Privacy Law and Policy Reporter
On 12 December 2000 a Bill was introduced into the New Zealand Parliament to amend the Privacy Act 1993. The amendments are designed to secure a finding from the European Commission that New Zealand’s law provides an ‘adequate level of protection’ for the purposes of article 25 of the European Union Data Protection Directive.
The New Zealand Privacy Act is already regarded as being the most comprehensive national privacy law outside Europe. The Act applies 12 information privacy principles to the collection, storage, use or disclosure of personal information. It applies to personal information, in whatever form it is held, and to virtually all agencies in the public and private sectors. Additional controls are applied to the assignment and use of unique identifiers and to government data matching programs. Complaints about interferences of privacy may be taken to the Privacy Commissioner and, if not settled, to a Complaints Review Tribunal. Civil remedies are available where harm is established.
However, in a detailed study report the Privacy Commissioner identified two aspects of the law which might preclude an EU finding of adequacy. The Bill addresses both of those issues in the manner recommended by the Commissioner.
First, the Bill will remove the existing requirement that in order to make an access or rectification request, an individual must be a New Zealand citizen, permanent resident, or in New Zealand at the time the request is made. This change will ensure that Europeans and others have enforceable access and rectification rights, which can be exercised from outside the country, to information which is held or processed in New Zealand.
Second, the New Zealand Act has no equivalent to the data export controls which are now a feature of European data protection laws and found in National Privacy Principle 9 in the recent amendments to the Australian Privacy Act 1988 (Cth). It has been suggested, therefore, that data transferred from Europe to New Zealand might remain at risk of an onward transfer to a jurisdiction offering no adequate level of protection. While the approach of existing New Zealand law is not identical to that of Europe, it should nonetheless be noted that European data is not entirely without protection in this respect. First, most of the information privacy principles continue to apply to information transferred out of the country where the New Zealand agency continues to hold that information. Second, the New Zealand agency could only lawfully disclose information onward to another agency (whether in New Zealand or elsewhere) if that is in accordance with information privacy principle 11. This would generally require the disclosure to be consistent with the purpose for which the information had been received from Europe. Nonetheless, personal data could theoretically be routed through New Zealand to a third country, and the Bill addresses this possibility.
A new Part is to be inserted into the Privacy Act dealing with the transfer of personal information outside New Zealand. The Privacy Commissioner will be empowered to prohibit a transfer of personal information from New Zealand to another State if satisfied that:
The amendments to the Privacy Act have been introduced by a Parliamentary procedure designed for non-controversial legislation. Accordingly, all parties represented in Parliament have considered the proposed legislation in advance and agreed to its introduction. The Bill will be sent to a select committee for study and public submission. If matters progress smoothly, it might be expected that the legislation could be enacted by mid-2001.
Blair Stewart is Assistant Commissioner, Office of the Privacy Commissioner, New Zealand.