Kia ora koutou,

Happy New Year. Here in New Zealand and Australia we are trying our best to restart after our summer break, gearing up for a new year of privacy amid high temperatures and humidity. Shorts and t-shirts are the official work uniform right now.

However, a late Christmas present from our colleagues in the EU has given us cause to feel optimistic about the road ahead. New Zealand's Privacy Act first received EU adequacy status in 2012. At that time, the Privacy Act reflected global best practices and was relatively progressive in its scope and approach. Since then, however, global privacy laws have leapt ahead, incorporating privacy breach notification regimes, stronger individual rights and significant financial penalties.

In 2020, the Privacy Act was somewhat overhauled. Privacy breach notification requirements, clear extraterritoriality provisions, and some slightly stronger enforcement powers for the Office of the Privacy Commissioner were added, along with a few other relatively minor improvements. However, the law was still left without many of the more powerful features of our global counterparts, including any meaningful penalties for noncompliance. There was also no effort to future-proof the law to address the rapidly evolving risks of artificial intelligence and automated decision-making.

Despite these shortcomings, the European Commission announced 15 Jan. that Aotearoa New Zealand, alongside 10 other countries, would retain its EU adequacy status. In support of its decision, the Commission cited:

  • Developments in New Zealand's legal framework since the adoption of the initial adequacy decision, including legislative amendments, case law and activities of oversight bodies, which have contributed to an increased level of data protection.
  • The comprehensive reform that resulted in the adoption of the Privacy Act 2020, which "further increased the convergence with the EU's data protection framework, notably as regards the rules for international transfers of personal data and the powers of the data protection authority." In my view, and as noted above, this is a highly positive construction of our recent reform.
  • In the area of government access to personal information, the fact that public authorities in New Zealand are subject to clear, precise and accessible rules under which such authorities can access and subsequently use data transferred from the EU for public interest objectives, in particular for criminal law enforcement and national security purposes.
  • New Zealand's overarching constitutional framework — including the Bill of Rights Act — and case law, as well as specific laws regulating government access to data and provisions of the Privacy Act that also apply to the processing of personal data by criminal law enforcement and national security authorities. This, and the preceding bullet point, reinforce the comprehensiveness of the Commission's review process, which is not limited to the content of privacy laws but extends to the broader legal context within which those privacy laws operate.

On this basis, the Commission found New Zealand continued to provide an adequate level of protection for personal information transferred from the EU. This decision is great news for organizations in New Zealand — particularly in the technology and data processing areas — which are increasingly seeking to enter the EU market. It means customer organizations in the EU can transfer their data to New Zealand for storage or processing without having to jump through the hoops required by Chapter V of the EU General Data Protection Regulation.

However, it has certainly come as a surprise to some in the privacy community, who are well aware of the gaps in New Zealand's Privacy Act compared to overseas laws. The Commission's comment that it would closely monitor developments in relation to a bill before parliament to strengthen the existing Privacy Act transparency requirements is a sobering reminder that our EU adequacy is not guaranteed and is under constant review. The new government will need to take note that this bill must remain on its list of legislative priorities.

I hope you've all had a restful and invigorating break. I really look forward to engaging with you this year and continuing to grow our wonderful, passionate and committed privacy community. Our highly committed KnowledgeNet chapter chairs for Auckland and Wellington have already begun the planning process for the 2024 event program, and our ANZ Advisory Board will shortly begin its work assisting in shaping the IAPP ANZ Summit 2024.

Ngā mihi.