Clym Logo
NZ flag

NZ

Privacy Act 2020 New Zealand

Overview

The New Zealand Privacy Act 2020 establishes a framework for the protection of personal information, and modernizes data protection laws in New Zealand, replacing the 1993 Act. It strengthens privacy rights, enhances business accountability, and introduces new compliance obligations, particularly regarding cross-border data transfers. The law applies to all businesses and organizations handling personal information in New Zealand, as well as overseas entities conducting business in the country.

Regulation Summary

  • June 30, 2020 – Privacy Act 2020 receives royal assent.
  • December 1, 2020 – The law takes full effect.
  • 2021–Present – Ongoing guidance and enforcement actions by the Office of the Privacy Commissioner.

  • All organizations operating in New Zealand, regardless of size or sector.
  • Overseas businesses handling New Zealanders' personal data in the course of their business activities.

  • Personal or household use of data.
  • News media engaged in journalistic activities.
  • Parliamentary, judicial, and governmental functions, including the Sovereign, the Governor-General, and the House of Representatives.
  • Law enforcement in certain cases.
  • Members of Parliament in their official capacity.
  • Ombudsmen and inquiries or boards of inquiry appointed under any Act.

  • Adopt 13 Information Privacy Principles (IPPs) for data collection, use, and disclosure.
  • Ensure lawful collection of personal data and use it only for stated purposes.
  • Implement security safeguards to protect personal information.
  • Allow individuals to access and correct their data.
  • Notify the Privacy Commissioner and affected individuals in case of serious privacy breaches.
  • Ensure proper safeguards for overseas data transfers.

  • Provide clear privacy policies regarding data collection and use.
  • Enable user rights to access and correct data.
  • Ensure secure handling of online personal data.
  • Implement cookie consent mechanisms where applicable.

  • Restrictions on cross-border data transfers, requiring similar privacy protections overseas.
  • Mandatory breach notification within a reasonable timeframe.
  • Enhanced enforcement powers for the Privacy Commissioner.

  • Access: Right to request and receive personal data held by an entity.
  • Correction: Right to request corrections of inaccurate or incomplete data.
  • Objection: Right to object to the use of personal data in certain situations.
  • Deletion: Right to request removal of personal data in some circumstances.

  • Regulatory Authority: Office of the Privacy Commissioner (OPC).
  • Penalties: The Privacy Commissioner can issue compliance notices and refer cases for prosecution.
  • Fines: Offences under the Privacy Act 2020 can result in fines of up to NZD 10,000.