Privacy Act 2020

Parliament passed the Privacy Act 2020 (the Act) with unanimous support on 30 June 2020. The Act will repeal the Privacy Act 1993 and come into force on 1 December 2020.

The Act draws upon the Law Commission’s 2011 recommendations and follows the global trend towards strengthening the protection of personal information. The Privacy Commissioner (the Commissioner) has been accorded expanded powers under the Act. Commissioner John Edwards commented ’[t]he new Privacy Act provides a modernised framework to better protect New Zealanders’ privacy rights in today’s environment.’

The Act is important in light of the significant penalties the Federal Trade Commission levied against social media conglomerate corporation Facebook over its handling of user data in 2019. It replaces an Act which came into force in 1993, just two years after the internet was made available to the public.

Key changes

The key changes the Act introduces include:

  • Mandatory reporting of privacy breaches;
  • Compliance notices;
  • Enforceable access directions;
  • Disclosing information overseas;
  • New criminal offences; and
  • Application to overseas agencies.


Mandatory reporting of privacy breaches

Privacy breaches are unauthorised or accidental access to or disclosure of personal information which pose a risk of harm to individuals.

The Act introduces a privacy breach notification system where a business or organisation is required to notify the Commissioner and affected individuals when a privacy breach occurs that causes, or is likely to cause ‘serious harm.’ It is an offence under the Act to fail to inform the Commissioner when there has been a notifiable privacy breach. This responsibility sits with the business or organisation, not individual employees.

The threshold of ‘serious harm’ is assessed by taking into consideration factors such as the sensitivity of the information lost, actions taken to reduce the risk of harm, and the nature of the harm that could arise.

The Office of the Privacy Commissioner will launch an online privacy breach notification tool and provide updated guidance to assist businesses and organisations with this new obligation.

Compliance notices

The Act empowers the Commissioner to issue compliance notices to businesses or organisations who have failed to adequately respond and remedy a privacy breach. Compliance notices will set out the steps required to remedy non-compliance with the Act and specify a timeframe for making the necessary changes.

The Commissioner may issue a compliance notice concurrently while dealing with the breach under other provisions of the Act. Failure to follow a compliance notice could result in a fine of up to $10,000.

Enforceable access directions

The Commissioner will now be able to direct businesses or organisations to provide individuals access to their personal information, allowing for a faster resolution of complaints relating to information access under Information Privacy Principle 6. These access directions will be enforceable in the Human Rights Review Tribunal.

Disclosing information overseas

A new Information Privacy Principle 12 has been added to regulate the way personal information can be sent overseas. Under the new principle, an organisation or business may only disclose personal information to an agency outside of New Zealand if the receiving agency is subject to similar safeguards as those in the Act.

In the event the overseas jurisdiction does not offer similar protections to New Zealand, the individual concerned must be fully informed that their information may not be adequately protected and they must expressly authorise the disclosure.

Note that this provision applies where agencies are using cloud service providers or sending information abroad for storage and/or processing.

New criminal offences

The Act creates new criminal offences. From 1 December it will be an offence to mislead an agency to access someone else’s personal information (e.g. impersonating someone to obtain access to personal information that you are not entitled to), or for a business or organisation to destroy personal information knowing that a request has been made to access it.

The maximum penalty for these offences is a fine of $10,000 (compared to $2,000 available under the current legislation).

Application to overseas agencies

Any international digital platform carrying on business in New Zealand will be subject to the Act, irrespective of where the personal information is collected and held, or where the person to whom the personal information relates is physically located.

The Office of the Privacy Commissioner will release further guidance on all key changes before the Act comes into force on 1 December 2020.