Not Entirely Adequate but Far Away: Lessons from how Europe Sees New Zealand Data Protection

Privacy Laws & Business International Report, Issue 111, 8‐9, July 2011

UNSW Law Research Paper No. 2011-44

3 Pages Posted: 25 Nov 2011 Last revised: 7 Feb 2012

See all articles by Graham Greenleaf

Graham Greenleaf

Macquarie University - Macquarie Law School (Sydney, Australia)

Lee A. Bygrave

Norwegian Research Center for Computers and Law - Law Faculty, University of Oslo

Date Written: October 27, 2011

Abstract

The principal legal criteria for assessing a data protection regime are the rules of EU’s data protection Directive 95/46/EC (and more precisely article 25 of the Directive) as construed and applied by the EU Court of Justice. There are as yet no decisions of the Court interpreting the concept of “adequacy”. The principal methodological criteria for assessing a data protection regime are set out by the Article 29 Data Protection Working Party in two ‘Opinions’ by it in 1997 and 1998. While the core criteria suggested by the Working Party are not in themselves legally binding, they are the considered view of Europe’s data protection authorities as to what constitutes “adequacy”. The criteria have formed an important point of departure for European Commission decisions on the adequacy of third country regimes — decisions that are legally binding.

The Working Party’s favourable ‘Opinion 11/2011 on the level of protection of personal data in New Zealand’ (4 April 2011) is the first time a non-European country with legislation that largely predates Directive 95/46/EC and is modelled primarily on the 1980 OECD Guidelines on data protection has been given an adequacy finding. Moreover, the recommendation of adequacy has been given despite considerable shortcomings in the NZ data protection regime. This not only reiterates the by now trite point that adequacy does not equal equivalence, it also illustrates how much variation from the criteria set out in 1997 and 1998 is accepted as not preventing a finding of adequacy. So it is valuable to consider the Opinion in some detail, particularly with a view to drawing lessons on the balance that the Working Party is ready to strike between pragmatism and formalism.

This article concludes that the reasons given by the Working Party for finding adequacy despite putative weaknesses in New Zealand’s regime are primarily very practical ones relating to the geographical and economic position of New Zealand: its relative geographic isolation; the limited EU-sourced data likely to be transferred to New Zealand (which minimises the problem of onward transfers); and the reciprocal lack of direct marketing into the EU that could be expected from NZ. This Opinion signals significant pragmatic preparedness on the part of the Working Party. It also underlines the fact that it is the effect of a third party’s laws on EU citizens that counts toward adequacy, not the effect on the country’s own citizens. It will be relatively rare that personal data on EU citizens ends up in New Zealand, so a good deal of tolerance of variation from the core principles previously set out by the Working Party is permitted by them in delivering an adequacy opinion. We could say (with some exaggeration) that the standard of adequacy is in inverse proportion to proximity, provided that ‘proximity’ is considered to include the economic and social, not only the geographical.

In a country like India, where outsourcing of the processing of European data is of large scale, as are other forms of business and travel involving personal data, different considerations are likely to apply. In Europe they probably will not say ‘Delhi is far away’, even though they have found that Wellington is.

Suggested Citation

Greenleaf, Graham and Bygrave, Lee A., Not Entirely Adequate but Far Away: Lessons from how Europe Sees New Zealand Data Protection (October 27, 2011). Privacy Laws & Business International Report, Issue 111, 8‐9, July 2011, UNSW Law Research Paper No. 2011-44, Available at SSRN: https://ssrn.com/abstract=1964065

Graham Greenleaf (Contact Author)

Macquarie University - Macquarie Law School (Sydney, Australia) ( email )

North Ryde
Sydney, New South Wales 2109
Australia

HOME PAGE: http://www2.austlii.edu.au/~graham/

Lee A. Bygrave

Norwegian Research Center for Computers and Law - Law Faculty, University of Oslo ( email )

PO Box 6706 St Olavsplass
Oslo, 0130
Norway

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
210
Abstract Views
1,596
Rank
295,205
PlumX Metrics