The principal legal criteria for assessing a data protection regime are the rules of EU’s data protection Directive 95/46/EC (and more precisely article 25 of the Directive) as construed and applied by the EU Court of Justice. There are as yet no decisions of the Court interpreting the concept of “adequacy”. The principal methodological criteria for assessing a data protection regime are set out by the Article 29 Data Protection Working Party in two ‘Opinions’ by it in 1997 and 1998. While the core criteria suggested by the Working Party are not in themselves legally binding, they are the considered view of Europe’s data protection authorities as to what constitutes “adequacy”. The criteria have formed an important point of departure for European Commission decisions on the adequacy of third country regimes—decisions that are legally binding.
The Working Party’s favourable ‘Opinion 11/2011 on the level of protection of personal data in New Zealand’ (4 April 2011) is the first time a non-European country with legislation that largely predates Directive 95/46/EC and is modelled primarily on the 1980 OECD Guidelines on data protection has been given an adequacy finding. Moreover, the recommendation of adequacy has been given despite considerable shortcomings in the NZ data protection regime. This not only reiterates the by now trite point that adequacy does not equal equivalence, it also illustrates how much variation from the criteria set out in 1997 and 1998 is accepted as not preventing a finding of adequacy. So it is valuable to consider the Opinion in some detail, particularly with a view to drawing lessons on the balance that the Working Party is ready to strike between pragmatism and formalism.
This article concludes that the reasons given by the Working Party for finding adequacy despite putative weaknesses in New Zealand’s regime are primarily very practical ones relating to the geographical and economic position of New Zealand: its relative geographic isolation; the limited EU-sourced data likely to be transferred to New Zealand (which minimises the problem of onward transfers); and the reciprocal lack of direct marketing into the EU that could be expected from NZ. This Opinion signals significant pragmatic preparedness on the part of the Working Party. It also underlines the fact that it is the effect of a third party’s laws on EU citizens that counts toward adequacy, not the effect on the country’s own citizens. It will be relatively rare that personal data on EU citizens ends up in New Zealand, so a good deal of tolerance of variation from the core principles previously set out by the Working Party is permitted by them in delivering an adequacy opinion. We could say (with some exaggeration) that the standard of adequacy is in inverse proportion to proximity, provided that ‘proximity’ is considered to include the economic and social, not only the geographical.
In a country like India, where outsourcing of the processing of European data is of large scale, as are other forms of business and travel involving personal data, different considerations are likely to apply. In Europe they probably will not say ‘Delhi is far away’, even though they have found that Wellington is.
Computer Law | Cyberspace Law | Human Rights Law
Date of this Version
Graham Greenleaf and Lee Bygrave, "Not Entirely Adequate but Far Away: Lessons from How Europe Sees New Zealand Data Protection" (October 2011). University of New South Wales Faculty of Law Research Series 2011. Working Paper 47.