COMMISSION IMPLEMENTING DECISION
of 19 December 2012
pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by New Zealand
(notified under document C(2012) 9557)
(Text with EEA relevance)
(2013/65/EU)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(1), and in particular Article 25(6) thereof,
After consulting the European Data Protection Supervisor
Whereas:
(1) Pursuant to Directive 95/46/EC, Member States are required to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and if the Member States’ laws implementing other provisions of the Directive are complied with prior to the transfer.
(2) The Commission may find that a third country ensures an adequate level of protection. In that case, personal data may be transferred from the Member States without additional guarantees being necessary.
(3) Pursuant to Directive 95/46/EC the level of data protection should be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations and giving particular consideration to certain specified elements relevant for the transfer.
(4) Given the different approaches to data protection in third countries, the adequacy assessment should be carried out, and any decision based on Directive 95/46/EC should be made and enforced in a way that does not arbitrarily or unjustifiably discriminate against or between third countries where like conditions prevail, nor constitute a disguised barrier to trade, regard being had to the Union’s present international commitments.
(5) New Zealand is a former British colony. It became an independent Dominion in 1907, but did not formally sever its constitutional ties with Great Britain until 1947. New Zealand is a unitary State and does not have a written constitution in the conventional sense of an entrenched constitutive document. The country is a constitutional monarchy and parliamentary democracy on the Westminster model, with the Queen of New Zealand as the Head of State.
(6) New Zealand operates on the principle of Parliamentary sovereignty. Nevertheless, by convention there are a number of statutes that are of particular constitutional importance and are regarded as ‘higher law’. This is in the sense that they form part of the constitutional background or landscape by informing government practice and the enactment of other legislation. Moreover, cross-political consensus would be expected in the event of amendment or repeal of this legislation. Several of these statutes — the Bill of Rights Act of 28 August 1990 (Public Act No 109 of 1990), the Human Rights Act of 10 August 1993 (Public Act No 82 of 1993), and the Privacy Act of 17 May 1993 (Public Act No 28 of 1993) — are relevant to data protection. The constitutional importance of this legislation is reflected by the convention that they must be taken into account when developing or proposing new legislation.
(7) The legal standards for the protection of personal data in New Zealand are primarily set out in the Privacy Act, as amended by the Privacy (Cross-border Information) Ammendement Act of 7 September 2010 (Public Act No 113 of 2010). It predates Directive 95/46/EC, and is not limited to automatically processed data or structured data in a filing system, but covers all personal information in whatever shape or form. It covers the entire public and private sectors, with a few specific public interest exceptions that one would expect in a democratic society.
(8) There are a number of regulatory frameworks in New Zealand for dealing with privacy issues in terms of policy, rules, or complaints jurisdictions. Some are statutory while others are self-regulating industry bodies, including media regulation, direct marketing, unsolicited electronic messages, market research, health and disability, banking and insurance and savings.
(9) In addition to legislation enacted by the New Zealand Parliament, there exists a considerable body of common law whose roots stem from English common law, embodying common law principles and rules that are relevant to data protection. Among the fundamental common law principles is the principle that the dignity of the individual is a paramount concern of the law. This common law principle is a key element in the background context to judicial decision-making generally in New Zealand. New Zealand case-law based on common law also contains a number of other aspects of privacy including invasion of privacy, breach of confidence and incidental protection in the context of defamation, nuisance, harassment, malicious falsehood, negligence and others.
(10) The legal data protection standards applicable in New Zealand cover all the basic principles necessary for an adequate level of protection for natural persons, and also provide for exceptions and limitations in order to safeguard important public interests. These legal data protection standards and the exceptions reflect the principles laid down in Directive 95/46/EC.
(11) The application of the legal data protection standards is guaranteed by administrative and judicial remedies, and by independent supervision carried out by the supervisory authority, the Privacy Commissioner, who is endowed with the kinds of powers set out in Article 28 of Directive 95/46/EC, and who acts independently. Moreover, any interested party is entitled to seek judicial redress for compensation for damages suffered as a result of the unlawful processing of his personal data.
