New Zealand; United Kingdom: Memorandum of Understanding on Bilateral Cooperation on Privacy Enforcement Signed

On May 12, 2021, the information commissioner for the United Kingdom (U.K.) and the Office of the Privacy Commissioner for New Zealand (“the participants”) signed a Memorandum of Understanding for Cooperation in the Enforcement of Laws Protecting Personal Data (MOU). The MOU establishes a framework for cooperation between the participants, in effect, allowing both countries to cooperate on data protection issues and jointly investigate cross-border personal data incidents.   

The MOU, which is not binding, sets out “broad principles of collaboration” and a framework for sharing information and intelligence. Notably, the MOU acknowledges that the participants are not required to cooperate in circumstances in which cooperation would result in a breach of the General Data Protection Regulation (GDPR), as incorporated in the U.K.’s Data Protection Act 2018, or New Zealand’s Privacy Act 2020. The U.K. GDPR tailors the European Union GDPR, which relates to the protection and movement of personal data, following the U.K.’s split from the European Union.

New Zealand’s privacy commissioner, John Edwards, stated that the MOU would allow the two countries to work together in protecting the privacy and data rights of their respective citizens, while providing a framework for the sharing of intelligence between the two countries.

In a statement released by the Information Commissioner’s Office (ICO), the ICO noted that the MOU would allow for cooperation between the two countries by setting out how the authorities would share information and intelligence.

The Participants

As set out in the MOU, the privacy commissioner leads the Office of the Privacy Commissioner, which is New Zealand’s independent privacy and data protection regulator. (MOU cl. 3.1.) The privacy commissioner’s role is to monitor and examine the impact of technology on privacy, investigate complaints about breaches of individual privacy, monitor information-matching programs between government departments, and, among other things, assist the relevant government minister with making regulations relating to the disclosure of personal information outside New Zealand. (Cl. 3.2.) The privacy commissioner has the power to issue demand notices for investigations or inquiries, prosecute offenses under the act, and issue compliance notices. (Cl. 3.4.)

In the U.K., the ICO was established as an independent regulator for freedom of information and data protection. The role of the information commissioner, who is appointed by the Queen, is to uphold information rights in the public interest. This includes monitoring and enforcing data protection law and promoting good practice and adherence to data protection laws. The information commissioner has the power to issue warnings, notices, fines, and penalties to individuals and organizations. (Cl. 2.)

Key Aspects of the MOU

The scope of cooperation between the participants is set out in clause 4 of the MOU, which highlights that the participants are to cooperate in joint or parallel investigations on data protection and in the enforcement of their respective laws.

The MOU calls on each participant to share best practices on data protection policies, exchange information in potential or ongoing investigations, conduct joint investigations into “cross border personal data incidents involving organisations in both jurisdictions,” and convene bilateral meetings annually.  

Personal data is protected under the MOU, with the MOU making it clear that the participants will not share personal data. In circumstances in which personal data is to be shared, each party is to comply with its respective data protection laws. (Cl. 5.)

With respect to the sharing of other information, the MOU sets out a series of steps to be taken by the information commissioner and privacy commissioner. (Cls. 6 & 7.) Information can be shared if it is in line with the object and purpose of, and in compliance with, each participant’s laws. In the event of a data breach, the participants agree to notify one another and ensure appropriate security measures are put in place. (Cl. 8.)

Prepared by Nabila Buhary, Law Library intern, under the supervision of Kelly Buchanan, Chief, Foreign, Comparative, and International Law Division II

Join Our Team

Subscribe Now

Get updates by subscribing to our newsletter