that the EU Directive represents the minimum standard required in Member States. Each Member State may enact more restrictive regimes, but it is beyond the scope of this article to deal with the individual laws of Member States.
The main requirement when collecting and processing personal data under the NZ Act is to process for a lawful purpose in connection with your organisation’s business or activities. By comparison, the EU Directive requires organisations to have a justification for processing personal information. There are six justifications that an organisation can use, but it must be able to use at least one before it is permitted to process personal data. Of the six justifications, the principal ones that a business would be concerned with are:
(a) the data subject has unambiguously consented to the processing;
(b) the processing is necessary for performance of a contract which the data subject is a party to, or such processing as may be requested by the data subject prior to entering into a contract;
(c) the processing is necessary for compliance with a legal obligation; or
(d) the processing is necessary to fulfil the legitimate interests of the organisation unless such interests are overridden by the fundamental rights of the data subject. (It is not clear to what situations this justification will apply. Under the relevant legislation which has been enacted in the United Kingdom, it is possible for there to be subordinate legislation enacted in order to clarify situations where this justification will, or will not apply. At this time, no such subordinate legislation has been enacted.)
The principles relating to collection of personal data under the NZ Act do not apply to unsolicited data. This is because the receipt of unsolicited data is specifically excluded from the definition of ‘collect’. No such exclusion exists in the EU Directive, so New Zealand organisations which use equipment in the EU to process personal data will need to treat personal data which are unsolicited (such as unsolicited job applications) in the same way as they would treat personal data that they positively collect.
Although the NZ Act generally requires personal data to be collected from the data subject, there are circumstances where that will not be the case (for example, if direct collection is not reasonably practicable). Where personal data are collected from someone other than the data subject, there is no obligation expressed in the NZ Act for the collector to notify the data subject of such things as the identity of the collector, any non-obvious processing purposes, the data subject’s right of access and so on. If an organisation needs to adhere to the EU Directive, it will need to make these notifications to data subjects even where the personal data are collected from someone else.
The aspects of the EU Directive raised above describe only the main differences between the provisions of the EU Directive and the NZ Act. A New Zealand organisation must already be complying generally with the NZ Act; a description of those obligations is not set out here. Furthermore, in respect of the use of processing equipment in a Member State, it will be the laws of the particular Member State that apply. The EU Directive is used only as a guide to the extra obligations that a New Zealand organisation would expect to have regard to. Without taking account of any Member State specific requirements, the provisions of the EU Directive ought at least to be reflected in the laws of all Member States. Lastly, the European Commission has not yet made a decision about whether New Zealand law offers adequate protection for the purposes of transfers of personal data from the EU. In theory it is possible that, at some point, New Zealand will be assessed as adequate. If this happens, it may be possible to disregard the points made above about any extra requirements regulating the storage and processing of personal data received from the EU, unless the European Commission places conditions upon transfers to New Zealand. Such conditions could have the effect of imposing some, if not all, of those extra requirements. Until then, organisations in the EU will need to judge for themselves whether the conditions that they impose upon themselves will satisfy EU regulators when their personal data are sent to New Zealand. The points raised above are intended as a guide to reducing the risks involved in making such a judgment.
Bruce Legorburu is a Solicitor (England & Wales) with Russell McVeagh, Auckland.