EU DATA PROTECTION ADEQUACY

Backgrounder

This backgrounder explains the recent European Commission decision that New Zealand privacy law provides an adequate standard of data protection for the purposes of EU law.

New Zealand meets EU Data Protection Standards

On 19 December 2012 the European Commission issued a decision formally declaring that New Zealand law provides a standard of data protection that is adequate for the purposes of EU law. The decision was taken after many years of study and positive recommendations by two specialist EU Committees. EU law imposes a prohibition on the flow of data unless certain stringent requirements are met. The effect of the decision is that personal data can flow from the 27 EU member states to New Zealand for processing without any further safeguards being necessary. A copy of the European Commission decision is attached.

Why was a European Commission decision on the adequacy of New Zealand privacy law necessary?

As part of the project to create a single market within Europe, all European Union member states – and there are now 27 – harmonised their privacy laws (called ‘data protection laws’ in Europe) pursuant to the EU Data Protection Directive of 1995[1]. The Directive sought to remove barriers to data transfer across the borders between states within the EU.

Prior to the Directive, some European countries had laws prohibiting data transfer to states that did not have data protection laws. Those ‘data export controls’ were intended both to protect consumers and to ensure that national regulation was not circumvented by businesses moving data processing to a neighbouring state. With the harmonisation of data protection laws, transfer prohibitions were no longer justified within Europe since information would be protected by similar laws in all member states. However, both to protect consumers and to ensure that EU-wide regulation was not circumvented, the 1995 Directive prohibited the transfer of personal data to any country outside Europe (referred to as ‘third countries’) unless the third country offered an ‘adequate standard of data protection’ or certain alternative safeguards were in place. Alternative safeguards include, for instance, obtaining consent of the individual concerned or using certain approved contractual clauses. These alternative safeguards can be provided on an individual company, transaction or process basis.

Accordingly, European businesses are prohibited by law from transferring personal data to third countries unless special safeguards are in place. Since 1995 there has been huge growth in cross-border data processing and significant changes in business practice. Providing the special safeguards in the manner required by EU law can be inflexible and costly for business. As New Zealand has a comprehensive privacy law applying to all New Zealand businesses, it has been possible to obtain an adequacy decision that covers the whole country, i.e. all New Zealand businesses in all circumstances. This decision facilitates a free flow of data between EU member states and New Zealand and simplifies the task for New Zealand businesses of providing assurances that personal data will remain adequately protected.

When does the European Commission decision take legal effect?

The decision by the European Commission to recognise New Zealand as providing an ‘adequate standard of data protection’ is binding on 27 EU member states. Member states are required to take the measures necessary to comply with the decision within three months of the date of its notification. Accordingly, member states must take the necessary measures to recognise New Zealand’s adequacy by 20 March 2013.

What is the effect of the European Commission decision?

The effect of such a decision is that personal data can flow from the 27 EU member states and three EEA member countries (Norway, Liechtenstein and Iceland) to New Zealand without any additional special safeguards of the type prescribed in the EU Directive being necessary.

Have the laws of any other country outside Europe been recognised by the European Commission as providing an adequate standard of data protection for the purposes of EU law?

Four other countries outside Europe have been found to provide an adequate standard of data protection: Argentina, Canada, Israel and Uruguay.

(In addition, the European Commission has found several non-EU countries within Europe to be adequate for the purposes of EU law – namely, Andorra, Switzerland, and some island dependencies of Denmark and the UK.)

Has Australia been recognised as having an adequate standard of data protection for the purposes of EU law?

No.

What process led to this decision from the European Commission?

Assessing whether a third country offers an adequate standard of data protection involves a complex set of data protection and legal considerations. Furthermore, an adequacy decision by the European Commission (EC) must be given effect at national level. Accordingly, the EC has an elaborate set of processes to assess the issues and to consult national governments and their regulatory bodies.

When the EC becomes aware of a third country that might be likely to meet European standards, it commences a thorough study by officials and may also, as it did in the New Zealand case, commission external experts to undertake further research. When the EC is satisfied that a good case exists, the matter is referred to a committee representing the data protection commissioners from all 27 states. If a favourable opinion is received from that body, the matter progresses to a committee representing member governments for opinion. Unless there is objection from the European Parliament or from the European Data Protection Supervisor, the case then proceeds to a final decision by the College of Commissioners.

Why has it taken so long for New Zealand’s privacy law to be recognised as adequate?

The European Commission’s preliminary analysis of New Zealand privacy law revealed that amendment to our law was necessary. An early attempt to amend the Privacy Act ran into problems and it was not possible for several years to find another opportunity to amend the Act. Eventually, in September 2010, the Privacy (Cross-border Information) Amendment Act 2010 was enacted, which paved the way for the elaborate EU assessment to be completed.

Will the EC decision be legally relevant to New Zealand’s relationships with any non-EU countries?

The countries of the European Economic Area (Norway, Liechtenstein and Iceland) each have data export controls modelled on the EU Data Protection Directive. New Zealand’s law will be recognised as providing an adequate standard of protection for those countries.

Like the EEA countries, it is understood that many of the third countries that have already obtained an adequacy decision have data export controls in their domestic laws for which this finding will likely be applicable or relevant. Together, the group of EU, EEA and adequate third countries totals nearly 40 states and territories.

In addition, a number of other jurisdictions have data export controls that apply a variety of standards. For example, Australia has statutory controls that recognise third countries’ laws that are “substantially similar” to Australian privacy principles. While the standards applied under the laws of these other jurisdictions may not precisely accord with European standards, an EU adequacy decision is likely to be highly persuasive given that the European data protection requirements are generally regarded as the most stringent in the world.

Where can I find further information about the European Commission decision?

A European Commission press release entitled “EU approves New Zealand’s data protection standards in step to boost trade” is available at

In due course the NZ decision will be posted online at:

A joint statement by the Minister of Justice and Minister of Trade is available at

Attached to this backgrounder is a letter from the European Commission and its formal decision.

Office of the Privacy Commissioner, New Zealand

20 December 2012 (updated 5 March 2013)

[1] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data.