The European Commission decided that New Zealand Privacy Act is conform with the EU data protection requirements, hence it has an adequate standard of data protection, allowing data transfers to take place between EU and New Zealand. The adequacy rule is enforced through Article 25 of the Data Protection Directive (Directive 95/46).
In a media release, NZ Privacy Commissioner Marie Shroff welcomed the announcement of the European Commission.
“The European decision is a vote of confidence in our privacy law and regulatory arrangements. This decision establishes New Zealand, in the eyes of our trading partners, as a safe place to process personal data.”
The Office of the Privacy Commissioner (OPC) has been working for a number of years towards this outcome. It has assisted successive governments in amending the Privacy Act to meet EU requirements and has worked with European institutions to gather the information they need to make an assessment.
Assistant Commissioner Blair Stewart, who has led more than 10 years of OPC work on EU adequacy said, “Europe and New Zealand share a common commitment to upholding human rights. As part of this, all European countries have data protection laws much like New Zealand’s Privacy Act 1993. However, since 1995 European businesses have been prohibited by law from transferring personal data to countries outside Europe for processing unless special safeguards prescribed in law are in place.
“Providing the special safeguards in the manner required by EU law can be expensive and difficult even where companies are already operating with comprehensive privacy laws like New Zealand’s. This is why it has been so important for New Zealand to obtain an official decision that our law is adequate to meet EU standards. The European Commission decision establishes that all New Zealand companies in all circumstances can meet those European requirements. Few countries outside Europe have achieved this status.
“The decision should be helpful to New Zealand businesses that trade with Europe or hope to do so as it substantially simplifies compliance with data protection requirements.