Trans-border data flow legislation is back on the agenda

After languishing in Parliament for almost two years, the Privacy (Cross-border Information) Amendment Bill has reappeared on the Government Order Paper for its second reading. Solicitor Nick Laing looks at the key features of the bill.

The bill was first introduced in July 2008 but did not receive its first reading until April 2009. The Justice and Electoral Select Committee issued its report on the bill in September 2009, recommending that it be passed with some additional amendments.

The bill amends the Privacy Act 1993 to:

• ensure that individuals located overseas can access and correct their personal information;

• allow the Privacy Commissioner (the Commissioner) to more effectively co-operate with overseas privacy enforcement authorities when dealing with complaints; and

• enable the Commissioner to prohibit the transfer of personal information to another jurisdiction in cases where that information has been routed through New Zealand in an attempt to circumvent the originating country's privacy laws.

Why does New Zealand need the bill?

One of the driving forces behind the bill is to enable New Zealand to obtain a formal finding from the European Union (the EU) that New Zealand's privacy laws adequately protect personal information being transferred from the EU to New Zealand. Currently, New Zealand businesses receiving personal information from the EU must undertake somewhat cumbersome and expensive processes to legitimise the transfer, such as entering into a contract that provides the necessary safeguards to give effect to EU privacy law.

As the EU is recognised as having some of the strictest data export controls in the world, if New Zealand meets these standards through provisions in its own privacy legislation, it will place New Zealand at a competitive advantage with major trading partners by allowing for the more free exchange of data to and from New Zealand.

Access by overseas individuals

The bill will allow any individual, including foreign nationals, to make an "information privacy request" (i.e., a request to access and correct their personal information held by an agency) under the Privacy Act. Currently, only New Zealand citizens, permanent residents and individuals located in New Zealand may make such a request. In addition to this, a public sector agency may levy a charge responding to an information privacy request where the requester is an individual residing outside New Zealand or is not a New Zealand citizen or permanent resident.

Co-operation with overseas enforcement authorities

Under the bill, the Commissioner may refer any complaint relating to a matter within the jurisdiction of an overseas privacy enforcement authority to that authority, and consult with that authority in order to determine the appropriate means of dealing with the complaint. Under the Privacy Act, there is no formal process set out. The bill also allows the Commissioner to share and transfer information to the overseas enforcement authority in relation to any investigation that the Commissioner commences themselves.

Transfer of information outside New Zealand

The bill authorises the Commissioner to issue notices that prohibit the transfer of personal information to another state. This is where the Commissioner is satisfied on reasonable grounds that:

• the information has been, or will be, received in New Zealand from another state and is likely to be transferred to another state where the privacy protection is not comparable to that established by the Privacy Act;

• the transfer would circumvent the laws of the state where the information originated; and

• the transfer would be likely to contravene the basic principles of national application set out in Part 2 of the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (which set out general principles concerning an individual's right to information privacy, and their access to the information held by an agency).

The bill sets out a right of appeal against the issue of a transfer prohibition notice to the Human Rights Review Tribunal, and also provides for a criminal penalty (upon summary conviction) of up to $10,000 for failing or refusing to comply with the notice.

Next steps

The Government has yet to give any indication on when the bill is likely to be passed, but its position on the Government Order Paper suggests that it may be during the first half of this year. Once enacted, it will send a signal that New Zealand can no longer be used as a "staging post" for cross-border data transfers that flout the originating country's privacy laws. Its operation in practice is eagerly awaited.

Enquiries and information

For more information on any of the cases, articles and features in Commercial Quarterly, please email Diane Graham or call her on 64 9 916 8849.