New Zealand’s Privacy Act governs the collection, use and disclosure of individuals’ personal information. It exists to ensure trust in the companies and governmental services in our society. The Privacy Act covers all sectors of the economy and is technology-neutral. However, over the years, it has become increasingly clear that New Zealand’s privacy regulations are lagging behind those of like-minded countries, such as the EU and Australia. In today’s global, data-driven digital economy, the current privacy framework is no longer fit for purpose.
The Privacy Act 2020 (“the Act”), although nominally dated 2020, was actually drafted in 2013. It fails to account for the rapid advancements in technology, such as generative AI and biometrics, and does not anticipate the large-scale collection, use and transfer of personal information that we see today. As technological development continues to outpace regulation, New Zealand’s privacy framework risks becoming further outdated without significant reform.
Growing compliance issues
The Privacy Commissioner has linked businesses’ low compliance rates with the Act’s outdated nature. In particular, businesses are not taking the necessary steps to secure personal information, resulting in a surge of privacy complaints and serious privacy breaches between 2021 and 2023 [1].
Out of step internationally
Globally, privacy regulation has evolved significantly. The European Union General Data Protection Regulation (GDPR), which came into effect in 2018, dramatically changed the privacy landscape with what was and remains the gold standard of privacy regulation, due to the introduction of rights such as the right to erasure and strict penalties for non-compliance. Since then, case law, including the various Schrems decisions, has further developed the GDPR to make it even more robust, by further defining the requirements around international data transfers. Since the adoption of the GDPR, other countries, such as Australia and the UK, have followed suit by implementing or updating their own comprehensive privacy regimes.
Just last month Australia, which currently has a privacy regime similar to New Zealand, albeit with much greater penalties, introduced to parliament both the Privacy and Other Legislation Amendment Bill 2024 and the Cyber Security Bill 2024. The Privacy Bill proposes a raft of changes including a new tort for serious invasion of privacy, making doxing (being the intentional malicious exposure of an individual’s personal data online) a criminal offence, an increase in the security measures that APP entities are required to put in place to protect personal information, increased transparency around automated decision making, and the introduction of civil penalties, among others. The Cyber Bill creates concrete cyber security obligations and introduces a mandatory reporting requirement for organisations carrying on business in Australia. While some critics argue these changes are modest, in light of the substantial overhaul that was initially proposed, they still reflect a substantial shift in privacy and cyber security law.
New Zealand’s Privacy Act, by comparison, remains a relic of the early 2010s and is increasingly out of step with global standards.
Being out of step internationally is problematic for New Zealand businesses, many of which are forced to comply with international privacy frameworks, like the GDPR, to maintain trade relationships. International companies now often incorporate robust privacy clauses into their contracts, leaving New Zealand businesses in the position of needing to comply, but also being unprepared to do so.
New Zealand has, however, been granted “adequacy” status by the European Commission under the GDPR. In practice, this means that businesses do not need to put in place additional privacy safeguards (such as standard contractual clauses) when undertaking trade with the EU, therefore reducing compliance costs. This status was originally granted in 2012 and was renewed at the beginning of 2024 to the surprise of many privacy experts. While being deemed “adequate” is a highly political decision, this status may not last if regulations continue to lag.
Key shortcomings of New Zealand’s Privacy Act
- Insufficient penalties
The Privacy Commissioner reports that a growing number of New Zealand businesses, particularly small-to-medium organisations, do not understand even the basic requirements of the Privacy Act, for example failing to appoint a privacy officer [2]. The lack of compliance is attributed to insufficient accountability and consequences for mishandling personal information under the Act. This creates little incentive for businesses to prioritise privacy in the same way that they might for other compliance obligations, such as health and safety.
Unlike other jurisdictions, penalties under New Zealand’s Privacy Act are minimal. The Act provides for a maximum penalty of $10,000 and this is available only when an agency commits one of the few specific criminal offences. There are no civil penalties available at all. This is a stark contrast to the multi-million-dollar fines under the GDPR or Australian law. This lack of significant financial penalties reduces the incentive for businesses to comply with privacy requirements.
- Lack of adaptability to new technologies
Since its drafting, the Privacy Act has not kept pace with the emergence of technologies including biometrics, social media, artificial intelligence and the Internet of Things. These new technologies present many opportunities, but the potential harms and benefits need to be considered.
While the Act is technology-neutral, it lacks key provisions, rights, and obligations that other jurisdictions have adopted to address the privacy challenges posed by these new technologies. The Privacy Act will also be key to responding to the newest technological challenge, being artificial intelligence.
Given the New Zealand government’s current stance against enacting widespread AI regulation, the Privacy Act must be updated to provide a more robust framework for managing the personal data associated with AI and other emerging technologies.
- No distinction for sensitive information
Unlike other jurisdictions such as the EU and Australia, the Privacy Act does not create a separate category for ‘sensitive personal information’, which requires stricter protections. This omission is increasingly concerning as biometric data, such as facial or fingerprint recognition technology, becomes more widely used. While some effort is being made to remedy this gap through the Biometrics Code of Conduct, it is only a temporary solution to a broader legislative gap.
- Lack of protections for children’s privacy
New Zealand’s privacy law lacks specific provisions to safeguard children and young people, who may be more vulnerable to the long-term consequences of consenting to share their personal information, particularly in an online context.
While the Privacy Act requires that agencies consider the “fairness and intrusiveness” of how they collect personal information, other jurisdictions, like the UK and California, have introduced specific regulations aimed at protecting children and young people. New Zealand is only beginning to explore this area, and legislative action will likely be needed.
Current actions are not significant enough – so where to from here?
Despite the pressing need for reform, the current initiatives, including the Privacy Amendment Bill 2023 and the Biometrics Code of Conduct, offer only minor improvements. They fall short of addressing the fundamental issues with the existing privacy framework. To keep pace with international standards and protect personal information in an increasingly digital world, New Zealand requires a comprehensive overhaul of its privacy legislation.
New Zealand’s privacy regulations are no longer sufficient in a global landscape dominated by rapid technological change. Without significant reform, New Zealand risks falling further behind, with real consequences for businesses and individuals alike.
[1] Briefing of the Incoming Minister of Justice, Office of the Privacy Commissioner, paper published 4 December 2023.
[2] Briefing of the Incoming Minister of Justice, Office of the Privacy Commissioner, paper published 4 December 2023, page 5.