The Privacy Act 2020 of New Zealand uses the factor of processing in the context of local establishment to determine its applicability, but with a broader scope that extends beyond just local establishments.

Text of Relevant Provisions

Privacy Act 2020 Art.4(1)(a):

"This Act (except section 212) applies to— (a) a New Zealand agency (A), in relation to any action taken by A (whether or not while A is, or was, present in New Zealand) in respect of personal information collected or held by A:"

Analysis of Provisions

The Privacy Act 2020 extends its applicability to New Zealand agencies regardless of their physical presence in the country. The key phrase "whether or not while A is, or was, present in New Zealand" indicates that the Act applies to actions taken by New Zealand agencies even if they are not physically present in New Zealand at the time of processing.

This provision goes beyond the traditional concept of processing in the context of local establishment. Instead of limiting the Act's applicability to processing related to activities of a local establishment, it applies to "any action taken" by a New Zealand agency in relation to personal information it collects or holds.

The broad scope is further emphasized by Art.4(2), which states:

"For the purposes of subsection (1)(a) and (b), it does not matter— (a) where the personal information is, or was, collected by the agency; or (b) where the personal information is held by the agency; or (c) where the individual concerned is, or was, located."

This provision explicitly removes any geographical limitations on the Act's applicability for New Zealand agencies. It doesn't matter where the data is collected, where it is held, or where the data subject is located.

Implications

The implications of this broad applicability are significant for New Zealand agencies:

1. Global reach: New Zealand agencies must comply with the Privacy Act 2020 for all their data processing activities, regardless of where they occur or where the data subjects are located.
2. No establishment loophole: Unlike some jurisdictions where companies might avoid compliance by processing data outside the country, New Zealand agencies cannot escape the Act's requirements by moving their data processing offshore.
3. Consistency in data protection: New Zealand agencies must maintain consistent data protection practices across all their operations, both domestic and international.
4. Extraterritorial effect: The Act effectively has an extraterritorial effect for New Zealand agencies, as they must comply with its provisions even when operating entirely outside of New Zealand.
5. Compliance challenges: New Zealand agencies operating globally may face challenges in reconciling the Act's requirements with potentially conflicting laws in other jurisdictions where they process data.