New Zealand Data Privacy Laws: Privacy Act 2020 Complete Guide (2026)

New Zealand's Privacy Act 2020 (No 31) governs how agencies collect, store, use, and disclose personal information through 13 Information Privacy Principles. The Privacy Amendment Act 2025 added IPP 3A, an indirect-collection notification rule in force from May 1, 2026, closing a gap that existed for third-party data collection.
Information last verified on 2026-05-19. This article has not been reviewed by a licensed New Zealand lawyer.
Jurisdiction scope: This article addresses New Zealand's data protection framework under the Privacy Act 2020 (No 31), the Privacy Amendment Act 2025, the Biometric Processing Privacy Code 2025, and the regulatory practice of the Office of the Privacy Commissioner (Te Mana Matapono Matatapu). It does not address the Crimes Act 1961 recording offences or the Harmful Digital Communications Act 2015. For recording law specifically, see New Zealand Recording Laws.

Quick Answer: What Does New Zealand's Privacy Law Require?
New Zealand's primary data protection statute is the Privacy Act 2020, which came into force on December 1, 2020. The Act imposes 13 Information Privacy Principles (IPPs) on every "agency" that handles personal information about New Zealand individuals, whether that agency is located in New Zealand or overseas. Core obligations include: collecting information only for a lawful purpose connected to the agency's functions; notifying individuals at the point of collection; keeping information secure; allowing individuals to access and correct their data; limiting secondary use and disclosure; restricting cross-border transfers to countries with comparable protections; and reporting serious privacy breaches to both the Privacy Commissioner and affected individuals. The Privacy Amendment Act 2025 added a fourteenth obligation in substance by inserting IPP 3A, which requires notification when information is collected indirectly (from a third-party source rather than from the individual). IPP 3A came into force on May 1, 2026. The Office of the Privacy Commissioner supervises compliance, issues compliance notices, and refers unresolved matters to the Human Rights Review Tribunal, which can award damages up to NZD 350,000.
The Privacy Act 2020 and the Office of the Privacy Commissioner
The Privacy Act 2020 is New Zealand's comprehensive data protection statute. Parliament enacted it to replace the Privacy Act 1993, which had governed the country's privacy framework for nearly three decades but was considered inadequate for the digital economy. The new Act broadened the definition of "carrying on business" in New Zealand to capture overseas agencies that process New Zealanders' data without a physical presence in the country, introduced mandatory breach notification for the first time, strengthened compliance powers, and modernised the cross-border transfer provisions.
The Office of the Privacy Commissioner (OPC), known in te reo Maori as Te Mana Matapono Matatapu, is the independent regulator that administers the Act. The current Privacy Commissioner is Michael Webster, appointed in 2020. The OPC investigates complaints, monitors compliance, issues guidance and codes of practice, represents New Zealand in international privacy forums, and maintains the NotifyUs portal for breach notifications.

The Act applies to every "agency" that handles personal information. The definition of agency under section 7 is deliberately broad: any person or organisation in the public or private sector, including government departments, companies, charities, schools, sports clubs, and sole traders. Section 11 extends the Act to overseas businesses that carry on business in New Zealand, even without a local office, on the basis that they offer services to or collect data about New Zealand residents.
Personal information under section 7 means information about an identifiable individual. The definition covers names, addresses, email accounts, phone numbers, financial records, health data, employment history, photographs, IP addresses, and any other data that can identify a living person. Information about deceased persons falls outside the scope of the Act.
The 13 Information Privacy Principles
The 13 Information Privacy Principles in Part 3 of the Act are the operational core of New Zealand's data protection regime. Each principle governs a distinct phase of the information lifecycle, from collection through to correction. Every agency subject to the Act must comply with all 13 principles. Breach of a principle is an "interference with privacy" under section 69, which the Commissioner can investigate and the Tribunal can remedy.
IPP 1: Purpose of Collection
IPP 1 requires that personal information be collected only for a lawful purpose connected with a function or activity of the agency, and only when collection is necessary for that purpose. An agency cannot collect data "just in case" or for an undefined future use. The necessity requirement means the agency must be able to articulate why each category of information it collects is required to carry out the specific activity.
