One of the key changes to New Zealand’s data protection regime under the Privacy Act 2020 is the introduction of a new information privacy principle 12 (IPP 12), requiring certain controls be put in place before disclosing personal information to foreign entities.The concept itself is not new, and largely follows the approach taken in the EU, Australia and other jurisdictions. The broad intent of these new controls is to ensure that personal information being sent outside of New Zealand is subject to privacy safeguards that are comparable to those under our Privacy Act.

Who needs to read it? Why?

All financial service industry participants that deal with personal information of clients will need to be conscious of these controls.

What does it cover?

Under the new IPP 12, an organisation disclosing personal information to foreign persons or entities may only make that disclosure if it believes on reasonable grounds that the foreign person or entity meets at least one of the following criteria:

• is “carrying on business in New Zealand” and is subject to the Privacy Act;
• is subject to privacy laws that, overall, provide comparable safeguards to those in the Privacy Act;
• is required to protect the information in a way that, overall, provides comparable safeguards to those in the Privacy Act (for example, by agreement between the agencies); or
• is subject to the privacy laws of a country, province or State, or is a participant in a binding scheme for international disclosures of personal information, that has been prescribed in regulations by the New Zealand Government as providing comparable safeguards to the Privacy Act.

An offshore disclosure is also permitted where the New Zealand organisation has obtained the authorisation from the individual concerned.

To comply with the new IPP 12, agencies must first assess whether they disclose personal information to foreign entities and for what purposes. The organisation will then need to consider (and ideally document in some way) what grounds under IPP 12 it is relying on to disclose the information to that foreign entity. This may require agencies to undertake some degree of due diligence in respect of a foreign entity with whom they may share personal information.

Comparable laws

We expect many organisations will seek to rely on the grounds that they are reasonably satisfied that the information is being disclosed to a country that has comparable safeguards to those in our Privacy Act, such as Australia or the EU.  However, the assessment as to whether an organisation is subject to comparable laws to ours is not always straightforward.

Although in recent years many countries have implemented new or updated laws that may look similar to the gold standard EU General Data Protection Regulation (GDPR), organisations should carefully consider whether those laws actually are, in reality, ‘comparable’ to ours.  When undertaking this assessment, organisations will need to take into account factors such as:

• does the country have a truly independent regulator overseeing and enforcing the law?
• does the overseas law incorporate the OECD privacy principles?
• do individuals have the same rights and access to justice and redress in that jurisdiction?
• is there are fair, accessible and enforced complaints regime?
• does the law apply to all businesses?
• does the law apply to all types of personal information?

For example, Australia’s privacy law appears very similar to our Privacy Act in many respects. However, the Australian Act contains exceptions for small businesses, and it also doesn’t apply to employee information. So, if a New Zealand organisation is disclosing significant amounts of employee information to a parent company in Australia, it may be arguable that Australia’s privacy laws are not actually comparable to ours in relation to that specific personal information.

The above factors highlight that making a decision to transfer personal information to a comparable jurisdiction is not a simple exercise to be overlooked and needs to be considered on a case by case basis, with a clear understanding of the scope and applicability of the foreign law. In some cases, local knowledge may be required to make such assessment.

Prescribed countries

Although offshore disclosures are permitted under IPP 12 where the recipient is subject to the laws of a prescribed country, given the complexities noted above in making an assessment as to whether foreign laws are in fact comparable or offer similar levels of protection to ours we don’t expect the Government will rush into issuing a whitelist of prescribed countries – which ultimately leaves it up to organisations to make that assessment themselves.

Contractual protections

Organisations can also rely on the grounds that the foreign entity is otherwise required to protect the information in a way that is comparable to the Privacy Act (i.e. pursuant to a binding contract).

The Office of the Privacy Commissioner is developing guidance to help organisations understand how to comply with the new IPP 12, including releasing standard contractual clauses that organisations can enter into with foreign entities to ensure that personal information will be subject to ongoing protections and prescribe how the foreign entity must handle the personal information.

