We might be small, but we're still adequate

The European Commission has decided that Aotearoa New Zealand will retain its EU adequacy status. This is important news for local organisations which market their products or services into the EU. 

Aotearoa NZ’s Privacy Act first received EU adequacy status in 2012. At that time, the Privacy Act reflected global best practices and was relatively progressive in its scope and approach. Since then, however, global privacy laws have leapt ahead, incorporating privacy breach notification regimes, stronger individual rights and significant financial penalties.

In 2020, the Privacy Act was somewhat overhauled. Privacy breach notification requirements, clear extraterritoriality provisions, and some slightly stronger enforcement powers for the Office of the Privacy Commissioner were added, along with a few other relatively minor improvements. However, the law was still left without many of the more powerful features of our global counterparts, including any meaningful penalties for non-compliance. There was also no effort to future-proof the law to address the rapidly evolving risks of artificial intelligence and automated decision-making.

Despite these shortcomings, the European Commission announced on 15 January 2024 that Aotearoa NZ, alongside 10 other countries, would retain its EU adequacy status. In support of its decision, the Commission cited:

  • Developments in New Zealand’s legal framework since the adoption of the initial adequacy decision, including legislative amendments, case law and activities of oversight bodies, which have contributed to an increased level of data protection.
  • The comprehensive reform that resulted in the adoption of the Privacy Act 2020, which “further increased the convergence with the EU’s data protection framework, notably as regards the rules for international transfers of personal data and the powers of the data protection authority.”
  • In the area of government access to personal information, the fact that public authorities in New Zealand are subject to clear, precise and accessible rules under which such authorities can access and subsequently use data transferred from the EU for public interest objectives, in particular for criminal law enforcement and national security purposes.
  • New Zealand’s overarching constitutional framework — including the Bill of Rights Act — and case law, as well as specific laws regulating government access to data and provisions of the Privacy Act that also apply to the processing of personal data by criminal law enforcement and national security authorities.

On this basis, the Commission found Aotearoa NZ continued to provide an adequate level of protection for personal information transferred from the EU. This decision is great news for organisations in Aotearoa NZ — particularly in the technology and data processing areas — which are increasingly seeking to enter the EU market. It means customer organisations in the EU can transfer their data to Aotearoa NZ for storage or processing without having to jump through the hoops required by Chapter V of the EU General Data Protection Regulation.