EU declares that New Zealand’s Privacy Act is 'adequate'

The European Commission announced on 19th December that it had on that day recognised New Zealand’s Privacy Act as “adequate”. This decision follows more than 10 years of studies, the first of which was conducted by Privacy Laws & Business. These studies identified some areas in New Zealand’s law which needed amendments to ensure that personal data could be transferred easily and legally from the European Economic Area for processing in New Zealand.

From the EU perspective, the decision shows that the Art. 29 Data Protection Working Party is becoming increasingly pragmatic – see Privacy Laws & Business International Report July 2011 pp.7-8 which shows how this analysis has been applied to New Zealand. Evidence to support New Zealand’s application includes Privacy Commissioner investigations and judicial decisions of the Human Rights Review Tribunal (Privacy Laws & Business International Report February 2012 pp. 8-13).

From now on, companies will have legal certainty in their transfers of personal data to New Zealand and individuals will have confidence that their personal data will have a high standard of protection. Vice-President Viviane Reding, the EU’s Justice Commissioner stated: "This decision is another step to boosting trade with our international partners while helping to set high standards for personal data protection at a global level.”

New Zealand Privacy Commissioner, Marie Shroff, declared on 20th December: “The European decision is a vote of confidence in our privacy law and regulatory arrangements. This decision establishes New Zealand, in the eyes of our trading partners, as a safe place to process personal data.”

Assistant Commissioner, Blair Stewart, who has led more than 10 years of work on EU adequacy said, “Europe and New Zealand share a common commitment to upholding human rights. ….“Providing the special safeguards in the manner required by EU law can be expensive and difficult even where companies are already operating with comprehensive privacy laws like New Zealand’s. This is why it has been so important for New Zealand to obtain an official decision that our law is adequate to meet EU standards. The European Commission decision establishes that all New Zealand companies in all circumstances can meet those European requirements…..

“The decision to recognise New Zealand law for the purposes of EU data protection requirements is a small step in making privacy laws around the world work together to protect people better. Substantial variations in legal standards and incompatible regulation are also a problem for businesses that operate across national borders. Global interoperability of privacy regulation has the twin underlying goals of creating a trustworthy environment and avoiding unnecessary barriers to cross-border information flows.”