New Zealand's privacy law revamp to come under scrutiny in EU

The overhaul of New Zealand's privacy laws this year is expected to catapult the country's 1993 data-protection laws into the 21st century. But the revamp will face scrutiny in the EU, where the island country will be one of the 11 jurisdictions facing a review of the bloc's adequacy decisions relating to national privacy measures this year.

New Zealand, which prides itself on having a culture of compliance, will be keen to maintain this badge of honor — not least because the country's adequacy status gives it an economic advantage over neighboring Australia, which falls short of EU adequacy standards and has so far not been singled out by the European Commission as a potential candidate.

While EU officials say reviews are about continuity — not the threat of termination — New Zealand policymakers are aware nothing is guaranteed and the cost of losing adequacy status — a threat facing other economies including Israel and Canada — is something it is keen to avoid.

New Zealand isn't alone in the scrutiny it will face this year over its privacy standards. Almost all of the commission's data-transfer deals with third countries — 11 out of 13 — are up for review by May 25, 2020, coinciding with an evaluation of the bloc's General Data Protection Regulation, two years after the stringent data-protection rules entered into force. Part of the broader review will focus on the application and functioning of the rules on international transfers of personal data, in particular the existing deals.

Privacy Shield

Only the adequacy decisions for the US — Privacy Shield — and Japan will be carried out separately as a result of different arrangements. But that separate process doesn't guarantee simplicity. Setting up and maintaining EU-US data transfer deals has been far from trouble-free.

Privacy Shield is being reviewed annually following the annulment of its predecessor, Safe Harbor, by the EU's highest court in 2015. And this month, EU lawmakers again sharply criticized mass surveillance by the US administration saying that EU citizens' personal data are still at risk of being illegally collected, despite the safeguards.

On top of that, the deal is at risk of being invalidated too, as the EU's Court of Justice will rule this spring in a case on whether certain contract clauses that companies use to transfer data to the US are valid under the EU's fundamental-rights principle on the protection of personal data.

New measures for NZ

The EU court case on Privacy Shield is being closely watched in New Zealand, which has enjoyed adequacy status with the EU's data protection measures since 2012.

The country's adequacy status gives New Zealand an advantage when it comes to trade access over its closest competitor, Australia.

But the desire to retain adequacy doesn't mean that New Zealand will replicate all of the EU's signature GDPR measures. That lack of replication could prove an area of scrutiny for EU officials examining the updated laws later this year, when they decide whether New Zealand's new measures are up to scratch.

Details that would have linked the bill more closely to the EU's GDPR have been removed from the draft legislation, including a standalone right to anonymity, the right to be forgotten, requirements for algorithmic transparency and the right to data portability.

The right to data portability has been set aside for later consideration.

Brexit

As New Zealand moves to finalize its laws next year, with policymakers aiming to get the bill through the final stretch of its parliamentary process by the end of March 2020, some uncertainty remains over data transfers with the UK once, or if, Brexit is completed.

Despite the uncertainty, MLex understands New Zealand businesses aren't likely to be preparing for Brexit in relation to data transfers, and for the most part, won't need to, unless they have a presence in — or a substantial reliance on — the EU and UK.

New Zealand companies managing EU citizens' personal data in the EU can transfer this to New Zealand without any additional precautions under the country's data-adequacy decision.

But in a post-Brexit world, New Zealand companies need to make sure, if transferring information from the country to the UK, that the data would be handled appropriately. Transferring information toward New Zealand is less of a concern, because of the already-adequate standards.

Kristin Wilson, a senior associate at New Zealand law firm Bell Gully, said in an interview with MLex that she expects UK law to "provide a level of protection that is likely to be comparable to New Zealand, but it will need to be looked at and carefully considered."

"We are recommending to clients generally that they make sure that contracts where they are providing data offshore to suppliers are robust — that it is clear as to how data transfers will be handled. This is especially important in light of upcoming privacy reform in New Zealand," she said.

Wilson said that "in the event of a no-deal Brexit, if we are left with a situation where the UK hasn't been designated as an adequate privacy regime by the EU under GDPR, individual businesses will need to figure out whether they are able to disclose information to a particular business in the UK."

"Similarly, that could affect businesses caught by EU GDPR, from New Zealand, because they will need to assess adequacy and need to get consent from individuals and ensure data is adequately safeguarded," she added.

Two years after the GDPR entered into force, there's no doubt the rules are having an impact around the world, not just in how governments draft national measures, but in how policymakers aim to meet the bloc's adequacy standards.

While the EU is by no means requiring other countries to create exact replicas of its landmark rules, achieving adequacy status eases national concerns as far afield as New Zealand for governments that are keen to participate in global trade, which is increasingly digital.