disclosing personal information outside New Zealand – what you need to know



Share on facebook
Share on twitter
Share on linkedin
Share on email

In an increasingly global world, businesses need to disclose personal information to companies outside of NZ for many reasons, including for data hosting and storage.  The new Privacy Act 2020 (the Act) comes into effect from 1 December 2020, bringing with it a new privacy principle requiring NZ businesses to ensure privacy protections apply to personal information sent overseas.

This blog is our second in a series on upcoming law changes.  To learn more, check out our first blog on mandatory breach notifications or subscribe to our newsletter.  And  keep an eye out for our new template privacy policy that we’ll release shortly.

what is information privacy principle 12 (IPP12) and when does it not apply?

IPP12 enables NZ businesses to disclose personal information to a foreign person or entity who is subject to comparable privacy safeguards.  This seems broad, but there are two key exceptions:

  • cloud providers:  if the recipient of the personal information is an agent for the storage or processing of the information, and the agent does not use the personal information for its own purposes, the provision of personal information is not treated as a disclosure
  • foreign business also operating in NZ:  if the recipient of the personal information also carries on business in NZ (e.g. by offering services to New Zealanders through a website, holding NZ registered trade marks, or if its business involves the collection, use or disclosure of personal information in NZ on a repetitive or continuing basis) then the recipient is already subject to the Act, and you can disclose on this basis.  However, the recipient will obviously need to comply with the Act and you should make sure your contract with them requires this.

what if IPP12 applies?

Before disclosing personal information overseas, you must be satisfied that you have reasonable grounds to believe that the disclosure is permitted under IPP12. To be permitted, you must either be satisfied that comparable safeguards are in place or have the relevant individual’s authorisation to disclose their personal information to the recipient.

comparable safeguards

So how do you know if comparable safeguards are in place?.  You can do this two ways:

  • in your contract:  ensure your contract with the recipient has privacy safeguards comparable to the Act.  The Office of the Privacy Commission (OPC) has developed model clauses to add into their contracts to ensure comparable safeguards are in place.  These clauses are fill in the blanks, so you still need to ensure they are accurately populated.  However, these clauses are intended for SMEs with simple privacy disclosures. if your disclosure of personal information is complex and ongoing, or involves sensitive information (e.g. health information), you should develop your own clauses that address your particular needs in light of the requirements of the Act.
  • comparable privacy laws:  if you have a reasonable basis to believe that the  recipient is subject to comparable privacy laws to the Act (so the personal information will be protected in a similar way as if it were disclosed in NZ), you can disclose.  To be satisfied, you will need to assess the privacy laws to which the recipient is subject, including thinking about the scope of their privacy laws, the protections in place, if individuals can access and seek correction of their personal information, and if, in the recipient’s country, there is an appropriate complaints process and independent oversight and enforcement similar to the OPC in NZ

In regulations, the Government may prescribe that a country has comparable privacy safeguards, meaning no additional steps would be needed before you disclose personal information to a business in that country.  No regulations will be in place when the new Act becomes law.


If you aren’t satisfied that there are comparable safeguards, you can still send personal information overseas if disclosure is authorised by the individual to whom the information relates.  But, authorisation is not as simple as a short note at the bottom of your privacy policy.  You will need to ensure affected individuals are expressly informed that the business you are disclosing their information to may not protect their information in the same manner as in NZ.  And you must inform them clearly and upfront, about the way their information will be used, for what purpose, and by whom.

You’ve got 3 weeks to make sure your overseas disclosures of personal information meet the requirements of the new Act.  We suggest you review your relevant contracts now to ensure that you are ready to comply when the changes happen on 1 December 2020.

explore our other blog posts

Your End of FY To-Do List:  AGMs

This is the first in a small series that Kindrik Partners is working on, pulling together company admin to be thinking about when 1 April comes around each year. 
[partial name="mailchimp-newsletter-horizontal" dir="template-parts/components/component"]

are you based in southeast asia?

If so then you may prefer