“34 Individuals may make information privacy requests

• An information privacy request may be made only by an individual.”

• “(1A) The Commissioner may authorise a public sector agency to impose a charge in respect of the matter referred to in section 35(1)(e) if the information privacy request is received from, or on behalf of, an individual who—

  • “(a) is residing outside New Zealand; and

  • “(b) is not a New Zealand citizen or a permanent resident of New Zealand.”

“72C Referral of complaint to overseas privacy enforcement authority

• “(1) Where, on receiving a complaint under this Part, the Commissioner considers that the complaint relates, in whole or in part, to a matter that is more properly within the jurisdiction of an overseas privacy enforcement authority, the Commissioner may consult with that authority in order to determine the appropriate means of dealing with the complaint.

  “(2) As soon as practicable after consulting with the overseas privacy enforcement authority under subsection (1), the Commissioner must determine whether the complaint should be dealt with, in whole or in part, under this Act.

  “(3) If the Commissioner determines that the complaint should be dealt with, in whole or in part, by the overseas privacy enforcement authority, and both the authority and the complainant agree, the Commissioner may refer the complaint or, as the case requires, the appropriate part of the complaint, to the authority to be dealt with.

  “(4) In this section, overseas privacy enforcement authority or authority means any overseas public body that is responsible for enforcing legislation that protects personal information, and that has the power to conduct investigations and pursue enforcement proceedings.”

“Part  11A
“Transfer of personal information outside New Zealand

“114A Interpretation

• In this Part, unless the context otherwise requires,—

  “OECD Guidelines means the Organisation for Economic Co-operation and Development Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data

  “State includes any State, territory, province, or other part of a country

  “transfer prohibition notice means a notice given under section 114B prohibiting the transfer of personal information from New Zealand to another State.

“114B Prohibition on transfer of personal information outside New Zealand

• “(1) The Commissioner may prohibit a transfer of personal information from New Zealand to another State if he or she is satisfied, on reasonable grounds, that—

  • “(a) the information has been, or will be, received in New Zealand from another State and is likely to be transferred to a third State where it will not be subject to a law providing comparable safeguards to this Act; and

  • “(b) the transfer of the information may circumvent the privacy or data protection laws of the State from which it has been, or will be, received; and

  • “(c) the transfer would be likely to lead to a contravention of the basic principles of national application set out in Part Two of the OECD Guidelines (as defined in section 114A).

  “(2) In determining whether or not to prohibit a transfer of personal information, the Commissioner must also consider, in addition to the matters set out in subsection (1) and section 14, the following:

  • “(a) whether or not the transfer affects, or would be likely to affect, any individual; and

  • “(b) the general desirability of facilitating the free flow of information between New Zealand and other States; and

  • “(c) any existing or developing international guidelines relevant to transborder data flows, including (but not limited to)—

    • “(i) the OECD Guidelines:

    • “(ii) the European Union Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.

  “(3) Subsection (1) does not apply if the transfer of the information, or the information itself, is—

  • “(a) required or authorised by or under any enactment; or

  • “(b) required by any convention or other instrument imposing international obligations on New Zealand.

“114C Transfer prohibition notice

• “(1) A prohibition under section 114B(1) is to be effected by the service of a transfer prohibition notice on the agency proposing to transfer the personal information concerned.

  “(2) A transfer prohibition notice must—

  • “(a) state the name of the agency to whom it relates; and

  • “(b) describe the personal information concerned; and

  • “(c) state that the transfer of the personal information concerned from New Zealand to a specified State is prohibited either—

    • “(i) absolutely; or

    • “(ii) until the agency has taken any steps stated in the notice to protect the interests of any individual or individuals affected by the transfer; and

  • “(d) state the time when the notice takes effect; and

  • “(e) state the ground for the prohibition; and

  • “(f) state that the agency on whom the notice is served may lodge an appeal against the notice to the Human Rights Review Tribunal, and the time within which the appeal must be lodged.

