Privacy Law and Policy Reporter
These notes were prepared for a panel discussion on ‘Global rules for privacy across borders’ at a conference, The Global Privacy Summit, held in Washington DC, September 2000. They provide a useful summary for those new to New Zealand’s privacy laws —General Editor.
My perspective is from the national data protection supervisory authority of the country, outside Europe, with the best claim to offer an ‘adequate standard of data protection’ for the purposes of the European Union Directive.
New Zealand’s Privacy Act 1993 is an ‘omnibus data protection law’ which covers all ‘personal information’ (not merely automatically processed data or structured data), and covers the entire public and private sectors (with limited specific exceptions, the only notable private sector one being the news media in their news activities).
A few features of the New Zealand law are as follows.
New Zealand therefore offers what the EU looks for in adequate data protection measures:
This rosy picture has a couple of blemishes. The law has a standing requirement to exercise access and rectification rights: a requester must be a NZ citizen or permanent resident or be in NZ at the time of the request (I understand that this shortcoming is a feature shared in part in the laws of Canada and Australia). In addition, the Privacy Act has no data export prohibition on the EU model.
The access/rectification shortcoming can be put right by a simple amendment to the Act which the Commissioner has recommended. The data export issue is a little more involved.
Further information about New Zealand’s Privacy Act can be found at <http://www.privacy.org.nz>.
It is unsurprising that NZ’s Act does not contain a data export prohibition. It may be fair to say that the OECD Guidelines of 1980, which NZ’s law implements, were supposed to pre-empt or prevent the creation of such barriers to transborder data flows. The theory behind the OECD Guidelines, and the Council of Europe Convention No 108 of 1981, roughly speaking, was to encourage trading partners to have compatible minimum data protection laws and, accordingly, to remove any need to restrict transborder flows using the justification of the need to protect privacy.
The 1980/81 approach was sound but almost bound to fail. It was doomed in my opinion because while Convention No 108 had ‘teeth’, the counterpart OECD Guidelines (which were otherwise arguably superior in their conception) did not prescribe implementation mechanisms to ensure adoption, compliance and redress. In addition, neither the OECD nor European institutions are universal and so were unlikely to ensure a global solution.
Added to these elements has been the general lack of will of non-European OECD members to meaningfully implement data protection measures in any comprehensive way until prodded by the EU. I count NZ in this given that it merely studied the issue until the first drafts of the EU Directive appeared. Those OECD governments that had acted earlier did so in a piecemeal fashion, generally only covering the public sector (as in Canada) or only the central government (as in Australia, the US and Japan) notwithstanding that information does not respect such boundaries.
Europe realised that an absence of data protection law outside its borders represented a risk to data about its citizens when transmitted abroad. Indeed it left open the real risk of undermining its own protections by encouraging data processing across borders to circumvent its laws. Both these risks were recognised and acknowledged in the 1980 and 1981 instruments. Each instrument allowed for data export controls to meet such risks where other states had not implemented compliant measures.
I understand that the NZ Government is likely to legislate to address the two flaws mentioned above. Rather than adopt a full-blown data export control on the EU or Hong Kong model, the Privacy Commissioner has recommended a more focused procedure to issue ‘transfer prohibition notices’ in identified cases of data re-export where NZ is being used as a conduit to a third country with inadequate data protection measures in place.
The new trend of creating data export controls is not limited to the European Union. Such controls now exist in the national laws of European Economic Area countries (Norway) and in other European nations (Switzerland and Hungary). They appear also in laws in Quebec, Hong Kong and New South Wales. They are proposed for Australia. This raises new issues that haven’t been widely debated. Will consistent findings of adequacy be established? Are the legal tests similar? Will the EU’s standards be found adequate under other tests? (This is not an entirely flippant question given limitations in the EU approach to such matters as law enforcement and national security data, limited coverage of manual data, long lead-in times for the full Directive provisions to apply).
This seems to be forgotten by some even though the issues were in the forefront of the minds of the experts who crafted the 1980/81 instruments.
TBDF issues have tended to be discussed largely in relation to well-off countries only. In NZ’s region there are a host of tiny Pacific Island states which certainly don’t have privacy laws. The debate has also generally omitted from mention Africa, Latin America and most of Asia. Perhaps some issues to consider might include whether data export controls will contribute to a digital divide at national level, and whether the EU will assist developing countries to establish necessary laws and institutions for data protection.
Blair Stewart, Assistant Commissioner, Office of the Privacy Commissioner, New Zealand.