Reading time: 5 minutes

As the internet makes it easier to connect with others overseas, your business may engage with more international partners. This increased connectivity means sharing more information and conducting more business abroad. This is especially true if you engage in eCommerce and partner with global suppliers. Nonetheless, you still need to meet your obligations under New Zealand law. In particular, it is important to protect the privacy of New Zealand citizens. Certainly, this applies when you share your customers’ or employees’ personal information with overseas partners. The Privacy Act thus provides rules for when you can and cannot send such information overseas. This article will outline your legal obligations when sending personal information overseas.

Your New Zealand Privacy Law Obligations

If you deal with any personal information, you are an agency under New Zealand privacy law. For one thing, personal information includes identifying names or email addresses. Indeed, this means you need to handle this data with due care, according to the law’s standard. Evidently, these obligations apply to information across its life cycle at your business, as outlined below.

Collection

You can only collect information for a legitimate business purpose, from its direct source, in a legal and unintrusive way. You must inform the individual about what information you collect and why.

Storage

You must hold information only for as long as is necessary. If it is not meeting a purpose, you must dispose of it. Your customers and employees have the right to access and correct the personal information that you hold.

Security

You must implement reasonable security measures for the personal information you hold.

Usage

You can only use personal information for the purpose you disclosed at collection. The information must be accurate and up to date.

Disposal

You must dispose of information you do not need safely and securely.

Disclosure

You generally cannot disclose personal information unless you have permission, or that was why you collected it.

You must also follow the rules around unique identifiers in New Zealand. When you send personal information overseas, it is your responsibility to uphold these privacy obligations when you do so.

Who Can I Send Information To?

Additionally, you generally cannot send your customer or employees’ personal information to foreign businesses or organisations, unless:

  • you are sending personal information to their New Zealand branch, and they comply with New Zealand privacy law;
  • the overseas party meets the requirements for overseas disclosure; or
  • the overseas party stores or processes personal information as your agent, such as a cloud storage provider.

Although, if the information must be sent for law enforcement, or to prevent a serious threat to health and safety, an exception applies.

When Can I Send Information Overseas?

When sending personal information to an overseas entity, you must ensure you satisfy the Privacy Act’s requirements. It is legal when the other party:

  • does business in New Zealand, so our laws apply to them;
  • is in a country with privacy laws as strong as New Zealand’s;
  • contractually agrees to protect the personal information in line with New Zealand law; or
  • follows a binding privacy scheme that the New Zealand government approves.

Otherwise, you must have special permission from the individual who the information regards. You should inform them their information may not be protected as it would in New Zealand.

However, some countries have similar protections to New Zealand. For example, both Australia and the EU have privacy laws comparable to our own. Hence, you would be able to send personal information to both of these areas. 

Contractual Safeguards

Contractual safeguards enable you to ensure information is adequately handled when the overseas party does not have strong laws.

To do this, the Privacy Commission provides resources that can help you develop contract clauses. These clauses require that the other party meets the necessary standard of privacy protection. This way, you can be confident that you comply with your own obligations under New Zealand law as well.

To illustrate, these clauses would cover:

  • when the agreement starts;
  • who the parties are;
  • any other applicable contracts;
  • details of the information transfer;
  • permitted usage;
  • permitted disclosure;
  • security;
  • when the other party can delete information;
  • how they would handle a notifiable privacy breach;
  • local data laws;
  • termination clauses;
  • contact details; and
  • any special terms.

Key Takeaways

If your business deals with personal information, you should take reasonable steps to ensure its protection. Accordingly, when you send personal information overseas, it must meet the same privacy standard as in New Zealand. For more information or help sending personal information overseas, contact LegalVision’s data, privacy, and IT lawyers on 0800 005 570 or fill out the form on this page.

What qualifies as personal information?

Personal information is any information you can use to identify a living individual, including names, email addresses, and IP addresses. Even photos without any text or other identifiers qualify as personal information, as someone may recognise an individual in the photo.

Can I send personal information overseas? 

You can only send personal information overseas if you comply with the Privacy Act when doing so. This means making sure that the recipient will abide by rules as strict as New Zealand’s privacy laws.

What is cross border disclosure?

Cross border disclosure refers to sending personal information overseas. You can only do so if you meet the necessary legal requirements or have the individual’s informed consent the information applies to.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.

The majority of our clients are LVConnect members. By becoming a member, you can stay ahead of legal issues while staying on top of costs. From just $119 per week, get all your contracts sorted, trade marks registered and questions answered by experienced business lawyers.

Learn more about LVConnect

Need Legal Help? Get a Free Fixed-Fee Quote

If you would like to receive a free fixed-fee quote or get in touch with our team, fill out the form below.

Our Awards
  • 2019 Top 25 Startups - LinkedIn 2019 Top 25 Startups - LinkedIn
  • 2020 Excellence in Technology & Innovation – Finalist – Australasian Law Awards 2020 Excellence in Technology & Innovation Finalist – Australasian Law Awards
  • 2020 Employer of Choice – Winner – Australasian Lawyer 2020 Employer of Choice Winner – Australasian Lawyer
  • 2021 Fastest Growing Law Firm - Financial Times APAC 500 2021 Fastest Growing Law Firm - Financial Times APAC 500
  • 2021 Law Firm of the Year - Australasian Law Awards 2021 Law Firm of the Year - Australasian Law Awards
  • 2020 Law Firm of the Year Finalist - Australasian Law Awards 2020 Law Firm of the Year Finalist - Australasian Law Awards