New Zealand’s privacy laws still “adequate” for EU — what does this mean for New Zealand?

Digital identity scanner
Related expertise
Special Counsel

Following the European Union (EU)’s review of its existing adequacy decisions involving New Zealand and ten other countries, it’s concluded that personal data transferred from the EU to New Zealand continues to have adequate data protection safeguards.

As a result, data can continue to flow freely and well protected between the EU and New Zealand without additional requirements. This is great news for New Zealand.

Why retaining adequacy status is important for New Zealand

Adequacy status creates a network of thirty states assessed by the EU against the highest standards of data safeguards. This network allows free flow of personal data, encouraging commercial channels and trade agreements without the need for further data safeguards or authorisation. On a global scale, states with adequacy status are seen as safe data destinations and are more attractive to trade with.

By maintaining this status, New Zealand indicates that it has high data safety standards and encourages international data sharing and trade with New Zealand, as well as facilitating deeper cooperation between New Zealand and the EU community.

The EU’s adequacy decision about New Zealand was initially adopted in 2012, and since then New Zealand ’s privacy landscape has evolved significantly. Therefore, this recent EU review involved consideration of many important developments in New Zealand.

What did the EU assess?

In its ‘adequacy assessment’ the EU assessed whether New Zealand continues to ensure a sufficient level of protection for personal data to be transferred to and from the EU.

The review measures adequacy against the protection of data standards currently in place within the EU which are considered to be some of the strongest privacy and security laws in the world.

Adequacy assessment is focused on legislative developments and regulatory reforms in the data protection frameworks and enforcement practices of New Zealand authorities or case law. The adequacy test requires an ‘essentially equivalent’ level of protection to the EU.

Key highlights from the adequacy assessment

In its review, the EU recognised New Zealand’s increased level of data protection since the comprehensive reforms introduced in the Privacy Act 2020 (Privacy Act). The EU concluded that New Zealand continues to provide an adequate level of protection for personal data transferred between the EU and New Zealand.

The EU also acknowledged the recent introduction of the Privacy Amendment Bill 2023 (Bill) before Parliament and will continue to monitor its progression. The Bill proposes amendments to the Privacy Act to further strengthen existing transparency requirements and create additional disclosure requirements, including requiring agencies to notify individuals if their information has been indirectly collected.

If you have any questions about what New Zealand’s adequacy status means for your organisation, please feel free to get in touch with a member of our data protection and privacy team.

Disclaimer: The content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.​

Related insights

Find an expert