Privacy Act 2020 New Zealand

    Overview

    The New Zealand Privacy Act 2020 establishes a framework for the protection of personal information, and modernizes data protection laws in New Zealand, replacing the 1993 Act. It strengthens privacy rights, enhances business accountability, and introduces new compliance obligations, particularly regarding cross-border data transfers. The law applies to all businesses and organizations handling personal information in New Zealand, as well as overseas entities conducting business in the country.

     

    Regulation Summary

    Timeline
    • June 30, 2020 – Privacy Act 2020 receives royal assent.
    • December 1, 2020 – The law takes full effect.
    • 2021–Present – Ongoing guidance and enforcement actions by the Office of the Privacy Commissioner.
    What Businesses Are Affected
    • All organizations operating in New Zealand, regardless of size or sector.
    • Overseas businesses handling New Zealanders' personal data in the course of their business activities.
    Exemptions
    • Personal or household use of data.
    • News media engaged in journalistic activities.
    • Parliamentary, judicial, and governmental functions, including the Sovereign, the Governor-General, and the House of Representatives.
    • Law enforcement in certain cases.
    • Members of Parliament in their official capacity.
    • Ombudsmen and inquiries or boards of inquiry appointed under any Act.
    Responsibilities for Businesses
    • Adopt 13 Information Privacy Principles (IPPs) for data collection, use, and disclosure.
    • Ensure lawful collection of personal data and use it only for stated purposes.
    • Implement security safeguards to protect personal information.
    • Allow individuals to access and correct their data.
    • Notify the Privacy Commissioner and affected individuals in case of serious privacy breaches.
    • Ensure proper safeguards for overseas data transfers.
    Specific Responsibilities for Website Owners
    • Provide clear privacy policies regarding data collection and use.
    • Enable user rights to access and correct data.
    • Ensure secure handling of online personal data.
    • Implement cookie consent mechanisms where applicable.
    Additional Requirements
    • Restrictions on cross-border data transfers, requiring similar privacy protections overseas.
    • Mandatory breach notification within a reasonable timeframe.
    • Enhanced enforcement powers for the Privacy Commissioner.
    Data Subject Rights
    • Access: Right to request and receive personal data held by an entity.
    • Correction: Right to request corrections of inaccurate or incomplete data.
    • Objection: Right to object to the use of personal data in certain situations.
    • Deletion: Right to request removal of personal data in some circumstances.
    Enforcement
    • Regulatory Authority: Office of the Privacy Commissioner (OPC).
    • Penalties: The Privacy Commissioner can issue compliance notices and refer cases for prosecution.
    • Fines: Offences under the Privacy Act 2020 can result in fines of up to NZD 10,000.
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you.

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596