4 Feb 2023

Ministry's 'competing demands' delay red tape-cutting project for two years

12:55 pm on 4 February 2023
Padlock over a smartphone and EU map, symbolizing the EU General Data Protection Regulation or GDPR. Designed to harmonize data privacy laws across Europe.

Companies that comply with EU data protection laws would be prime contenders for a privacy white list, which would make it easier for New Zealand companies to do business with them. Photo: 123RF

Frustration is building over government promises to make it easier to do business abroad without hitting privacy tripwires.

The Justice Minister has had the power to change the rules for two years, to create a "white list" of countries you can readily share personal data with because their privacy systems have been okay-ed as at least as good as New Zealand's.

But the Ministry now admits it has been too hard pressed to get this done.

"The Ministry of Justice has not, as of yet, completed the process of prioritising the countries to be assessed by the Office of the Privacy Commissioner ... but will do so as soon as is practicable," the ministry told RNZ.

"This is due to competing demands and allocation of resources to other necessary work", especially work to fit in with a European Union review of privacy standards here.

The government consulted three years ago about the white-list powers, anticipating one or two countries a year might be assessed and given the all clear from 2022 onwards.

That has yet to occur, so all the risk of a privacy breach here from dealings overseas continues to sit with local companies.

Auckland corporate lawyer Nick Valentine said companies faced having to ask individuals to allow their data to be shared, or imposing demands on clients overseas, or having to research themselves if a country's privacy regime was strong enough, all of which could be very difficult.

A government signal of approval would save time, and nerves.

"It has been frustrating for our clients, both our local clients and our international clients that do business in New Zealand, that this power exists, but it has just been sitting idle for two years," Valentine said.

"This white-list framework ... would remove a lot of red tape and remove a lot of uncertainty for businesses.

"But, unfortunately, efficiency that could exist just hasn't eventuated."

A prime candidate for the white list would be any entity that complies with EU data protection laws.

The US is more problematic due to its intelligence agencies' ability to access personal data. Australia, too, does not have EU approval for its data protections in the way New Zealand did, Valentine said.

The white-list power was described as "one of the key changes" of amendments to the Privacy Act in 2020, law firm Bell Gully said late that year.

"The initial regulations will not be available until early 2022," it said.

That has not worked out.

The Justice Ministry in 2020 said it would be prioritising which countries to "prescribe" for privacy clearance. Law firms responded that it was "a great time to explain why country should receive priority assessment".

"It would be very enabling," Valentine said.

"Everyone would appreciate a bit more focus on simplifying this red tape around overseas transfers of personal information, really creating some efficiencies for cross-border data transfers and our ability to continue to do commerce in a modern environment with major trading partners."

Get the RNZ app

for ad-free news and current affairs