Last review date: 20 December 2024

Yes.

Under the Privacy Act, agencies wishing to disclose personal information to a foreign person or entity must only do so if they can satisfy one or more of the requirements listed in IPP 12. The Privacy Act defines a foreign entity or person as:

1. An individual who is neither:
   1. Present in New Zealand
   2. Ordinarily present in New Zealand
2. A body, incorporated or unincorporated, that:
   1. Is not established under the law of New Zealand
   2. Does not have its central control and management in New Zealand
3. The Government of an overseas country.

Transfers of personal data to third countries are only permissible if there is a legal basis for the processing/transfer and one of the following applies:

☒  approved adequate/whitelisted jurisdictions

☒  to holders of specific certifications or followers of specific code of conduct programs each approved by the relevant data protection and cybersecurity authority (e.g., EU-US Data Privacy Framework)

☒  approved standard contractual clauses

☒  other solutions

Please see separate question for information on data localization provisions that are not restricted to personal data.

Under IPP 12, an agency may only disclose personal information to a foreign person or entity if the agency can meet one or more of the requirements listed in IPP 12. The requirements are:

• The individual concerned authorizes disclosure after being expressly informed that the foreign person/entity may not be required to protect the information in a way that provides comparable safeguards to those under the Privacy Act.
• The foreign person/entity is carrying on business in New Zealand and is subject to the Privacy Act.
• The disclosing agency believes on reasonable grounds that the foreign person/entity is subject to laws that provide comparable safeguards to those under the Privacy Act.
• The disclosing agency believes on reasonable grounds that the recipient is a participant in a prescribed binding scheme.
• The disclosing agency believes on reasonable grounds that the recipient is subject to privacy laws of a prescribed country.
• The disclosing agency believes on reasonable grounds that the foreign person/entity is required to protect the information in a way that provides comparable safeguards to those under the Privacy Act, e.g., pursuant to an agreement between the disclosing agency and the foreign person/entity (noting that the Privacy Commissioner has provided Model Clauses for small/medium enterprises to use).

Under the Privacy Act:

• Prescribed binding scheme means a binding scheme specified in regulations made under Section 213 of the Privacy Act. Currently, no such regulations have been made.
• Prescribed country means a country specified in regulations made under Section 214. Currently, no such regulations have been made.

  Under Section 193 of the Privacy Act, the Privacy Commissioner may prohibit a transfer of personal information from New Zealand (by a transfer prohibition notice) to another State if the Privacy Commissioner is satisfied, on reasonable grounds, that:

• The information has been or will be received in New Zealand from another country and is likely to be transferred to a third country that will not be subject to a law providing comparable safeguards to the Privacy Act.
• The transfer would likely lead to a contravention of the basic principles of national application set out in Part Two of the OECD Guidelines and set out in Schedule 8 of the Privacy Act.

Note that the requirements of IPP 12 only apply to the disclosure of personal information to a foreign person or entity. It would not apply where the foreign person or entity will be held for or on behalf of the transferring agency.