Applicability of Data Protection Law in New Zealand to Organizations Doing Business in the Jurisdiction

The factor of "doing business in the jurisdiction" is used to determine the scope of applicability of the Privacy Act 2020 within New Zealand. This factor ensures that the law applies to organizations that have a commercial presence or engage in economic activities within New Zealand, regardless of where the data processing occurs.

Text of Relevant Provisions

Privacy Act 2020 Art.4(1)(b):

"(1)  This Act (except section 212) applies to—

• (b) an overseas agency (B), in relation to any action taken by B in the course of carrying on business in New Zealand in respect of personal information collected or held by B:"*

Analysis of Provisions

The provision in Privacy Act 2020 Art.4(1)(b) establishes that the Act applies to any overseas agency that carries on business in New Zealand in relation to personal information collected or held by it. This extends the applicability of the Privacy Act to foreign entities with business activities in New Zealand.

• Scope of Application: The Privacy Act applies to both domestic and foreign entities that process personal data in the context of their business operations within New Zealand. This includes organizations that have an economic presence or regularly engage in commercial activities in New Zealand.
• Carrying on Business: The term "carrying on business" implies engaging in consistent and ongoing economic activities. This provision ensures that entities engaging in such activities in New Zealand are subject to the same data protection obligations as local businesses.

The rationale for including this factor in the law is to ensure comprehensive data protection for individuals in New Zealand by holding foreign businesses accountable for their data processing activities within the jurisdiction. This approach prevents regulatory gaps and ensures that personal data is protected regardless of the origin of the business.

Implications

For Businesses and Data Processors:

• Extended Compliance: Foreign businesses that carry on business in New Zealand must comply with the Privacy Act 2020. This includes adhering to principles related to the collection, storage, and processing of personal data as outlined in the Act.
• Regulatory Oversight: The New Zealand Privacy Commissioner has the authority to enforce compliance with the Privacy Act for these foreign entities, ensuring that data protection standards are upheld.
• Case Examples:
  • A multinational company with a subsidiary or branch office in New Zealand conducting regular business operations must comply with the Privacy Act 2020.
  • An international e-commerce platform that targets New Zealand consumers and processes their personal data must adhere to the Privacy Act, even if its main operations are outside New Zealand.
• Compliance Challenges: Foreign entities must understand and implement New Zealand's data protection laws, which may differ from those in their home countries. This may require legal adjustments and operational changes to align with the Privacy Act requirements.

By extending the Privacy Act's applicability to businesses that engage in regular practices in New Zealand, the law ensures that data protection standards are consistently applied, fostering trust and protecting the personal data of individuals within New Zealand.