IPP 2: Source of Information
IPP 2 provides that personal information should be collected directly from the individual concerned wherever possible. Collecting from a third-party source is permissible where the individual authorises it, where direct collection would prejudice the purpose of collection, where the information is publicly available, or where other statutory exceptions apply. IPP 2 sets the default; IPP 3A now addresses the notification obligation when collection is indirect.
IPP 3: Collection From the Individual (Direct Collection)
IPP 3 requires agencies to take reasonable steps, at or before the time of collection, to ensure the individual is aware of:
- the fact of collection and the purpose for which the information is being collected;
- the intended recipients of the information;
- the name and address of the collecting agency;
- whether collection is authorised or required by law, and if so, the particular law;
- the consequences (if any) of not providing the information; and
- the individual's rights of access and correction under IPPs 6 and 7.
This notification obligation under IPP 3 applies when the agency collects information directly from the individual, for example through a web form, a phone call, or an in-person interview.
IPP 3A: Indirect-Collection Notification (In Force May 1, 2026)
The Privacy Amendment Act 2025 (No 53), which received Royal Assent on September 23, 2025, inserted IPP 3A into the Privacy Act 2020. IPP 3A came into force on May 1, 2026 and does not apply retrospectively to personal information collected before that date.
IPP 3A is an indirect-collection notification obligation. When an agency collects personal information from a source other than the individual concerned, for example from a third-party data broker, a credit bureau, a public register, a social media platform, or another organisation, the agency must take reasonable steps to ensure the individual is aware of the same matters specified in IPP 3. The Office of the Privacy Commissioner's IPP 3A guidance describes this as closing the gap between what New Zealand required on direct collection and what comparable regimes in Australia and the EU already required for indirect collection.
What IPP 3A is NOT: IPP 3A does not regulate automated decision-making. It does not impose specific rules on biometric processing. Those topics are addressed separately: automated-decision controls are the subject of the Commissioner's 2025 reform proposals, and biometrics are governed by the Biometric Processing Privacy Code 2025 (see below). Describing IPP 3A as an automated-decision or biometric rule is incorrect.
Exemptions to the IPP 3A notification obligation include situations where:
- the individual has already been informed of the matters listed in IPP 3;
- the information is publicly available (for example, from a public register, newspaper, or public website);
- notification would prejudice the maintenance of the law, the conduct of proceedings before a court or tribunal, or the collection of public revenue;
- notification would undermine the purpose of the collection;
- notification would cause a serious threat to public health, public safety, or the life or health of an individual;
- the information will only be used in a form that does not identify any individual;
- notification is not reasonably practicable in the circumstances.
The Ministry of Justice led the policy process behind IPP 3A, which was driven in part by the need to maintain New Zealand's EU adequacy status and align domestic law with international notification standards.
IPP 4: Manner of Collection
IPP 4 prohibits agencies from collecting personal information by unlawful means or by means that are unfair or unreasonably intrusive having regard to the circumstances.
IPPs 5 to 9: Storage, Security, Access, Accuracy, and Retention
IPP 5 (Storage and Security) requires agencies to protect personal information against loss, unauthorised access, use, modification, or disclosure by means that are reasonable in the circumstances, having regard to the sensitivity of the information and the harm that could result from a breach.
IPP 6 (Access) gives individuals the right to access their own personal information held by an agency. The agency must respond as soon as is reasonably practicable, and in any case within 20 working days of receiving a request. The agency may refuse access on limited grounds, such as protecting national security, trade secrets, or the privacy of another individual.
IPP 7 (Correction) gives individuals the right to request correction of inaccurate, incomplete, or misleading personal information. If the agency refuses to correct the information, it must attach a statement of the desired correction to the record. The 20-working-day response period also applies to correction requests.
IPP 8 (Accuracy) requires agencies to take reasonable steps to ensure that personal information is accurate, up to date, complete, relevant, and not misleading before using it. This obligation is ongoing; it is not satisfied by a one-time accuracy check at the point of collection.
IPP 9 (Retention) states that agencies must not keep personal information for longer than is necessary for the purposes for which it may lawfully be used. Retention schedules should be documented and enforced.
IPPs 10 and 11: Secondary Use and Disclosure
IPP 10 (Limits on Use) restricts how agencies use personal information. Information collected for one purpose generally may not be used for a materially different purpose unless the individual authorises the secondary use, the information is publicly available, the use is directly related to the original purpose, or one of the statutory exceptions applies (such as preventing a serious threat to life or safety).