The standard contractual clauses are unlikely to accommodate a ‘one size fits all’ approach, and organisations may need to supplement or amend these to ensure they align with existing contractual provisions and appropriately cater for the particular circumstances of the disclosure, e.g. taking into account the type of personal information to be disclosed, and the purposes for which the foreign entity will use that information.

Importantly, under the Privacy Act, a transfer or disclosure of personal information to an offshore parent company will be caught by the new IPP 12.  In the absence of binding corporate rules, organisations may need to enter into some form of these standard contractual clauses with their parent companies to comply with IPP 12 (for example, banks in New Zealand who disclose certain customer information to parent companies in Australia).

Individual authorisation

Where an organisation chooses to rely on individual authorisation to disclose information to a foreign entity, it must have expressly informed the individual that the foreign entity or person may not be required to protect the information in a way that, overall, provides comparable safeguards to those under our laws.

The Privacy Act doesn’t set out any specific rules around how authorisation / consent should be given. As with the requirements for consent in other jurisdictions, best practice dictates that an active step must be taken by the individual to demonstrate their authorisation (i.e. ticking a box) and the consent must be specific, freely given and unambiguous. Because of this, general forms of authorisation, such as through privacy policies, may not be enough to constitute “authorisation” under the new IPP 12. In our view, authorisation should be an organisation’s last resort, particularly given the risk that an individual could revoke their authorisation at any time.

Exception for transfers to service providers

One of the key points to understand in respect of the new IPP 12 is that sending or transferring information to another organisation to hold or process solely on your behalf (i.e. as your agent) will not be not treated as a disclosure under the new Privacy Act. This could be, for example, where you transfer personal information to a cloud storage provider solely for the hosting and storage of your data, and in some cases may also extend to software as a service providers.

Section 11 of the Privacy Act specifies that where an agency (A) holds information as an agent for another agency (B), the personal information is treated for the purposes of the Privacy Act as being held by B, and not A.  The Privacy Act clarifies that in this situation any transfer of information from B to A is not considered a use or disclosure of the information by B – and therefore the relevant provisions of the Privacy Act that relate to use and disclosure of personal information will not apply (including IPP 12).

Importantly, though, this only applies where the receiving party does not use the personal information for its own purposes.  We expect that the Privacy Commissioner will take a relatively strict approach to determining whether a third party uses information for its own purposes – i.e. even if the third party only uses a subset of the data or even an aggregated or de-identified dataset for its own purposes, this may still be considered a ‘use’ of personal information under the Privacy Act (on the basis that the third party would not have otherwise had access to the information had the full data set not been given to it for safe keeping or processing by the disclosing party).

The effect of section 11 means that any breach of the Privacy Act by the agent in respect of the personal information in their possession or control will be treated as a breach by the disclosing organisation – as it is ultimately the party responsible under the Privacy Act for the personal information that it disclosed to its agent.

Therefore, despite the carve out for ‘agents’ under IPP 12, disclosing organisations should still confirm that they have appropriate contractual provisions in place with their service providers to ensure that any obligations and potential liabilities they may have under the Privacy Act are passed through or back-to-backed with those suppliers, including (as a minimum) that the service provider:

• has appropriate security measures in place to meet the disclosing party’s obligations under the Privacy Act;
• agrees to co-operate with any investigation or requests regarding personal information disclosed to it; and
• notifies the disclosing party immediately of any possible breach of privacy laws or unauthorised access to or loss of personal information in its possession.

Our view

In summary, although the introduction of IPP 12 is a positive step towards better protection of personal information that is disclosed overseas, the assessment and application of it from a practical perspective may not be as straightforward as it appears in the Privacy Act.

What next?

If you have any questions about disclosing personal information outside of New Zealand or compliance with the new IPP 12, please contact one of our experts.