Overseas data transfers: new guidance

• The new Privacy Act 2020 comes into force 1 December 2020
• The Office of the Privacy Commissioner (OPC) last week published guidance on the new rules for disclosure of personal information overseas
• OPC has released model contract clauses for international data transfers

‍

‍The new Privacy Act 2020

On 1 December 2020 the Privacy Act 2020 will come into force. The new Privacy Act introduces changes aimed to strengthen New Zealand’s privacy laws based on international trends. The update is also timely, as New Zealand’s status as an adequate country[1] under European data protection laws is up for review.

We have written in detail on the new Privacy Act – see this link for more.

Disclosure of personal information overseas

Information Privacy Principle (IPP) 12 in the new Privacy Act places controls on the cross-border disclosure of personal information. Under IPP 12, an agency may only transfer personal information to a foreign entity if one of the following applies:

• the individual concerned authorises disclosure after being expressly informed that the receiving party may not be required to protect their information in a way that is comparable to that required by the Privacy Act;
• the discloser believes on reasonable grounds that the receiving party is subject to the Privacy Act or to similar safeguards as provided by the Privacy Act;
• the discloser believes on reasonable grounds that the receiving party is subject to the laws of a “prescribed country”, meaning a country with a data protection framework comparable to that of New Zealand and recognised as such[2];or
• the discloser believes on reasonable grounds that the receiving party will protect the data in a way that is comparable to the protections required by the Privacy Act.

The entity disclosing information must satisfy itself that one of the above criteria is met.

However, the protections regarding overseas disclosures will not apply where information is transferred to a service provider solely for the purpose of safe custody or processing on behalf of the agency.  This means that where a service provider is not using the personal information for its own purposes, the transfer of personal information outside of New Zealand from an agency to the service provider will not constitute 'disclosure' for the purposes of the new IPP 12. Therefore, if you are transferring personal information overseas to, for example a Sydney based cloud storage provider, then this would not trigger the application of IPP 12 provided that the cloud services provider solely stores and processes the data on your behalf.

Model agreement / model clauses

The OPC has released “model clauses” (aka a model agreement) for use by organisations that wish to send personal information overseas.

The model agreement is a welcome resource to help small-to-medium enterprises navigate the complexities of overseas data transfers under the Privacy Act 2020.

The model agreement is essentially a template agreement that organisations can fill out and require the overseas recipient to sign prior to disclosing personal information overseas. The model agreement seeks to impose the protections on the use and disclosure of personal information that are contained in the Privacy Act itself. This would in turn allow for the organisation to meet its obligations under IPP 12.

The OPC has helpfully published detailed guidance on how to use the model agreement, and what the obligations mean for businesses.

Get in touch

Do get in touch if you have any queries on what the new Privacy Act means for your business. We are working with both suppliers and customers of technology products and services in navigating the new playing field for privacy and would be happy to help.

[1] Adequacy status means that the European regulator has deemed transfers to New Zealand as having adequate protections for the purposes of European data protection regulation

[2] As at the date of this article, no countries have been prescribed under regulations.