IPP 11 (Limits on Disclosure) restricts disclosure of personal information to third parties. Permitted grounds for disclosure include: the disclosure is one of the purposes of collection; the individual authorises it; the information is publicly available; disclosure is necessary to prevent or lessen a serious threat to public health or safety; or disclosure is necessary to facilitate the sale or other disposition of a business where reasonable steps are taken to ensure the recipient treats the information consistently with the Act.
IPP 12: Cross-Border Disclosure
IPP 12 is New Zealand's cross-border transfer restriction. It provides that an agency must not disclose personal information to a foreign person or entity unless at least one of the following conditions is met:
- The individual authorises the disclosure after being expressly informed that the overseas recipient may not be required to protect the information in a way comparable to the Act.
- The agency believes on reasonable grounds that the recipient is subject to the Privacy Act (for example, because it carries on business in New Zealand).
- The agency believes on reasonable grounds that the recipient is subject to privacy laws of another country that provide comparable safeguards to the Act.
- The agency believes on reasonable grounds that the recipient is a participant in a prescribed binding scheme.
- The agency believes on reasonable grounds that the recipient is bound by privacy provisions in a contract that provide comparable safeguards.
The OPC provides an IPP 12 Decision Tree and model contract clauses to assist agencies with cross-border transfer compliance. Agencies that store data with overseas cloud providers generally remain the responsible agency under section 11 of the Act and must ensure their cloud contracts include appropriate privacy protections.
New Zealand holds EU adequacy status under Article 45 of the GDPR. The European Commission conducted a review of 11 adequacy decisions and confirmed on January 15, 2024 that New Zealand continues to provide an adequate level of data protection. This means personal data may flow freely from the EEA to New Zealand without the need for standard contractual clauses, binding corporate rules, or other transfer mechanisms.
IPP 13: Unique Identifiers
IPP 13 restricts how agencies assign and use unique identifiers such as customer numbers, membership numbers, or other codes. An agency must not assign a unique identifier to an individual unless it is necessary for the agency's functions. Agencies must not require individuals to disclose a unique identifier assigned by another agency unless there is a lawful basis for doing so. This principle is intended to prevent the construction of comprehensive profiles by cross-referencing identifiers across organisations.

The Biometric Processing Privacy Code 2025
The Biometric Processing Privacy Code 2025 (BPPC) is a code of practice issued by the Privacy Commissioner under section 202 of the Privacy Act 2020. It is a separate instrument from the IPPs; it does not amend the Act but modifies how the IPPs apply to biometric processing activities. The OPC issued the BPPC on July 21, 2025, and it came into force on November 3, 2025. Agencies already using biometric systems when the Code came into force have a nine-month grace period to achieve compliance; that transition period ends on August 3, 2026.
Scope: The BPPC applies to all agencies that collect, store, use, handle, process, or disclose biometric information through biometric processing. Biometric information means information relating to an individual's physical or behavioural features, including facial geometry, fingerprints, iris patterns, voice patterns, and keystroke or gait patterns. Biometric processing means the use of technologies such as facial recognition, fingerprint scanning, or voice identification to collect and process that information to identify individuals or learn more about them. The BPPC does not apply to health information processed by a health agency under the Health Information Privacy Code.
Core obligations under the BPPC include:
- Necessity, effectiveness, and proportionality test: An agency may collect and process biometric information only where it can demonstrate the processing is necessary for a lawful purpose connected to its functions, the processing is an effective means of achieving that purpose, and the privacy risks are proportionate to the benefits. The proportionality assessment must explicitly consider cultural impacts and effects on Maori.
- Mandatory Privacy Impact Assessment (PIA): A documented PIA is required before deploying any biometric processing activity. The PIA must identify risks and the mitigations adopted.
- Transparency and notice: Agencies must inform individuals before or at the time of collection about the collection, its purpose, intended recipients, legal authority (if any), and the individual's rights. The Code requires clear and conspicuous signage and communications.
- Safeguards: Agencies must adopt technical and organisational safeguards proportionate to the sensitivity and privacy risks of the biometric data.
