Cooperating with international privacy regulators
After a decade of concerted effort, cooperation is well embedded and supported by inter-governmental organisations and regulatory networks.
IRC option: Enforcement cooperation
Read more about the cooperation options
Policy area/sector: Privacy
International regulatory cooperation for privacy law and enforcement has been prioritised and facilitated by privacy regulators such as the New Zealand Office of the Privacy Commissioner and transnational institutions (OECD, APEC). The institutions have developed and provided structures and leadership for the promotion and coordination of regulatory cooperation.
The main reason for cooperating has been to increase policy and regulatory effectiveness across borders, by ensuring that activities and people are not able to escape the reach of the law. It has centred on establishing arrangements for enforcement cooperation, including agreements to provide mutual assistance for enforcement action.
It has resulted in measures to align New Zealand law with international norms, support enforcement cooperation and attain European recognition. The work is ongoing and evolving. It shows the potential of cooperation to mature from informal to more formal arrangements.
Lessons learnt
Don’t expect instant success
It’s unrealistic to expect instant success in cross-border enforcement. Success has depended on international engagement and developing common regulatory tools.
Engage in regional, global, and specialised forums
Cross-border cooperation remains challenging, requires effort, and the differences between privacy law and variable cross border enforcement provisions are an impediment to further progress. The lack of a single global standard for privacy law means that engagement in multiple regional, global and specialised forums is often necessary to be effective.
Network with overseas peers
Privacy authorities have networked with their peers for many years through global networks (International Conference of Data Protection and Privacy Commissioners now known as the Global Privacy Assembly), regional networks (Asia Pacific Privacy Authorities forum), and, more recently through specialised enforcement networks; Global Privacy Enforcement Network(GPEN) and the APEC Cross-border Privacy Enforcement Arrangement (CPEA).
Connect with stakeholders
Regulators and privacy enforcement bodies engage with stakeholders such as global business, privacy professionals and civil society.
Take a consistent approach to describing law
For example, the Asia-Pacific Economic Cooperation forum gets each economy to describe its privacy laws in a structured, standardised way called an Individual Action Plan or Data Privacy IAP.
Data Privacy Individual Action Plan(external link) — APEC
Trans-national information flows make cooperation essential
The role of the New Zealand Privacy Commissioner was established under the Privacy Act 1993 to regulate how organisations collect, use, disclose, store and give access to personal information. The New Zealand Privacy Commissioner’s Office supports the Privacy Commissioner to develop and promote a culture in which personal information is protected and respected.
The Privacy Act 2020 came into force on 1 December 2020, replacing the Privacy Act 1993. The new Act introduced greater obligations for businesses and organisations and gave the Privacy Commissioner additional compliance and enforcement powers. The new Act also contains a provision enabling the New Zealand Privacy Commissioner to share information with overseas privacy enforcement authorities (section 207).
The Privacy Commissioner is an independent crown entity under the Crown Entities Act 2004, and acts independently in assessing compliance with the Privacy Act, include investigating breaches of privacy, taking enforcement action, issuing codes of practice, providing best practice advice to agencies and individuals, and examining how proposed policies, operational practices and legislation may affect individual privacy.
Privacy authorities exist in a majority of countries (known generically as Data Protection Authorities or Privacy Enforcement Authorities). While their mandates and powers are domestically oriented, they have cooperated for decades to share policy and regulatory experiences and are now increasingly cooperating internationally in enforcement. This trend reflects a response to the international nature of personal information flows (i.e. personal information being collected and stored overseas) and the digital economy, and the corresponding challenges of effective enforcement in this dynamic environment.
OECD and APEC instrumental in recent cooperative efforts
The adoption of the Organisation for Economic Cooperation and Development (OECD) Privacy Guidelines in 1980 was instrumental in the development of privacy policy and law. They emphasised that member countries had a common interest in protecting privacy and individual liberties, without unduly restricting the economic flow of information.
By 2007, the OECD was focusing on enforcement cooperation. That year it formally recommended and issued guidance for a more global and systematic approach to cross-border privacy law enforcement. This included guidance about domestic laws to support international cooperation. This enforcement focus also resulted in privacy authorities setting up the Global Privacy Enforcement Arrangement (GPEN) in 2010. GPEN is a network of privacy enforcement authorities. It works on the practical aspects of cooperation such as developing best practices and agreeing shared enforcement priorities. It has subsequently provided cooperation tools such as a secure platform for sharing enforcement-related information between participating authorities (called ‘GPEN Alert’).
In parallel, Asia-Pacific Economic Cooperation (APEC) adopted its 'Cross-border Privacy Enforcement Arrangement' (CPEA) in 2009. The arrangement provides a framework and network for privacy enforcement cooperation in the APEC region. It aims to facilitate information sharing and provide mechanisms to promote effective cross-border cooperation between privacy and data protection authorities. Any Privacy Enforcement Authority in an APEC country may participate. The Global Privacy Assembly also has the Global Cross Border Enforcement Cooperation Arrangement.
The Commissioner has been involved in these international developments and is a member of the 2 networks mentioned: GPEN, and APEC CPEA.
The OECD updated its Privacy Guidelines in 2013, including guidelines for its members about responding to the evolving regulatory challenges for privacy in the digital economy.
Prior to this, the Privacy (Cross-border Information) Amendment Act 2010 implemented aspects of the OECD’s 2007 formal recommendation. The Act made provision for a complaint to be transferred between jurisdictions supporting a degree of cooperation.
European Union law is influencing our cooperation and settings
The European Union (the EU) is regarded by many countries as a standard setter for privacy policy and law. The New Zealand Privacy Act 1993 was formally recognised by the European Commission in 2012 as meeting European legal standards of data protection thereby facilitating the free flow of personal data from EU countries to New Zealand for processing. This status is rare and provides New Zealand firms a comparative advantage, new digital business opportunities and lower trade barriers.
The EU’s General Data Protection Regulation (GDPR) came into effect on 25 May 2018. It aims to protect all EU citizens from privacy and data breaches. Organisations offering goods and services to EU citizens and undertaking relevant activities in the EU must comply. This means that New Zealand businesses doing business with EU residents or entities or that have a presence in the EU will need to demonstrate compliance. New Zealand maintains its adequacy status under the GDPR, but it will be reviewed in light of the GDPR’s new standards.
New Zealand’s recent privacy law reform efforts support cooperation
International cooperation and developments have influenced New Zealand privacy law reforms. Legislative authority is generally needed in order for regulators to share enforcement-related and investigative information with their counterparts overseas.
The Privacy (Cross-border Information) Amendment Act 2010 implemented aspects of the OECD’s 2007 formal recommendation. The Act made provision for a complaint to be transferred between jurisdictions supporting a degree of cooperation.
A new Privacy Act came into effect on 1 December 2020 and replaced the Privacy Act 1993. The new Act introduced greater obligations for businesses and organisations and gave the Privacy Commissioner additional compliance and enforcement powers The new Act also contains a provision enabling the New Zealand Privacy Commissioner to share information with overseas privacy enforcement authorities (section 207)
The practical tools to promote enforcement cooperation that have been developed through the OECD, APEC and regulator networks in the last decade include:
- Policy guidance for updating existing domestic privacy laws
- Practical guidance for cooperation such as templates for requesting cross-border assistance and information sharing agreement and directories of enforcement contact points.
The Office of the Privacy Commissioner has contributed to the development of the tools, and uses them for its enforcement activities.
References and sources
Global Privacy Enforcement Network(external link)
Privacy Commissioner: Te Mana Mātāpono Matatapu(external link)