Privacy & Information Security Law Blog

On April 4, 2011, the Article 29 Working Party (the “Working Party”) issued an Opinion finding that New Zealand ensures an adequate level of data protection within the meaning of the EU Data Protection Directive 95/46/EC (the “Data Protection Directive”).  The Working Party’s assessment in the Opinion focuses on the New Zealand Privacy Act 1993 and is based primarily on a comparison of the Act and relevant case law, against the provisions of the Data Protection Directive.

Under the Data Protection Directive, transfers of personal data to countries outside the European Economic Area that are not considered to provide an “adequate” level of data protection are subject to very strict conditions.  To date, the European Commission has recognized Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Jersey, the Isle of Man, Switzerland and the U.S. Department of Commerce Safe Harbor Privacy Principles, as providing an adequate level of data protection.

Although the Working Party’s Opinion is a major step toward New Zealand being recognized as an “adequate” country, the European Commission will make the final decision regarding adequacy.  As we have previously reported with respect to Israel, the process leading to this adequacy decision might still pose hurdles.  In New Zealand’s case, according to the Working Party, some concerns still exist with regard to direct marketing and the oversight of data transfers from New Zealand to third countries which have not been deemed adequate by the Commission.