- Accuracy and bias assessment: Agencies must take steps to ensure the biometric system performs accurately across different demographic groups. The Commissioner's June 2025 inquiry into Foodstuffs North Island's supermarket facial recognition trial found that accuracy concerns for Maori, Pacific peoples, and other ethnic groups must be addressed before deployment.
The BPPC's mandatory PIA requirement and proportionality test are more demanding than the general security obligations under IPP 5. Organisations deploying facial recognition, fingerprint access systems, or voice authentication must ensure they have completed and documented the PIA before going live.
Mandatory Breach Notification
Part 6 of the Privacy Act 2020 introduced mandatory privacy breach notification to New Zealand law for the first time. Under the 1993 Act, reporting was voluntary. The 2020 Act made it compulsory.
What counts as a notifiable breach: A privacy breach is notifiable under section 113 if it has caused, or is likely to cause, serious harm to one or more affected individuals. In assessing the likelihood of serious harm, agencies must consider the nature and sensitivity of the personal information; what has happened to the information (theft, accidental disclosure, corruption, etc.); the likely recipients; whether security measures such as encryption were in place; and the types of harm that could follow. Serious harm includes identity theft, financial loss, physical danger, psychological harm, employment-related harm, and threats to safety. The Commissioner's guidance places heightened weight on breaches involving health records, financial data, information about children, or data concerning family violence victims.
Notification obligations: When a breach meets the serious harm threshold, the agency must:
- Notify the Privacy Commissioner as soon as practicable after becoming aware of the breach. The OPC's operational expectation is notification within 72 hours. Notifications must be submitted through the NotifyUs portal and must describe the nature of the breach, the categories of personal information affected, the likely consequences, and the steps the agency is taking. Section 117 permits incremental notification where the full picture is not yet available.
- Notify affected individuals as soon as practicable. The notice must describe the breach, the information involved, the steps the individual can take to protect themselves, and the agency's response measures. Section 116 provides limited exceptions, such as where notification would endanger the safety of any person or prejudice a law enforcement investigation.
Penalty for failure to notify: Section 118 of the Act makes it a criminal offence for an agency to fail to notify the Commissioner of a notifiable breach without reasonable excuse. The penalty is a fine of up to NZD 10,000.
The OPC reported a 21 percent rise in privacy complaints in 2024 to 2025, reaching 1,598 cases, up from 1,003 the previous year. Many involved unauthorised disclosures by retailers, health data handling failures, and decisions affecting lending.
Individual Rights Under the Privacy Act 2020
The Act gives individuals several enforceable rights in relation to their personal information held by agencies:
Right of access (IPP 6): Any individual may request access to personal information an agency holds about them. The agency must respond within 20 working days. Charges may only be imposed for the reasonable cost of giving access and must not be so large as to be a deterrent.
Right of correction (IPP 7): Any individual may request that inaccurate, incomplete, or misleading information be corrected. The agency must respond within 20 working days. If it declines, it must attach a note of the requested correction to the record.
Right to complain: Individuals who believe an agency has interfered with their privacy may complain to the Office of the Privacy Commissioner free of charge. Before lodging a complaint with the OPC, the individual should first raise the matter directly with the agency. The Commissioner investigates and attempts mediated settlement. If settlement fails, the individual may take the matter to the Human Rights Review Tribunal, either through the Director of Human Rights Proceedings or directly (within six months of the Commissioner's closure notice under section 98).
The Act does not provide a GDPR-style "right to be forgotten" or right to erasure. Commissioner Webster has publicly called for a right to erasure to be introduced in a future reform, but as of May 2026 the Act does not contain one.
Enforcement Powers and Penalties
The Privacy Commissioner's enforcement toolkit under the Privacy Act 2020 includes the following powers:
Compliance notices: Under sections 121 to 126 of the Act, the Commissioner may issue a compliance notice requiring an agency to take, or stop, specific actions where the Commissioner believes the agency is breaching, or is likely to breach, the Act. Failure to comply with a compliance notice without reasonable excuse is a criminal offence carrying a fine of up to NZD 10,000 under section 127. Compliance notice proceedings are brought before the Human Rights Review Tribunal.
Name and shame: The Commissioner has a publicly stated policy of naming agencies found to have breached the Act in cases where it is in the public interest to do so, for example where an agency has shown an unwillingness to comply or where public awareness could reduce harm.
