On 19 December 2012, the European Commission (“Commission”) formally recognised the adequacy of personal data protection law in New Zealand, thereby allowing transfers of personal data from the European Economic Area (“EEA”) to New Zealand without the need for any further safeguards.
The EU Data Protection Directive (1995/46/EC) (“Directive”), which applies to all of the 30 EEA countries (i.e. the 27 EU Member States together with Iceland, Liechtenstein and Norway), imposes extensive obligations on those who collect personal data (“data controllers”) as well as conferring broad rights on individuals about whom data is collected (“data subjects”). In particular, Article 25(1) of the Directive provides that personal data may only be transferred by data controllers to a country outside the EEA if such country provides an adequate level of protection.
The Commission has the power to determine whether a non-EEA third country ensures an adequate level of data protection, with the list of formally approved third countries being known as the ‘White List’. The recent decision to add New Zealand to the White List therefore constitutes formal recognition that New Zealand’s Privacy Act 1993 meets the standards required by the Directive and ensures the adequate protection of EU citizens’ personal data when processed in New Zealand.
The effect of this decision is that personal data can now be exported from anywhere within the EEA to New Zealand without the need for the EEA-based data controller to satisfy any of the alternative options provided by the Directive for legitimising data transfers. This development will naturally be welcomed by New Zealand-based companies which operate in the EEA but will also be of interest to multinational companies, such as those offering cloud computing and outsourcing services within the EEA, which may wish to use New Zealand as a location for storing and processing personal data relating to EEA-based data subjects.
The White List of approved countries now comprises the following 11 countries: Andorra; Argentina; Canada; Faeroe Islands (with certain limitations); Guernsey; Isle of Man; Israel (with certain limitations); Jersey; New Zealand; Switzerland; Uruguay. In addition, although no general finding of adequacy has been made in relation to the United States, personal data can be transferred to organisations in the US which have signed up to the US Department of Commerce’s Safe Harbour scheme.