  “(3) The time when the notice takes effect under subsection (2)(d) must not be before the end of the period within which an appeal against the notice can be lodged.

  “(4) If an appeal is brought, the notice does not take effect pending the determination or withdrawal of the appeal.

  “(5) If the Commissioner, by reason of special circumstances, considers that the prohibition should take effect as a matter of urgency in relation to all or any part of the notice,—

  • “(a) subsections (3) and (4) do not apply; and

  • “(b) the notice takes effect on the sixth working day after the date on which the notice is served; and

  • “(c) the notice must include—

    • “(i) a statement that the Commissioner considers that the prohibition must take effect as a matter of urgency; and

    • “(ii) a statement of the reasons why the Commissioner has reached that conclusion.

  “Compare: Data Protection Act 1988 s 11 (Ire)

“114D Commissioner may vary or cancel notice

• “(1) If, at any time, the Commissioner considers that all or any of the provisions of a transfer prohibition notice served on an agency need not be complied with in order to avoid a contravention of basic principles of privacy or data protection, the Commissioner may vary or cancel the transfer prohibition notice by serving notice to that effect on the agency concerned.

  “(2) An agency on whom a transfer prohibition notice has been served may, at any time after the end of the period during which an appeal under section 114F(1)(a) can be lodged, apply in writing to the Commissioner for the notice to be varied or cancelled under subsection (1).

  “(3) The Commissioner must, within 20 working days after the date on which an application under subsection (2) is received, notify the agency of—

  • “(a) his or her decision; and

  • “(b) his or her reasons, if the application is refused.

  “(4) If the Commissioner exercises his or her discretion under subsection (1), the variation or cancellation of the transfer prohibition notice takes effect on the day after the date on which notice of the Commissioner’s decision to vary or cancel the transfer prohibition notice is served.

  “Compare: Data Protection Act 1998 s 41 (UK)

“114E Offence in relation to transfer prohibition notice

• Every person who, without reasonable excuse, fails or refuses to comply with a transfer prohibition notice commits an offence and is liable on summary conviction to a fine not exceeding $10,000.

“114F Appeals against transfer prohibition notice

• “(1) An agency on whom a transfer prohibition notice is served may appeal to the Human Rights Review Tribunal—

  • “(a) against the whole or any part of the notice; or

  • “(b) if the notice contains a statement by the Commissioner in accordance with section 114C(5)(c), against the decision to include that statement in respect of all or any part of the notice; or

  • “(c) against the decision of the Commissioner to vary the notice in accordance with section 114D(1); or

  • “(d) against the refusal of an application under section 114D(2) to vary or cancel the notice.

  “(2) An appeal under subsection (1) must be lodged,—

  • “(a) in the case of an appeal under subsection (1)(a) or (b), within 15 working days from the date on which the transfer prohibition notice was served on the agency concerned:

  • “(b) in the case of an appeal under subsection (1)(c) or (d), within 15 working days from the date on which notice of the decision or refusal was served on the agency concerned.

  “(3) The Tribunal must allow an appeal or substitute any other decision or notice that could have been made or served by the Commissioner if it considers that—

  • “(a) the decision or notice against which the appeal is brought is not in accordance with the law; or

  • “(b) to the extent that the decision or notice involved an exercise of discretion by the Commissioner, he or she ought to have exercised his or her discretion differently.

  “(4) The Tribunal may review any determination of fact on which the decision or notice in question was based.

  “(5) On any appeal under subsection (1)(b), the Tribunal may—

  • “(a) direct—

    • “(i) that the notice in question must have effect as if it did not contain the statement that is mentioned in the notice; or

    • “(ii) that the inclusion of the statement must not have effect in relation to any part of the notice; and

  • “(b) make any modifications required to give effect to that direction.

  “Compare: Data Protection Act 1998 ss 48, 49 (UK)

“114G Application of Human Rights Act 1993

• Section 87 and Part 4 of the Human Rights Act 1993 apply, with all necessary modifications (if any), in relation to proceedings under section 114F as if they were proceedings under that Act.”