Kia ora koutou,

At 18,732 kilometers, the New Zealand capital of Wellington is officially the farthest capital city from Luxembourg. And yet, even down here, the Court of Justice of the European Union's recent decision on the "Schrems II" case has relevance.

As NZ agencies increasingly turn to cloud data storage and processing solutions — many of which are either based in the U.S. or store data there — the expert testimony on U.S. surveillance law and practice provides us with valuable information to make our own assessments of jurisdictional risk.

However, we also need to remember that this is about much more than the situation in one country. It has implications for all third-country adequacy decisions. The U.S. is not the only country in the world with lawful access and surveillance legislation in place. New Zealand — a member of the Five Eyes alliance — has similar laws, giving its intelligence and law enforcement agencies many similar powers. The timing of the CJEU’s decision may be highly inconvenient for us in NZ, as it will inevitably have an impact on the European Commission’s review of NZ’s EU adequacy status. Losing that status could have significant consequences on our place in the global market.

Finally, the court’s findings on standard contractual clauses and the practical mechanisms required to ensure that both data importers and data exporters can, in fact, meet the contractual requirements of such contracts are of great interest to us here as we prepare for the commencement of the Privacy Act 2020 1 Dec. The act will implement a new privacy principle 12, which prohibits the disclosure of personal information to an overseas agency unless that agency is subject to comparable privacy safeguards. One option to facilitate such overseas transfers is a reliance on model contract clauses, the development of which will now be informed by "Schrems II."

If you haven’t already done so, I’d highly recommend that you take a few minutes to watch one of several excellent panel sessions the IAPP ran in the immediate aftermath of "Schrems II" and, in particular, Caitlin Fennessy’s excellent sessions with Max Schrems and Eduardo Ustaran, as well as with Irish Data Protection Commissioner Helen Dixon.

In the meantime, day-to-day privacy issues still arise, particularly as we make our slow way through the COVID-19 pandemic. The NZ privacy commissioner has taken a very critical view of a recent contact-tracing initiative called CovidCard, a piece of hardware that would be distributed to the entire population. The commissioner has raised a number of practical, legal and privacy concerns that he considers unanswered. It’s worth a read.

Enjoy the digest, and stay safe and well wherever you are.

Nga mihi nui,
Daimhin Warner