Source: New Zealand Privacy Commissioner – Blog
Privacy Commissioner John Edwards recently spoke to the Association of Southeast Asian Nations (ASEAN) Working Group on Digital Data Governance. The group had been discussing the use of the European Commission’s Standard Contractual Clauses for data transfers between EU and non-EU countries.
As part of the discussion, Mr Edwards was asked to also speak about New Zealand’s model contract clauses with respect to our new information privacy principle 12 (IPP 12). Like many New Zealand businesses and organisations, people have been curious about the model cross-border contract and how it works.
IPP 12 is a new principle in the Privacy Act 2020 which sets certain rules around sending personal information to organisations or people outside New Zealand. In short, if you want to disclose personal information to a foreign person or entity, you must believe on reasonable grounds that the personal information will be subject to comparable safeguards to those in the New Zealand Privacy Act.
One way for you to ensure that you are meeting your obligations under IPP 12 is for you and the foreign person or entity to enter into an agreement which sets out those safeguards. We commissioned the law firm Chapman Tripp to develop a set of plain English model contract clauses which are tailored to the requirements of the New Zealand Privacy Act. We also developed an online model contract builder which you can use to generate an agreement which incorporates those clauses. You can view those here.
We’ve answered some of your frequently asked questions about the contract so that you’re not left in the dark about your obligations when disclosing information overseas. Check out the FAQs.
We also encourage you to keep asking us questions about the model contract clauses and IPP 12 generally. We intend to update the FAQs on an ongoing basis. You can contact us here.
Nothing on our website constitutes legal advice. Please speak to your professional advisors for matters specific to you and your organisation, or find a professional advisor on our directory of privacy professionals.
If you’re a privacy professional with specific expertise in dealing with cross border disclosures, including model contract clauses, please contact us at email@example.com and we can specify on our directory that you deal with IPP 12 and cross border disclosure issues.
Model contract FAQs
These FAQs should be treated as general guidance and do not constitute legal advice. Please speak to your professional advisors for matters specific to you and your organisation, or find a professional advisor on our directory of privacy professionals.
What is the model contract? Who is it for?
IPP 12 relates to a New Zealand agency (a Discloser) disclosing personal information to a foreign person or entity (a Recipient).
Under IPP 12, a Discloser may only disclose personal information to a Recipient if the Discloser believes, on reasonable grounds, that the Recipient will (or is required to) protect the information in a way that provides comparable safeguards to those in the New Zealand Privacy Act.
One way in which the Discloser can be reasonably confident of this is by entering into an agreement with the Recipient that contains the necessary privacy safeguards. Our office has commissioned the law firm Chapman Tripp to develop an ‘off the shelf’ set of clauses that ensure that the Recipient puts in place privacy safeguards for the personal information shared between you and the overseas parties which are comparable to those provided in New Zealand.
The Discloser is already required to have these safeguards in place due to its obligations under the Privacy Act, so the model contract ensures that the Recipient must do the same – even if they are based overseas and don’t carry on business in New Zealand.
Our model contract tools are especially designed to make this task easier for small to medium enterprises in New Zealand. You can adopt the clauses wholesale, or you can pick and choose specific clauses as required. If you make changes to the clauses, you might need expert advice to make sure you are still complying with IPP 12.
Do we need to enter into this agreement?
Not necessarily. IPP 12 does not apply to all circumstances. You can find the circumstances in which personal information can be disclosed in IPP 11(1). Therefore, IPP 12 may not even apply to you!
If IPP 12 does apply, you still might not need to enter into an agreement with the Recipient – an agreement is just one of many ways for an agency to comply with IPP 12. Check out our decision tree for more information – your level of confidence will help confirm that the information you are disclosing will be protected in a comparable way to the New Zealand Privacy Act.
The advantage of using the agreement is that you can be confident that the personal information you’re disclosing overseas will be subject to a set of privacy safeguards for individuals.
We store personal information using a cloud service provider whose servers are held outside New Zealand. Do we need to enter into an agreement with the cloud service provider which incorporates the model clauses?
