Significant Changes To New Zealand Privacy Law

January 23rd, 2022 - Barbara Buckett

The Privacy Act 2020, which comes into force on 1 December 2020, introduces significant regulatory changes. The changes recognise increased globalisation and social media, and extend to overseas agencies and individuals.

Who is covered?

The 2020 Act explicitly applies to overseas agencies and individuals not ordinarily resident in New Zealand. Overseas agencies need not be in commercial operation or even have a place of business in New Zealand to be considered to be ‘carrying on business in New Zealand.’

This is particularly significant as the Courts have shown a reluctance to apply Acts extraterritorially unless explicitly provided.


The most significant and important change is the imposition of mandatory reporting duties.

The mandatory reporting requirement brings New Zealand in line with other countries like Australia, the United States and the European Union. Although the security of personal information has always been a feature of the Privacy Act 1993, the duty to report breaches of this principle has only been voluntary.

Agencies must notify both the Commissioner and affected individuals once they become aware that a notifiable privacy breach has occurred.

A notifiable privacy breach is a breach that will or will likely cause serious harm to affected individuals. The new Act sets out factors an agency must consider when assessing the likelihood of serious harm:

  • Whether the agency has taken steps to reduce the harm following the breach

  • Whether the personal information is sensitive in nature

  • The nature of the harm that may be caused

  • The person or body that has obtained (or may obtain) personal information as a result of the breach

  • Whether the personal information is protected by a security measure

  • Any other relevant matters.

The biggest question is whether any particular breach meets the notifiable threshold. The Commissioner has urged agencies to carefully consider whether a privacy breach is notifiable, noting that in some cases notifying an individual of a breach can cause more harm than the privacy breach itself. Over-reporting may also affect an agency’s security reputation.

On the other hand, failure to report a notifiable privacy breach is considered to be interference with the privacy of an individual and can result in a conviction and a $10,000 fine.

This creates a somewhat uneasy tension. In marginal cases an agency may need to choose between damage to its own reputation by reporting a breach on one hand, and running the risk of committing an offence under the Act on the other. Until we have the first precedents there is likely to be uncertainty as to the threshold for a breach to be notifiable.

More power for the Commissioner: compliance notices

Under the 1993 Act the Privacy Commissioner has limited ability to make binding decisions. The new Act grants the Commissioner wider power to issue compliance notices.

If an agency does not comply with a compliance notice (or appeal it), the Commissioner can take enforcement proceedings in the Human Rights Review Tribunal.

The Commissioner will have a more proactive role. He will no longer be reliant on privacy complaints to take action.

Cross-border disclosures

The 2020 Act adds a new principle to the 12 which exist under the 1993 Act, relating to cross-border disclosures. Agencies will need to consider whether information sent overseas is adequately protected, whether it be by the 2020 Act, by equivalent foreign privacy protection laws, or by contract.

The new Act clarifies that if agency A holds information as agent for agency B, the information is treated as being held by B. It will not be treated as being held by A unless A uses the information for its own purposes. This applies to cross-border disclosures. This means that storing information on cloud services such as Google Drive is not considered to be a cross-border disclosure.

Selected other changes

  • The new Act strengthens the protections around the fair collection of personal information, and expressly requires agencies to consider the circumstances when collecting personal information of children or young persons.

  • Agents have new grounds for refusing to release personal information to individuals. This is concerning as it limits individuals' right to access their personal information, although this is mitigated by the fact that the threshold for the new grounds of refusal is high.

  • The Act increases the maximum penalty for existing criminal offences from $2,000 to $10,000 and introduces new criminal offences, including destroying documents containing personal information in the knowledge that a Privacy Act request has been made.

Note: BuckettLaw takes no responsibility for the consequences of any actions taken on the basis of our articles. Any views expressed or comments made in an article are the writer's opinion only. The content in our articles does not constitute legal advice. If you need legal or expert advice you should obtain specific advice about your case or matter from a professional. For legal advice based on your individual situation please contact us to speak with one of our expert lawyers.