Referral to the Director of Human Rights Proceedings: Where mediation fails, the Commissioner may refer the matter to the Director of Human Rights Proceedings, who can bring proceedings before the Human Rights Review Tribunal on behalf of the complainant.
Human Rights Review Tribunal: The Tribunal is an independent judicial body that can award:
- A declaration that the agency has interfered with the individual's privacy.
- An order restraining the agency from continuing the interference.
- Compensatory damages up to NZD 350,000, including damages for humiliation, loss of dignity, and injury to feelings.
- An order requiring corrective action or restitution.
- Costs.
The absence of large financial penalties: Unlike the GDPR, which provides for fines of up to 4 percent of global annual turnover, the Privacy Act 2020 does not authorise large fines. The NZD 350,000 Tribunal damages cap and the NZD 10,000 criminal offence fines are the primary financial consequences. Commissioner Webster's October 2025 statement explicitly called for "multimillion-dollar fines" to bring New Zealand into line with international norms. The Justice Minister indicated in early 2026 that the government is reviewing further enhancements following the IPP 3A reform, potentially including a major penalty regime in a 2027 legislative cycle.

Recent Developments (2024 to 2026)
January 2024: EU adequacy reaffirmed: The European Commission completed a review of 11 adequacy decisions and confirmed on January 15, 2024 that New Zealand continues to provide an adequate level of protection. The Commission noted that the Privacy Act 2020, the enhanced IPP 12 cross-border transfer rules, and the broadened powers of the OPC all contributed to New Zealand's continued alignment with the EU framework.
September 2025: Privacy Amendment Act 2025 enacted: Parliament passed the Privacy Amendment Act 2025 on September 23, 2025 (Royal Assent the same day). The Act inserted IPP 3A, the indirect-collection notification obligation, into the Privacy Act 2020. IPP 3A came into force on May 1, 2026 and applies prospectively to personal information collected on or after that date.
November 2025: Biometric Processing Privacy Code 2025 in force: The BPPC, issued by the Privacy Commissioner on July 21, 2025, came into force on November 3, 2025. Agencies already operating biometric systems have until August 3, 2026 to comply. The Code introduces the mandatory PIA, proportionality test, bias assessment, and transparency requirements described in the preceding section.
June 2025: Foodstuffs facial recognition inquiry: The Privacy Commissioner released findings on June 4, 2025 into Foodstuffs North Island's (FSNI) trial of facial recognition technology across 25 supermarkets in the North Island between February and September 2024. The OPC's inquiry found that the trial complied with the Privacy Act, given the safeguards FSNI deployed, but raised concerns about bias risk for Maori and Pacific peoples, the adequacy of customer transparency, and the accuracy of overseas-trained systems applied to New Zealand's population. The Commissioner recommended independent evaluation of any future deployment.
October 2025: Commissioner calls for major reform: Commissioner Webster issued a public statement calling for urgent legislative reform including multimillion-dollar fines for serious breaches, a right to erasure, robust controls on automated decision-making, and enhanced protections for children's data. The Commissioner cited record complaint volumes and the inadequacy of the NZD 10,000 offence fines as evidence that the 2020 Act's enforcement mechanisms need strengthening.
2026: Proposed Codes of Practice consultation: The OPC published a notice of consultation on proposed amendments to codes of practice under the Privacy Act 2020, including proposed modifications to the Health Information Privacy Code and the Justice Sector Privacy Code. Details were published in the New Zealand Gazette.
Business Compliance
Organisations operating in New Zealand, or processing the personal information of New Zealand residents from overseas, should structure their privacy compliance programmes around the following core elements:
Map your data flows. Document every category of personal information you collect, the source of that collection (direct from individual or indirect from third parties), the purpose, the intended recipients, and any cross-border transfers. This foundation is needed to assess compliance with IPPs 1 to 4, including the new IPP 3A indirect-collection notification obligation.
Implement IPP 3A notification procedures. For personal information collected on or after May 1, 2026 from a source other than the individual, establish a process to notify the individual of the matters listed in IPP 3. The OPC's IPP 3A guidance describes acceptable notification methods, including written notices, email, or web portal notifications, delivered within a reasonable time after collection. Review third-party data-sharing agreements to determine whether existing supplier notifications satisfy the obligation.