In most circumstances, no – you aren’t required by law to enter into such an agreement. This is because, for the purposes of the Privacy Act, you will (in most circumstances) remain responsible for the personal information that you put in the cloud servers.
Under section 11 of the Privacy Act, if an agency (Agency A) holds personal information as an agent for another agency (Agency B) (for example, the information is held by Agency A on behalf of Agency B for safe custody or processing), that personal information will be treated as being held by Agency B – not Agency A.
However, the personal information will be treated as being held by Agency A and Agency B if Agency A uses or discloses the information for its own purposes.
This means that, in most circumstances, you’ll be responsible for the personal information that you put in the cloud – not the cloud service provider.
Would a Recipient be willing to give the assurances in the agreement?
The question as to how willing a Recipient would be to give any assurance under the model contract (or any similar agreement) will depend on your commercial relationship and the circumstances specific to the parties.
What we can say is that, due to IPP 12, the onus is on you as the Discloser to ensure that the personal information is safeguarded.
Remember that, as the Discloser, the requisite test under IPP 12 is whether you believe on reasonable grounds that the Recipient is required to protect the information in a way that, overall, provides comparable safeguards to those in the Privacy Act.
The model contract is just that – a set of ‘model’ clauses. Parties are free to negotiate and modify the clauses as they see fit, so long as you (as the Discloser of the personal information) are satisfied on reasonable grounds that the Recipient will provide comparable safeguards to that personal information.
If you can’t get the Recipient to agree to the safeguards, you might need to review what personal information you disclose and see if you have other options.
How do we enforce the agreement if the Recipient is overseas?
The practical issue of enforcing contracts is very real, and this issue becomes even more difficult if the other party isn’t in New Zealand. This will depend on a myriad of factors (so please consult your legal advisers), but the most important consideration will be your commercial relationship with the Recipient. At the very least, a serious breach of contract by a provider will likely prompt a decision to move to a different provider – a loss of trust is a loss of business.
The key point for you as the Discloser is having a basis for believing that the disclosure complies with IPP 12. The model agreement would provide that basis and provide individuals with the option of enforcing their rights against the Recipient under New Zealand law.
If the Recipient is obliged to collect and use information in accordance with clause 1.1, what is the purpose of clause 1.2 (limits on use and disclosure)?
Clause 1.2 specifies the lawful purposes for which personal information may be collected and used which are specific to the relationship between (and agreed by) the Discloser and the Recipient.
Have a look at our example agreements for an idea of what a lawful purpose might be. One example is for travel, where one of the permitted lawful purposes is specified to be facilitating bookings with accommodation and tourism providers.
What is the purpose of clause 1.4 (accuracy)? Can the Recipient not rely on the Discloser (who has those same obligations under the Privacy Act 2020) to provide it with appropriately accurate information?
Not necessarily. Information can become out of date before it is used by the Recipient, or that information can be used more than once.
If personal information has been disclosed to the Recipient and is therefore now also being held by the Recipient, the Discloser won’t necessarily be in a good position to ensure that the personal information held by the Recipient remains accurate and up to date when the Recipient uses the information – especially if there is a time lag between disclosure and use.
How does clause 6 (rights of individuals if there is a breach of the agreement) relate to the obligations under IPP 12?
Clause 6.1 is designed to ensure that, if the Recipient breaches its obligations under the model contract and that breach is an ‘Interference with Privacy of an Individual’ (as that term is defined in the model contract), the individual in question has the same right to seek a remedy against the Recipient as they would against the Discloser in the same manner set out in Part 5 of the Privacy Act. The individuals concerned may also ask the Discloser to bring a claim against the Recipient on their behalf, though the Discloser isn’t necessarily required to do so (clause 6.3). Clause 6.2 confirms that individuals have this right even though they aren’t a party to the agreement.
Clause 6 of the model contract mirrors section 102 of the Privacy Act (remedies in respect of interference with privacy), so it looks to satisfy IPP 12 in this regard.
Last updated June 2021