Bills

Bills Digests

Content provider
Information
Date:
18 July 2008
Downloads

Note: The above document(s) are provided as an Adobe PDF (PortableDocument Format) file. you can download a free viewer for PDF files from Adobe's web site.

Related documents
Contact details
Parliamentary Library
Parliament Buildings
Wellington

Digest No. 1630

Privacy (Cross-border Information) Amendment Bill 2008

Date of Introduction: 02 July 2008
Portfolio: Commerce
Select Committee: As at 18 July, 1st Reading not held.
Published: 17 July 2008Prepared by John McSoriley BA LL.B, BarristerLegislative AnalystP: (04) 471-9626 (Ext. 9626)F: (04) 471-1250 Caution: This Digest was prepared to assist consideration of the Bill by members of Parliament. It has no official status.Although every effort has been made to ensure accuracy, it should not be taken as a complete or authoritative guide to the Bill. Other sources should be consulted to determine the subsequent official status of the Bill.

Purpose

The aim of this Bill is to amend the Privacy Act 1993 (the Act) to reduce the likelihood of New Zealand being used as an intermediary for the avoidance of other State's privacy laws by:

  • removing the current restrictions on who may make an information privacy request;
  • enabling public sector agencies to charge for making personal information available to overseas foreign nationals;
  • providing for the referral of cross-border complaints to the appropriate privacy enforcement authority; and
  • establishing a mechanism for controlling the transfer of information outside of New Zealand where the information has been routed through New Zealand to circumvent the privacy laws of the country from where the information originated (Clause 3, the "purpose clause").

Background

The amendments are designed to ensure that personal data originating overseas and sent to New Zealand is subject to New Zealand's privacy protection. "The Bill's transfer prohibition notice mechanism will ensure foreign personal data cannot be sent, via New Zealand, to jurisdictions without adequate privacy protection. These amendments will enable New Zealanders and New Zealand companies to assure their trade partners that New Zealand law will ensure their privacy is protected" [1]   .

Main Provisions

What is an "information privacy request"?

An "information privacy request" is a request made to:

  • obtain confirmation of whether or not an agency holds personal information;
  • be given access to personal information;
  • for correction of personal information (Section 33 of the Act).

Information requests may only be made by individuals

Section 34 of the Act provides that an information privacy request may be made only by an individual who is:

  • a New Zealand citizen;
  • a permanent resident of New Zealand; or
  • an individual who is in New Zealand.
  • The Bill replaces this provision with the simple statement that: "an information privacy request may be made only by an individual" (Part 1, Clause 5, substituting Section 34 of the Act).
  • Comment
  • An information privacy request will be able to be made by any individual in the world.

Charging for requests made from overseas

The Bill provides that the Privacy Commissioner may authorise a public sector agency to impose a charge in respect of the making available of information in compliance, in whole or in part, with the request, if the information privacy request is received from, or on behalf of, an individual who "is residing outside New Zealand" and "is not a New Zealand citizen or permanent resident of New Zealand" (Part 1, Clause 6, amending Section 36 of the Act ("Commissioner may authorise public sector agency to charge") by inserting new subsection (1A)).

Complaints

The Bill provides that when the Privacy Commissioner receives a complaint that he or she considers relates, in whole or in part, to a matter that is more properly within the jurisdiction of an overseas privacy enforcement authority, the Commissioner may consult that authority and then determine whether the complaint should be dealt with, in whole or in part, under the Act. The Commissioner may refer part or the whole of the complaint to the overseas authority. The Bill defines the term "overseas privacy enforcement authority" as "any overseas public body that is responsible for enforcing legislation that protects personal information, and that has the power to conduct investigations and pursue enforcement proceedings" (Part 1, Clause 7, inserting New Section 72C into the Act).

Prohibition on transfer of personal information outside New Zealand

The Bill provides that the Privacy Commissioner may prohibit a transfer of personal information from New Zealand to another State if he or she is satisfied that:

  • the personal information will be transferred to a jurisdiction where it will not be subject to a law providing comparable safeguards to the principal Act; and
  • the proposed transfer may circumvent the laws of the State from where the information originated; and
  • the transfer would be likely to breach the basic principles of national application set out in Part Two of the Organisation for Economic Co-operation and Development Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (OECD Guidelines).

In exercising his or her discretion in accordance with this new section, the Commissioner must consider the following:

  • whether or not the proposed transfer of personal information affects, or would be likely to affect, any individual; and
  • the desirability of facilitating the free flow of information between New Zealand and other States; and
  • any existing or developing international guidelines relevant to transborder data flows (including the OECD Guidelines and the European Union Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data) (Part 1, Clause 8, inserting New Part 11A into the Act, New Section 114B).

Transfer prohibition notices

The Bill authorises the Commissioner to prohibit a transfer of personal information by serving a transfer prohibition notice on the agency proposing to transfer that personal information. The Commissioner may vary or cancel all or any part of a transfer prohibition notice, on the Commissioner's own initiative or on an application by the agency on whom the notice is served, if he or she considers that the notice need not be complied with in order to avoid a contravention of basic principles of privacy and data protection. The Bill creates a new offence in relation to a failure or refusal to comply with a transfer prohibition notice served by the Commissioner. An agency on whom a transfer prohibition notice is served may appeal to the Human Rights Review Tribunal against:

  • the whole or any part of the notice; or
  • a decision of the Commissioner that the transfer prohibition notice should come into effect urgently; or
  • a decision of the Commissioner to vary a transfer prohibition notice; or
  • a refusal by the Commissioner to vary or cancel a transfer prohibition notice.

Part 4 of the Human Rights Act 1993 applies to appeal proceedings in the Human Rights Review Tribunal (Part 1, Clause 8, inserting New Part 11 into the Act, New Sections 114C-114G).

Copyright: © NZ Parliamentary Library, 2008
Except for educational purposes permitted under the Copyright Act 1994, no part of this document may be reproduced or transmitted in any form or by any means, including information storage and retrieval systems, other than by Members of Parliament in the course of their official duties, without the consent of the Parliamentary Librarian, Parliament Buildings, Wellington, New Zealand.This document may also be available through commercial online services and may be viewed and reproduced in accordance with the conditions applicable to those services.

  1. Privacy (Cross-border Information) Amendment Bill, 2008 No 221-1, Explanatory note, General policy statement, p. 1.   [back]