The Privacy Act 2020 introduces a new Information Privacy Principle (IPP 12) which imposes controls on the disclosure of personal information to overseas entities and people.  

The intent of IIP 12 is broadly to ensure that agencies sending personal information overseas first carry out steps to demonstrate that the personal information will be protected by safeguards comparable to those in our Act (either by overseas laws or contract) or otherwise have the express and informed consent of the individual concerned.

Specifically, IIP 12 provides six grounds on which agencies can disclose information overseas. Briefly, these are:

• Express and informed consent – but consent is only “informed” if the individual concerned authorises the disclosure after being informed that the foreign entity may not be required to protect personal information in a way that provides comparable safeguards to those in the Act
• The foreign entity is carrying on business in NZ and the disclosing entity holds a reasonable belief that the foreign entity is subject to the Act
• Reasonable belief that the foreign entity is subject to privacy laws that overall provide comparable safeguards to those in the Act
• Reasonable belief that the foreign entity is part of a prescribed binding scheme[1] or
• Reasonable belief that the foreign entity is subject to the privacy laws of a prescribed country[2]
• Reasonable belief that the foreign entity is required to protect the information in a way that overall provides comparable safeguards to those in the Act by virtue of some other circumstance or fact, e.g. pursuant to an agreement with the foreign entity.

There is also an exception for information which is held by a person as agent for another (for example, cloud providers storing or processing the information). Information provided to such an agent is not treated as a transfer of information under the Act and accordingly not subject to IIP 12. However, as the “agency” reference would suggest, the organisation providing the information to the agent can be held responsible for the agent’s acts and omissions in relation to the information. For that reason, it is important to ensure that any such agreement for data storage or processing includes appropriate privacy obligations on the agent.

Where the agency exception does not apply, one of the grounds in IIP 12 would need to be relied on.

Some of these grounds may not necessarily be straightforward. For example, some may require a degree of investigation into overseas privacy laws, and the “express and informed consent” ground may not always be practical, especially where the agency has already collected and holds the personal information to be disclosed to the overseas entity.

In some cases the solution may be to put a data sharing agreement in place which requires the foreign entity to handle the personal information they receive in a manner consistent with the NZ Act. The Office of the Privacy Commissioner has published a model data sharing agreement[3] that could be used for this purpose. It operates as a standalone agreement, although it does contemplate other related agreements also being in place. In practice parties may prefer to incorporate appropriate privacy clauses into their agreement which records the commercial arrangement under which the information is being disclosed.  Whatever the case, the model data sharing agreement will be a useful resource to benchmark against.

Given the prevalence of personal information, a number of cross-border transactions and arrangements will now need to include consideration of IIP 12. These might include business sales to offshore purchasers, data sharing with offshore group companies, and cross-border distribution, licence and franchise arrangements.

If your organisation requires assistance with understanding and managing its compliance obligations with respect to the offshoring of data, please get in touch with us.

[1] A prescribed binding scheme is one that requires a foreign person/entity to protect personal information in a way that overall provides comparable safeguards to those in the Act. Regulations are expected next year.

[2] A prescribed country is one that has privacy laws that overall provide comparable safeguards to those in the Act and may be prescribed subject to limitations or qualifications relating to the type of foreign person/entity personal information may be disclosed to or the type of personal information that may be disclosed. Regulations are expected next year.

[3] Available at https://www.privacy.org.nz/news-and-publications/guidance-resources/disclosing-outside-nz/