Global Privacy Law Reform

18 June 2018

European Privacy Changes

The European Union (EU) has adopted a new General Data Protection Regulation (GPDR) which came into effect on 25 May 2018. GDPR is principally concerned with establishing a consistent set of requirements to protect EU citizens from privacy and data breaches. GDPR applies globally. Any entity that collects, uses or discloses (Processes) personal information of EU citizens (EU Information) is required to comply with GDPR. Failure to comply could result in fines of up to the greater of 4 percent of global annual turnover or €20M.

Impact on NZ businesses

A New Zealand based entity that offers goods and services to EU citizens is required to comply with GDPR. For example a NZ company with a sales based website that is designed to market and sell to EU citizens, is likely to Process EU Information. It does not matter if there is no physical EU office, EU based staff or other EU presence (other than the sales website). A globally accessible website is not sufficient to trigger GDPR provided that the website is not marketing to EU citizens, no EU orders can be transacted and no behavioural monitoring of EU citizens takes place.

GDPR Principles

Reduced to its simplest principles, GDPR only allows EU Information to be processed if:

  • the principles of lawfulness, fairness and transparency are complied with;

  • there are specific, explicit and legitimate purposes;

  • such information is relevant to the specific purpose, is in an identifiable format, is able to be kept securely, and is kept for no longer than necessary;

  • only the minimum amount of EU Information is Processed; and

  • such information is kept up to date, and any inaccurate personal data should be corrected or deleted.


In addition, processing of EU Information may only be undertaken if permitted by the GDPR, for example, where consent is given by the EU citizen (freely given, specific, informed and unambiguous), is required by contract, is required by law, is required to protect the EU citizen’s vital interests (i.e. medical emergency), is required by a public function or is permitted by the ‘legitimate interest’ of the entity or third party.

Specific GDPR Requirements

There are a number of specific GDPR requirements, as follows:

  • consent of the EU citizen must be able to be withdrawn as easily as given;

  • sensitive data is subject to higher levels of protection;

  • systems must be engineered using ‘privacy by design/default’ principles;

  • a privacy representative must be appointed in the EU;

  • mandatory breach notification to the relevant privacy authority is required where feasible within 72 hours of becoming aware of it, and in some instances the affected individual will also need to be notified;

  • transfer of personal information outside the EU is subject to specific requirements.

  • there are a number of rights granted to individuals such as access to information, rectification, deletion (right to be forgotten), restrict processing, transfer, object to data processing, opt out of automated decision making (i.e. profiling); and

  • record keeping to ensure compliance can be demonstrated.

Relationship with NZ Privacy Act

The Privacy Act 1993 (NZPA) controls how New Zealand based agencies collect, use, store and disclose 'personal information'. The NZPA implements a principles based system, which is administered and enforced by the NZ Privacy Commissioner.

A New Zealand based entity could therefore be subject to both the NZPA and GDPR. There is a significant amount of overlap between the GDPR and NZPA, however the GDPR generally has a higher standard of compliance as well as more specific requirements. As such, continuing with your NZPA compliance regime in relation to EU Information is not likely to satisfy the GDPR requirements.

How can you comply?

If your entity processes EU Information we recommend that you undertake a privacy review/impact assessment to ensure that your operations, policies and processes are compliant with the GDPR. There is a significant amount of information and other tools available on the Privacy Commissioners website ( Even if GDPR does not apply to your entity, this is a good opportunity to review your entity’s current operations, policies and processes comply with the NZPA regime.

If you have any questions about privacy, NZPA or GDPR, or want to be sure that you are complying with your privacy obligations, please feel free to contact us.


Chris Steenstra is a Senior Associate in the Commercial Corporate Team at Norris Ward McKinnon. You can contact Chris at [email protected]

Norris Ward McKinnon - Home Header - Chris Steenstra


Jess Collett is a Solicitor in the Commercial Corporate Team at Norris Ward McKinnon. You can contact Jess at [email protected]