New Report on Limits of “Consent” in New Zealand’s Data Protection Law
Authors: Elizabeth Santhosh and Dominic Paulger
Elizabeth Santhosh is a current law student at Singapore Management University and an FPF Global Privacy intern.
Today, the Future of Privacy Forum (FPF) and Asian Business Law Institute (ABLI), as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific,” are publishing the fourth in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).
This report provides a detailed overview of relevant laws and regulations in New Zealand, including:
- notice and consent requirements for processing personal data in New Zealand’s data protection law;
- the status of alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
- statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations.
The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.
New Zealand’s Data Protection Landscape
New Zealand is one of the few jurisdictions in APAC which, together with Hong Kong and Australia, passed comprehensive data protection legislation before the turn of the millennium.
The Privacy Act, which was first enacted in 1993 and then repealed and re-enacted in substantially updated form in 2020, provides the default rules for the processing of personal information under New Zealand law. These are articulated through the 13 Information Privacy Principles (IPPs), which provide, broadly, for the collection, use, and disclosure of personal information, as well as for its storage and security, access, correction, and retention, and for the use of unique identifiers.
This kind of “principles-based” data protection law is also seen in the data protection laws of Australia and Hong Kong; all three draw on the principles of the Organisation for Economic Co-operation and Development (OECD)’s 1980 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, including collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, and individual participation.
Beyond the IPPs, the Privacy Act also contains detailed provisions which establish the Office of the Privacy Commissioner to administer and enforce the Act. The Act also empowers the Commissioner to, firstly, investigate complaints regarding entities’ privacy practices, resolve disputes, and issue binding compliance notices, and secondly, issue binding codes of practice in relation to specific sectors or classes of personal information.
In 2012, New Zealand also became one of the few jurisdictions in APAC that has received an “adequacy decision” from the European Commission. This decision recognizes that New Zealand’s data protection laws provide an adequate level of data protection compared with that provided by European law for purposes of cross-border data transfers.
Role and status of consent in New Zealand
Consent – which the Privacy Act calls “authorisation” – plays a number of roles in the Privacy Act but unlike in other major data protection laws internationally, is not a standalone legal basis for collecting, using, or disclosing personal information.
The default position under the IPPs is that collection of personal information must be: (1) by lawful, fair, and non-intrusive means; (2) from the individual data subject, rather than a third party; and (3) necessary for a purpose which is connected with the organization’s functions or activities.
Subject to exceptions, organizations must also notify individuals when their personal data is collected by providing certain information, including the purpose for collecting the personal information.
Once organizations have collected personal information, they may use and disclose the information for the purpose of collection, or another purpose that is related to it, without having to obtain consent.
Authorization instead functions as one of several exceptions to the default rules in the Privacy Act.
First, an organization may collect personal information from a third party, or use or disclose personal information for a purpose that is unrelated to the purpose of collection, if the organization reasonably believes that the individual concerned has “authorized” the collection, use, or disclosure.
Second, authorization is one of several legal bases for cross-border transfer of personal information under IPP 12.
Read more about the role of consent in New Zealand’s Data Protection Law in the full report.
Read the previous reports in the series: