On 15 January 2024 the European Commission (the Commission) finalised its review of 11 existing adequacy decisions originally made under legislation preceding the EU's General Data Protection Regulation (GDPR), including an assessment of New Zealand's adequacy status. The Commission found that all 11 adequacy decisions are to remain in place. Regarding New Zealand, the Commission found that it "continues to provide an adequate level of protection for personal data transferred from the EU". Maintenance of our adequacy status means that personal data can continue to flow freely into New Zealand from the European Economic Area (EEA).
What is an adequacy decision and why is it important?
An adequacy decision is a finding made by the Commission regarding the data protection frameworks in countries and territories outside the EEA. The Commission adopts an adequacy decision when it is satisfied (after detailed dialogue and taking into account certain criteria) that the country or territory ensures an adequate level of protection for personal data transferred from the EU. Obtaining an adequacy decision means that personal data can move freely from the EU Member States and the three EEA member countries to the country or territory which benefits from the adequacy decision without the need for additional authorisations or safeguards otherwise required by GDPR. In the absence of an adequacy decision, further steps - such as implementing standard contractual clauses, binding corporate rules, certification mechanisms, or codes of conduct - need to be put in place by the parties wishing to make or receive a transfer of EU personal data.
Retaining adequacy status under GDPR has important benefits for New Zealand businesses and organisations by streamlining the way in which EU personal data can flow into New Zealand - whether between entities in the same corporate group, or from EU-based customers to New Zealand service providers or SaaS businesses. It strengthens the country's reputation as a good place to do business because of its strong privacy laws, as recognised by a 'gold standard' jurisdiction. An adequacy decision also allows for more seamless trade with the EU, lower compliance costs for businesses, and provides New Zealand companies with an advantage over competitors based in countries or territories not subject to an adequacy decision.
What did the European Commission say about New Zealand?
Concluding that New Zealand continues to provide an adequate level of protection for personal data transferred from the EU, the Commission welcomed developments to New Zealand privacy law since the adoption of its first adequacy decision in 2012. Unsurprisingly it noted that the introduction of the Privacy Act 2020 (the Act), new rules relating to international transfers of personal data, and further powers conferred on the Office of the Privacy Commissioner have brought New Zealand further into line with the EU's data protection framework.
Also of importance to the EU, as demonstrated by the saga of the Schrems decisions in recent years, is the ability of government and public authorities to access EU data. In this respect the Commission assessed New Zealand's rules as clear, precise, accessible, and subject to appropriate oversight and redress mechanisms.
Privacy Amendment Bill – Information Privacy Principle (IPP) 3A
The Commission specifically made a note of the Privacy Amendment Bill (the Bill) introduced to Parliament shortly before New Zealand's general election last year. As discussed in our article 'Amendment to the Privacy Act 2020 proposed', the Bill seeks to introduce a new IPP 3A to address a perceived gap in the Act in relation to what happens when an agency collects personal information about an individual other than from the individual concerned (eg where personal information is collected from another agency). Part of the rationale for introducing the Bill was to ensure New Zealand keeps in step with international best practice, in order to retain the trade benefits it enjoys as a result of EU adequacy status. Considering that the Commission mentioned that it will be closely monitoring future developments surrounding the Bill, it will be interesting to see how the legislation progresses under the new Government.
The New Zealand Privacy Commissioner's response
New Zealand's Office of the Privacy Commissioner (OPC) welcomed the determination, stating that "New Zealand is 'adequate', and we couldn't be happier about it". However, the OPC also noted that adequacy is not a 'set and forget' situation and that New Zealand needs to evolve its data protection laws if it wants to retain adequacy. To keep up with global standards, the OPC is advocating for the following enhancements to the Privacy Act:
- A set of specific amendments to make the Privacy Act fit-for-purpose in the digital age
- A civil penalty regime for major non-compliance alongside new privacy rights for New Zealanders to better protect themselves
- Stronger requirements for automated decision making and agencies demonstrating how they meet privacy requirements.
While the GDPR requires the Commission to review adequacy decisions every four years, it also stipulates that the Commission is to monitor developments that could affect adequacy decisions on an ongoing basis. Proposed reform around IPP 3A, and any developments in areas such as biometrics, privacy implications of AI, and enhanced enforcement powers will presumably be relevant to this ongoing assessment.
In the meantime, the retention of New Zealand's adequacy status means that New Zealand businesses and organisations can continue to receive data from the EU freely without the need to comply with other safeguards mandated by GDPR. This has the benefit of lowering compliance costs for businesses and bolstering New Zealand's reputation as a privacy conscious jurisdiction.
If you have any questions or would like further information, please get in touch with a member of our team.
This article was co-authored by Allan Yeoman (partner), Roscoe Moore (solicitor) and Hugo Young (summer clerk).