(12) New Zealand should therefore be regarded as providing an adequate level of protection for personal data as referred to in Directive 95/46/EC.
(13) This decision should concern the adequacy of protection provided in New Zealand with a view to meeting the requirements of Article 25(1) of Directive 95/46/EC. It should not affect other conditions or restrictions implementing other provisions of the Directive that pertain to the processing of personal data within Member States.
(14) In the interest of transparency and in order to safeguard the ability of the competent authorities in the Member States to ensure the protection of individuals as regards the processing of their personal data, it is necessary to specify the exceptional circumstances in which the suspension of specific data flows may be justified, notwithstanding the finding of adequate protection.
(15) The Working Party on the protection of individuals with regard to the processing of personal data established under Article 29 of Directive 95/46/EC has delivered a favourable opinion on the level of adequacy as regards protection of personal data in New Zealand(2), which has been taken into account in the preparation of this Implementing Decision.
(16) The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 31(1) of Directive 95/46/EC,
HAS ADOPTED THIS DECISION:
Article 1
1. For the purposes of Article 25(2) of Directive 95/46/EC, New Zealand is considered as ensuring an adequate level of protection for personal data transferred from the Union.
2. The competent supervisory authority for the application of the legal data protection standards in New Zealand is set out in the Annex to this Decision.
Article 2
1. Without prejudice to their powers to take action to ensure compliance with national provisions adopted pursuant to provisions other than Article 25 of Directive 95/46/EC, the competent authorities in Member States may exercise their existing powers to suspend data flows to a recipient in New Zealand in order to protect individuals with regard to the processing of their personal data in the following cases:
(a) where a competent New Zealand authority has determined that the recipient is in breach of the applicable standards of protection; or
(b) where there is a substantial likelihood that the standards of protection are being infringed, there are reasonable grounds for believing that the competent New Zealand authority is not taking or will not take adequate and timely steps to settle the case at issue, the continuing transfer would create an imminent risk of grave harm to data subjects and the competent authorities in the Member State have made reasonable efforts in the circumstances to provide the party responsible for processing established in New Zealand with notice and an opportunity to respond.
2. The suspension shall cease as soon as the standards of protection are assured and the competent authority of the Member States concerned is notified thereof.
Article 3
1. Member States shall inform the Commission without delay when measures are adopted on the basis of Article 2.
2. The Member States and the Commission shall inform each other of cases where the action of bodies responsible for ensuring compliance with the standards of protection in New Zealand fails to ensure such compliance.
3. Where information gathered under Article 2(1) and under paragraphs 1 and 2 of this Article provides evidence that any body responsible for ensuring compliance with the standards of protection in New Zealand is not effectively fulfilling its role, the Commission shall inform the competent New Zealand authority and, if necessary, present draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC with a view to repealing or suspending this Decision or limiting its scope.
Article 4
The Commission shall monitor the functioning of this Decision and report any pertinent findings to the Committee established under Article 31 of Directive 95/46/EC, including any evidence that could affect the finding in Article 1 of this Decision, that protection in New Zealand is adequate within the meaning of Article 25 of Directive 95/46/EC and any evidence that this Decision is being implemented in a discriminatory manner.
Article 5
Member States shall take all the measures necessary to comply with this Decision until 20 March 2013.
Article 6
This Decision is addressed to the Member States.
Done at Brussels, 19 December 2012.
For the Commission
Viviane REDING
Vice-President
(1)
OJ L 281, 23.11.1995, p. 31
.
(2) Opinion 11/2011 dated 4 April 2011 on the level of protection of personal data in New Zealand. Available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp182_en.pdf
ANNEX
Competent supervisory authority referred to in Article 1(2) of this Decision:
Privacy Commissioner:
Te Mana Matapono Matatapu
Level 4
109-111 Featherston Street
Wellington 6143
New Zealand
Tel: +64-4-474 7590
Contact e-mail: enquiries@privacy.org.nz
Website: http://privacy.org.nz/
Feedback