European Commission privacy law endorsement opens way for NZ businesses

Article  \  3 May 2013

In December last year, the European Commission (EC) formally recognised the adequacy of data protection regulation in New Zealand, opening the way for increased trade with the European Union (EU).

The formal declaration that New Zealand has adequate standards of data protection for the purposes of EU law means that personal data can be transferred from the EU to New Zealand without further safeguards having to be put in place.

By 20 March 2013, all EU member states were required to take the necessary measures to recognise New Zealand's adequacy. This acknowledgment of our high standards of data protection, and becoming the first western Asia-Pacific country to receive this recognition, is timely as 2013 marks 20 years of privacy regulation in New Zealand. 

Background: EU Data Protection Directive

Consistent with the vision of creating a single market within Europe, all 27 EU states harmonised their privacy laws under a 1995 EU Data Protection Directive. This Directive sought to remove barriers for data transfer across borders between states of the EU, while protecting and maintaining the high standard of protection for Europeans' personal data.

To this end, the Directive prohibits the transfer of personal data to any country outside Europe (known as 'third countries') unless that third country offers an 'adequate standard of data protection' or other alternative safeguards were in place. These alternative safeguards are usually developed at an individual company, transaction or process level.

The declaration from the EC recognises New Zealand as having adequate standards of privacy regulation, meaning that EU business can transfer personal information to New Zealand for processing without having to put in place alternative safeguards.

The process of recognition for New Zealand

The declaration is the result of a lengthy assessment process involving a complex set of data protection and legal considerations. New Zealand also enacted the Privacy (Cross-border Information) Amendment Act 2010 to align our Privacy Act 1993 to the European standards. This declaration is recognition that New Zealand privacy laws are now on par with Europe's - commonly considered the most stringent in the world. 

What it means for Kiwi businesses

Since the Directive in 1995, electronic data transfers have increased significantly with rapid advances in computing technology. Today, cross-border data flow is an integral tool for business on a global scale. It is common for information to be shared across borders for processing, or hosted on servers in other countries.

The Directive facilitates the free flow of data between Europe and New Zealand entities, with no need for costly, and often inflexible, approvals. New Zealand can now offer a unique competitive advantage over other countries trading with the EU, as it is one of relatively few countries having received the EC's approval. The benefits can easily flow to companies dealing with data processing, cloud computing or other information technology based ventures, through to law firms, call centres, accounting firms or any other agencies that offer services from this side of the world.

New Zealand companies should use this declaration to pitch for new business, knowing they can reassure any European or other company that our data privacy laws stand up to the EU's stringent requirements. Kiwi businesses should use this to their benefit and be creative and innovative in terms of the opportunities presented by the free flow of personal data from the EU.