Privacy Bill approved in New Zealand

New Zealand’s Parliament has passed a Privacy Bill to replace the Privacy Act of 1993.

Among new features in the act which enters into force on 1 December, are:

  • any organisation carrying out business in New Zealand, and handling New Zealanders’ personal information, is obliged to comply with the country’s law regardless of where they or their servers are based;
  • before disclosing New Zealanders’ personal information overseas, the country’s organisations have to ensure overseas entities have similar levels of privacy protection to those in New Zealand;
  • mandatory notification of a privacy breach which poses a risk of serious harm;
  • introduction of compliance orders, with a fine of up to NZ$10,000 for failure to follow one; and
  • it becomes an offence to mislead an organisation or business in a way which affects someone’s personal information, or to destroy personal information if a request has been made for it. The maximum fine is NZ$10,000.

Privacy Commissioner John Edwards said: “The new Privacy Act provides a modernised framework to better protect New Zealanders’ privacy rights in today’s environment … It is an endorsement of the significance of privacy as a universal human right that the Bill was passed with the multi-party support.”

On the mandatory notification regulation, he said the change brings New Zealand in line with international best practice.

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.