Abstract
The Privacy Act 2020 replaced 1993 legislation to address digital-age challenges. It introduces mandatory breach notification, strengthens compliance notices and enforcement, adds cross-border disclosure requirements, and creates offenses for misleading agencies about individual requests.
Summary
New Zealand’s Privacy Act 2020 modernizes the 1993 framework for contemporary data practices. Key changes include: mandatory notification of privacy breaches likely to cause serious harm (within 72 hours to the Privacy Commissioner plus affected individuals); stronger enforcement through compliance notices that are legally binding; new criminal offenses for deliberately misleading agencies about individual information requests; and enhanced cross-border disclosure rules requiring reasonable belief that recipients will protect information to comparable standards. The thirteen Information Privacy Principles remain the core framework, covering collection, storage, access, correction, retention, and disclosure. The Privacy Commissioner can issue binding compliance notices, order agencies to pay damages, and refer matters for prosecution. New Zealand maintains EU adequacy, facilitating data flows. The law applies to agencies ‘carrying on business’ in New Zealand even if based elsewhere.