Data & Privacy - New Zealand

The Privacy Act 2020 regulates how agencies collect, hold, use, disclose and give access to personal information through 13 Information Privacy Principles (now including IPP 3A). It applies across the public and private sectors and has extraterritorial reach to overseas agencies carrying on business in New Zealand.

The independent Office of the Privacy Commissioner administers the Act. It can investigate complaints or act on its own initiative, issue compliance notices requiring an agency to do or stop doing something, and make access directions; non-compliance is enforced through the Human Rights Review Tribunal.

Since 1 December 2020, agencies must notify the Privacy Commissioner and affected individuals of a 'notifiable privacy breach' — one that has caused, or is likely to cause, serious harm. The Commissioner's guidance expects notification as soon as practicable, ideally within 72 hours of awareness.

The Privacy Amendment Act 2025 inserted IPP 3A, in force from 1 May 2026, requiring agencies that collect personal information from a source other than the individual to take reasonable steps to make that individual aware of specified matters; it does not apply to information collected before that date and is subject to exceptions.

IPP 12 restricts disclosing personal information to a foreign recipient unless the agency reasonably believes the recipient is subject to comparable safeguards (e.g. via prescribed countries, binding contractual model clauses, or the individual's authorisation). The Commissioner publishes model contract clauses to support compliant transfers.

The European Commission recognises New Zealand as providing an adequate level of data protection, allowing personal data to flow freely from the EEA. On 15 January 2024 the Commission confirmed New Zealand retains adequacy following its review of pre-GDPR adequacy decisions.