The EU's new data protection regime will soon take effect - but what does this mean for us in New Zealand?
The General Data Protection Regulation (GDPR) will come into force on 25 May 2018. Companies subject to the GDPR will be required to comply with comprehensive rules regarding the use of personal data, including requirements for record keeping, data breach notification and data protection officers.
One of the key features of the GDPR is that it will apply outside of the EU in some cases. The GDPR regulates the processing of personal data by two types of entities. Firstly, all companies established in the EU will be subject to the GDPR. Secondly, non-EU companies will be required to comply with the GDPR if they process data in relation to: (a) offering goods or services in the EU; or (b) monitoring the behaviour of individuals present in the EU. If a non-EU company falls within (a) or (b) then the same GDPR rules will apply to them as if they were based in the EU.
As an example, a New Zealand company could be subject to the GDPR if it sells goods through an online store and these goods are "offered" to customers in Germany, e.g. the site can be accessed from German IP addresses, prices can be viewed in Euros, and goods can be shipped to a physical address in Germany. That company would be required to comply with the GDPR when collecting and processing data about German customers.
The GDPR is broadly consistent with New Zealand's Privacy Act, and New Zealand has been formally recognised as having an 'adequate level' of privacy protection to meet European standards. However, this doesn't mean that a New Zealand company will be able to comply with the GDPR simply by complying with the Privacy Act, as there are specific requirements in the GDPR that do not exist in the Privacy Act (e.g. the requirement to notify data breaches to the relevant authority).
It is also important to understand that New Zealand's 'adequate' status simply means that data can be lawfully transferred from the EU to New Zealand, as the EU recognises that New Zealand's privacy law is sufficiently robust to ensure the safety of personal data of EU individuals - it doesn't have the blanket effect of deeming all New Zealand companies and individuals to be EU privacy law-compliant. In addition, New Zealand's status may be revisited in light of the enhanced EU laws and the Privacy Act is accordingly under review (see our previous article for more information on this).
Some key points to remember are:
(1) If your company does not have a presence in the EU and does not process the data of EU residents then it is most likely that the GDPR will not apply to you.
(2) If the GDPR does apply, you will need to comply with all of the applicable rules, which may require you to go above and beyond what is required of you under New Zealand's Privacy Act.
(3) While the GDPR may not apply to you directly, if you have business dealings with a company to which the GDPR does apply, that company may try to pass some of its obligations under the GDPR on to you through contract.
If you are unsure what the GDPR rules are, or how they apply to you, you should seek advice before the new regime comes into effect in May.