The EU Data Protection Directive (1995/46/EC) (“Directive”), which applies to all of the 30 EEA countries (i.e. the 27 EU Member States together with Iceland, Liechtenstein and Norway), imposes extensive obligations on those who collect personal data (“data controllers”) as well as conferring broad rights on individuals about whom data is collected (“data subjects”). In particular, Article 25(1) of the Directive provides that personal data may only be transferred by data controllers to a country outside the EEA if such country provides an adequate level of protection.
The Commission has the power to determine whether a non-EEA third country ensures an adequate level of data protection, with the list of formally approved third countries being known as the ‘White List’. The recent decision to add New Zealand to the White List therefore constitutes formal recognition that New Zealand’s Privacy Act 1993 meets the standards required by the Directive and ensures the adequate protection of EU citizens’ personal data when processed in New Zealand.
EU White List
The White List of approved countries now comprises the following 11 countries: Andorra; Argentina; Canada; Faeroe Islands (with certain limitations); Guernsey; Isle of Man; Israel (with certain limitations); Jersey; New Zealand; Switzerland; Uruguay. In addition, although no general finding of adequacy has been made in relation to the United States, personal data can be transferred to organisations in the US which have signed up to the US Department of Commerce’s Safe Harbour scheme.