The new IPP 12
Focus: the new globalised digital data economy
Recognising the free flow of data – trade talks, international economic conversations, etc, but with some limits on disclosure internationally
All international players are subject to NZ’s law whether they are doing business here, live here, have an office here or a server here (or not)
13 IPPs going forward in the new Privacy Act
The new IPP 12 – adds an obligation on any NZ agency to take extra steps to ensure it has a clear authorisation for disclosing information to an entity offshore (i.e. based in another jurisdiction)
The agency has to be satisfied that the personal information about New Zealanders is going to a place with comparable safeguards. If it can’t do that then it has to be very explicit that every individual authorises taking the risk of international disclosure
The Office of the PC will be able to provide model clauses for contacts to industry to assist with managing risk
It will be possible to disclose information to a business operating in a country that the Office of the PC has assessed and which the Minister has made a regulation declaring it as “a prescribed country”, and there may be particular arrangements in some regions which are “prescribed schemes” that give industry comfort that they can disclose
Privacy protection is therefore more joined up as a result, and follows personal information moving around the globe. NZ is catching up by including this obligation, and ensures DD is being done when data leaves the NZ jurisdiction. This is actually a lighter touch than many jurisdictions have
Important points to note:
- The new IPP 12 is not going to prevent agencies receiving the benefits of service providers based overseas
- NZ businesses using service providers based overseas, like cloud software, will simply need to make sure their providers are meeting NZ privacy laws
- Storing data in data centres outside of NZ will not amount to a disclosure and there is therefore no need to go through the steps of satisfying yourself that you meet the legal system in the country of destination (note: this could be different if the service provider is using the information for a purpose of their own)
- Extraterritorial application of NZ law and the prohibition/restriction on disclosure to unapproved countries
- The Privacy Act will apply to any agency doing business in NZ, whether their legal basis is in Ireland or California or anywhere else in the world, if they are actively carrying on business in NZ using New Zealanders’ information
Example: running a platform out of California, which enables New Zealanders to add their personal information, which then sells advertising to NZ businesses (i.e. such activity involves revenue and personal information transactions), then it is clear that agencies are carrying on business in NZ and are therefore subject to the Privacy Act
Two main benefits to this approach:
- The agency is subject to the entire NZ Privacy Act regime – it creates a level playing field for other domestic business operating in the same areas
- NZ business using those services or disclosing information to them can disclose seamlessly without further transaction costs, without having to write contractual closes or having to invest in understanding the legal system of the country of origin
- The new Privacy Act makes it clear that if you disclose to an overseas entity carrying on business in NZ, then they will be subject to the obligations under the NZ Privacy Act – it doesn’t matter what type of entity it is – it could be an international church, a governmental agency or a charitable organisation