Data plays a crucial role in the operations of all businesses. Organisations that store and collect data – especially personal data – are subject to legal obligations to ensure the privacy of the individuals from whom that data is collected. Increasingly, those organisations are beginning to appreciate that compliance with those legal obligations is not enough: consumers are demanding more and more transparency in terms of where their data is held, and who might (legally or otherwise) have access to it.
This increased scrutiny has led to many New Zealand-based organisations taking steps to put an end to the traditional ‘OE’ for the personal data they process. Rather than waving goodbye to personal data as it departs on a journey to servers across the world, more and more organisations are looking to on-shore their data processing activities – all in the name of ‘data sovereignty’.
‘Data sovereignty’ is the notion that data is subject to the laws of the country within which it is stored.
Many businesses use cloud-based servers that physically exist outside of New Zealand. While historically off-shore data centres have been the only option for those seeking the right level of scale and connectivity, sending the data to another jurisdiction exposes that data to the laws of (and reach of) another state – with potentially significant risks for an organisation, and its customers or employees whose information has been transferred.
Where the state in which the data is to be held has data protection, privacy, and human rights laws that broadly align with the laws of the jurisdiction in which the data was collected, individuals can more or less trust that their data will be treated with the same respect as it would receive at home.
However, where the laws of the state diverge significantly from those of the home jurisdiction – especially where those laws grant the state itself generous search and surveillance powers – individuals might inadvertently find themselves and their data subject to a legal regime that is far removed from that which otherwise applies to their interaction with the organisation which originally collected their data.
Data protection and privacy laws the world over look to regulate the manner in which data – in particular, personal data – can be disclosed and/or transferred across borders.
The most well-known regime exists under the EU’s General Data Protection Regulation (known as the ‘GDPR’). Under the GDPR, all cross-border transfers of personal data collected from EU-based data subjects are subject to strict controls.
These controls include:
In New Zealand, the Privacy Act 2020 takes a ‘lighter touch’ approach.
When the Act came into force in December 2020, it introduced a new information principle, or ‘IPP’, regulating the cross-border ‘disclosure’ of personal information: IPP 12. While, ostensibly, IPP 12 broadly mirrors the equivalent GDPR regime, there is one crucial difference: it only applies to a ‘disclosure’ of personal information offshore. A simple ‘transfer’ of personal information to a service provider who will only process it as ‘agent’ for a New Zealand-based agency is not captured.
New Zealand-based organisations might think that simply complying with the Privacy Act is the end of the story.
However, those with the ability to do so are increasingly demanding that data is processed locally where feasible: more and more users of cloud-based services are stipulating the onshoring of data in their contracts with service providers, in order to minimise risks associated with the storage of data overseas. As is the case with service providers exposed to the complexities of the GDPR and tensions with transfers to the US, savvy service providers are giving their customers the option to hold their data locally (or, if not locally, in a jurisdiction where a full assessment of the risks of storing data has been undertaken).
This is particularly prevalent in the health space and in respect of health information, where requirements to hold and process data within New Zealand are becoming commonplace, in part due to the ethical factors that need to be taken into account when considering the appropriateness of sending data offshore. Other Aotearoa-specific considerations are also at play – in particular, the concept of Māori data sovereignty, which expressly recognises the rights and interests that Māori have in relation to their data, which is considered taonga.
And given the reputational risk of foreign governments being seen to ‘snoop’ around consumers’ personal data, organisations that collect information directly from the public need to carefully consider the impact on consumer trust if they themselves rely on service providers who will process their consumers’ personal data off-shore.
Such market trends have seen New Zealand become a hotbed of investment in data centre infrastructure in recent years. Microsoft announced in 2020 its plans to establish its first data centre region in New Zealand, as did Amazon Web Services (AWS) late last year.
Although data sovereignty and customer demands are seen as the key drivers for this, New Zealand also offers a stable regulatory environment and comparatively green electricity to feed energy-intensive data centres.
While this is seen as a win for the local economy, data held within New Zealand data centres of overseas tech companies may still be subject to the ‘long arm’ of overseas laws.
For instance, United States-based tech companies are subject to the Clarifying Lawful Overseas Use of Data Act (known as the ‘CLOUD Act’), meaning US authorities can access data physically held by them in New Zealand for a number of reasons, including for the prevention of terrorism and cybercrime. In theory, this sharing of data would be subject to appropriate safeguards: whether that is the case in practice remains to be seen.
How this tension between data residency and data sovereignty plays out in the future will be key to watch.
Every cloud has a silver lining. New Zealand-based and owned cloud provider Catalyst Cloud was this month appointed to the All-of-Government Cloud Framework Agreement, signalling a willingness of key industry players like the New Zealand Government to move towards engaging local service providers. The confidence shown in local providers is likely to see more investment still in the establishment of domestic data centre infrastructure.
Given the increasing focus on data sovereignty, New Zealand organisations would do well to consider whether it is now the time to ‘Buy New Zealand Made’ when it comes to their data hosting requirements – and time to put out the ‘Welcome Home’ mats for Kiwi personal data held off-shore.
This article was written with the assistance of Megan Jury, a law graduate in the technology practice of Dentons Kensington Swan’s Wellington office.
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Dentons | Attorney Advertising
Copyright © JD Supra, LLC