A recent amendment to privacy law -- the Privacy (Cross-Border Information) Amendment Act - aims at meeting conditions set by the European Union on the privacy of personal information sent to or through New Zealand. However, the Privacy Commissioner's office acknowledges there are still holes in the protection of personal information that is originated here and leaves our shores.
This not only poses a problem with data sent to an identifiable overseas country; there is a potentially larger challenge for data processed in the cloud. Here it is often not possible to identify the jurisdiction in which the computers that process the data are situated.
Recommendations for laws to cover such protection are still being deliberated by the Law Commission as part of its ongoing study of privacy.
Section 10 of the Privacy Act in its present form covers some of the situations. For example, where a company in New Zealand sends data to an affiliated company overseas, it is still protected by the principles of the Act covering misuse, availability to the subject and opportunity for correction; but where data is sent overseas to an unrelated third party or into the cloud there is no guaranteed protection under the Act, says assistant privacy commissioner Blair Stewart.
For data travelling out of the country one possible solution is for New Zealand to impose a similar condition on destination countries, to that imposed by Europe on us, Stewart says.
Alternatively or additionally, we could pass laws to make New Zealand companies more accountable for misuse of data in their care while it is overseas or in the cloud, he says. This is the solution adopted, for example, by Canada.
A third approach is to rely not on the law but on industry standards and contractual agreements to protect privacy, Stewart says. This, for example, is the rule in India that processes a good deal of data from other countries, but has no privacy law to cover the situation, he says.
In considering a solution, any nation has to be careful not to unduly compromise the trading and business efficiency advantages of sending its data overseas, says Stewart.
Passage of the Privacy (Cross-Border Information) Amendment Act, which came into operation earlier this month, will ensure adequate privacy protection for personal information sent from overseas to New Zealand for processing; but the law change has still to prove itself "adequate" in the context of European law.
New Zealand has applied for a finding of adequacy; the outcome has yet to be determined but the application is "working its way through European Union processes", says a statement from the Privacy Commissioner's office.
"Ensuring that European business and regulators see New Zealand as a safe place for information processing is important for New Zealand's reputation," Commissioner Marie Shroff says.
Justice Minister Simon Power goes further, saying the tightening of the law will "remove a major barrier for businesses operating internationally.
"The Government recognises that in today's difficult economic environment we need to do everything possible to improve the international competitiveness of our businesses," Power says.
"Until now, the Privacy Act 1993 has been silent on cross-border enforcement of privacy laws."
To prevent information being transferred into this country with the intention of moving it on to another country with inadequate privacy protection, the Privacy Commissioner is empowered under the new amendment to issue a "transfer prohibition notice" to prevent the information being moved out.
However, the power to issue such a notice only applies to information that was imported into New Zealand in the first place, not to information collected here.
Ironically, the Search and Surveillance Bill, currently at Select Committee stage, aims to allow online search of remote computers -- which might otherwise be considered a breach of privacy -- if authorised by a search warrant for a local computer system connected to them.
The advanced stage of that law is due to the Law Commission having delivered its analysis of search and surveillance in 2007.