Lock and Key 700 x 300

2 December 2020

New Privacy Act 2020


The new Privacy Act 2020 (New Act) came into force on 1 December 2020.  There are some key changes in the New Act which help to bring New Zealand’s privacy law into the 21st century. 


The New Act gives the Privacy Commissioner powers to enforce Privacy Obligations and provides for penalties if Privacy Obligations are breached.


These are:



  • Notifiable Privacy Breaches – if a business or organisation has a privacy breach that has caused (or is likely to cause) serious harm to an individual, it needs to notify the Privacy Commissioner as soon as possible;
  • Compliance Notices – the Privacy Commissioner can require a business or organisation to either do something or to stop doing something if it is breaching the Privacy Act; and
  • Access Directions – the Privacy Commissioner may now give an access direction to a business or organisation if that entity has refused or failed to provide access to personal information without a proper basis.


Failure to notify the Privacy Commissioner of a Notifiable Privacy Breach or failure to comply with either a Compliance Notice or an Access Direction can result in a penalty of up to $10,000.


Another key change is the introduction of a new Information Privacy Principle 12 which sets out obligations around sending personal information outside of New Zealand (known as “cross-border disclosure”).  Businesses or organisations may only send personal information overseas if the information will be covered by the same protections afforded by New Zealand Privacy law, either because the receiving business/organisation:


  • Is subject to the Privacy Act because they do business in New Zealand; or
  • has safeguards comparable to New Zealand law or they have contractually agreed to protect personal information in the same way; or
  • is covered by a binding scheme/otherwise subject to the privacy laws of a country prescribed by the New Zealand Government.

Note that the storage of information in a Cloud that is hosted overseas does not count as cross-border disclosure. 


If a business/organisation is unable to ensure that an individual’s personal information sent overseas will have the same protections as under New Zealand privacy law, then they must obtain the permission of the person concerned. That person must be expressly told that their information may not have the same protection as under New Zealand law. An exception to this is “urgent disclosure”, where it is necessary to disclose personal information in order to maintain public health or safety, to prevent a serious threat to someone’s life or health, or for the maintenance of the law. 


The New Act also creates criminal offences that are punishable by penalties up to $10,000. Section 212 of the New Act provides it will be an offence to:


  • Impersonate an individual or falsely pretend to act under that individual’s authority in order to: 
    • Access that individual’s personal information; or
    • Have that individual’s personal information used, altered or destroyed; or
  • Destroy any document containing personal information if a request has been made pertaining to that information.


For more information on the New Act visit the Office of the Privacy Commissioner website:



It is important that businesses and organisations ensure they have up-to-date Privacy Policies (both internal and external). Privacy Policies help to ensure businesses and organisations are complying with their Privacy obligations, such as advising individuals that:


  • Their personal information is being collected;
  • The purpose for which personal information is being collected;
  • The method of collection;
  • How the information is securely stored and for how long; and
  • How the individual can contact the business/organisation to access or correct their personal information.


If you would like some advice around your privacy obligations or if you would like assistance to draft a Privacy Policy please contact Virginia Nichols or Deborah Hendry.