Business lost waiting for EU privacy compliance

Six months after Parliament passed legislation to comply with European privacy laws, companies are still waiting for the all-clear to do business in Europe.

Privacy Commissioner Marie Shroff says at least one New Zealand business has told her they have lost potential clients through not being branded 'adequate' under European Union privacy standards.

Shroff would not name the company concerned, but says it is a contact centre operation that wishes to offer time-zone advantage in support of European companies. It cannot do this until the adequacy approval comes through.

The EU approval process has been in the works for more than a decade, but for part of that the sticking point was New Zealand's legislative process. The application had to be vetted by a group of data regulators from the 27 member states, known as the Article 29 Working Party, assistant commissioner Blair Stewart explains.

The application couldn't even be referred formally to the working party until the matter of cross-border dataflows was tackled by a bill tabled in the NZ Parliament. After initial referral in 2009, "our application sat in limbo awaiting final enactment of the Privacy (Cross-border Information) Amendment Act 2010 which happened in September 2010," Stewart says.

Further meetings and analyses are now in train. Formal recommendation for acceptance may happen next month, but there are further processes after that. "I have been told that these may take as long as a year though I am hopeful we might clear them in half that time with luck," Stewart says.