The Privacy Act 2020 of New Zealand uses the factor of an entity's link or presence in the jurisdiction to determine the applicability of the law, particularly for overseas agencies carrying on business in New Zealand.

Text of Relevant Provisions

Privacy Act 2020 Art.4(3)(b):

*"(3) For the purposes of subsection (1)(b), an agency may be treated as carrying on business in New Zealand without necessarily— * (b) having a place of business in New Zealand; or"

Privacy Act 2020 Art.4(5)(d)(ii):

*"(5) Section 212 applies to— * *(d) a person who is outside New Zealand if— * (ii) any event necessary to the completion of any offence under section 212 occurs in New Zealand."

Analysis of Provisions

The Privacy Act 2020 extends its applicability to overseas agencies based on their connection to New Zealand, even if they don't have a physical presence in the country. This is evident from Article 4(3)(b), which states that an agency may be considered as "carrying on business in New Zealand" without necessarily "having a place of business in New Zealand".

This provision significantly broadens the scope of the Act's applicability. It means that foreign entities can be subject to New Zealand's privacy laws if they are deemed to be carrying on business in the country, regardless of whether they have established offices or other physical infrastructure within New Zealand's borders.

Furthermore, Article 4(3) provides additional clarification on what constitutes "carrying on business in New Zealand". It states that an agency may be treated as carrying on business in New Zealand without necessarily:

(a) being a commercial operation; (b) having a place of business in New Zealand; (c) receiving any monetary payment for the supply of goods or services; or (d) intending to make a profit from its business in New Zealand.

This broad interpretation allows the Act to capture a wide range of entities and activities, potentially including non-profit organizations, volunteer groups, or even individuals providing services to New Zealand residents.

Article 4(5)(d)(ii) further extends the Act's reach to persons outside New Zealand if "any event necessary to the completion of any offence under section 212 occurs in New Zealand". This provision ensures that the Act can be applied to individuals or entities that may be involved in privacy breaches or offenses related to New Zealand, even if they are physically located outside the country.

Implications

The implications of these provisions are significant for businesses and organizations operating in or targeting New Zealand:

1. Global reach: Companies without a physical presence in New Zealand may still be subject to the Privacy Act 2020 if they are deemed to be carrying on business in the country. This could include online businesses, cloud service providers, or any entity that processes personal data of New Zealand residents.
2. Low threshold for applicability: The Act's broad definition of "carrying on business" means that even entities not receiving monetary payment or intending to make a profit could be subject to the law. This could potentially affect non-profit organizations, research institutions, or volunteer groups operating across borders.
3. Extraterritorial application: The Act's provisions regarding offenses committed outside New Zealand (Art. 4(5)(d)(ii)) mean that foreign entities must be cautious about their data handling practices even if they are not physically present in the country.
4. Compliance considerations: Overseas agencies targeting New Zealand consumers or processing New Zealand residents' data should carefully assess their obligations under the Privacy Act 2020, even if they don't have a local office or staff.
5. Potential for enforcement: The broad scope of applicability provides New Zealand authorities with a legal basis to pursue privacy breaches or non-compliance by foreign entities, as long as there is a sufficient connection to New Zealand.