Assess biometric systems against the BPPC. If your organisation uses facial recognition, fingerprint scanning, voice authentication, or any other biometric processing technology, ensure you have completed a documented Privacy Impact Assessment before the grace period ends on August 3, 2026. The PIA must demonstrate necessity, proportionality, effectiveness, and bias mitigation, particularly for Maori and Pacific communities.
Establish breach response procedures. Designate a privacy officer responsible for identifying and assessing privacy breaches. Ensure the organisation can triage a suspected breach, assess the serious harm threshold, notify the OPC via NotifyUs within 72 hours where the threshold is met, and notify affected individuals promptly.
Review cross-border transfer arrangements. For data transfers to countries outside New Zealand, assess whether IPP 12 is satisfied. Transfers to countries without comparable protections require either individual consent (with express disclosure of the risks) or contractual protections. Transfers to EEA countries benefit from New Zealand's adequacy status, though the converse also applies: EEA businesses sending data to NZ may do so without supplementary measures.
Respond to access and correction requests. Ensure the organisation has a process for receiving and responding to individual access and correction requests within the 20-working-day statutory timeframe.
Watch out: The IPP 3A obligation applies to personal information collected from third-party sources on or after May 1, 2026. Agencies that purchase customer lists, receive data from analytics providers, use credit bureau data, or aggregate information from public registers now have an active notification obligation to the individuals whose data they acquire. Overlooking this obligation is the most likely new compliance gap for data brokers, credit agencies, and marketing-focused businesses in 2026.
Frequently Asked Questions
Does the Privacy Act 2020 apply to overseas companies?
Yes. Section 11 of the Privacy Act 2020 extends the Act to overseas businesses that carry on business in New Zealand, even without a physical office in the country. Any organisation that provides services to New Zealand residents or systematically collects their personal information is subject to the same obligations as a New Zealand-based agency. Complaints against overseas agencies can be brought to the Privacy Commissioner.
What is the difference between IPP 3 and IPP 3A?
IPP 3 applies when an agency collects personal information directly from the individual, for example through a form, interview, or phone call. IPP 3A, which came into force on May 1, 2026, applies when an agency collects personal information from a third-party source rather than from the individual. Both principles impose the same notification obligation: the individual must be made aware of the collecting agency, the purpose, intended recipients, lawful basis (if any), and their access and correction rights. IPP 3A closes the notification gap that previously existed for indirect collection.
Is IPP 3A about automated decision-making or biometrics?
No. IPP 3A is solely about notification when personal information is collected indirectly. It has nothing to do with automated decision-making or biometric processing. Automated-decision controls are the subject of a separate reform proposal by Commissioner Webster. Biometric processing is governed by the Biometric Processing Privacy Code 2025, which is a distinct instrument that came into force on November 3, 2025.
What does the Biometric Processing Privacy Code 2025 require?
The BPPC requires agencies that collect and use biometric information (such as facial recognition or fingerprint data) to: complete a mandatory Privacy Impact Assessment before deployment; satisfy a necessity, proportionality, and effectiveness test; provide clear transparency notices to individuals; implement robust safeguards; and assess the risk of bias for Maori, Pacific peoples, and other ethnic groups. Agencies already using biometric systems before November 3, 2025 have until August 3, 2026 to comply.
What counts as a notifiable privacy breach?
A privacy breach is notifiable under section 113 if it has caused, or is likely to cause, serious harm to an affected individual. Serious harm includes identity theft, financial loss, physical safety risks, psychological harm, and employment consequences. The Commissioner's guidance places heightened concern on breaches involving health data, financial records, children's information, or data related to family violence. The practical test is whether a reasonable person in the same circumstances as the affected individual would consider the breach likely to cause them serious harm.
What is the time limit for notifying the Privacy Commissioner of a breach?
The Act requires notification "as soon as practicable" after the agency becomes aware of the breach. The OPC's operational expectation is notification within 72 hours. Section 117 allows incremental notification if the full picture is not yet available.
What financial penalties can be imposed under the Privacy Act 2020?
There are no GDPR-style turnover-based fines under the current Act. The Human Rights Review Tribunal can award compensatory damages up to NZD 350,000 in civil proceedings. Criminal offence provisions, such as failure to notify a breach and failure to comply with a compliance notice, carry fines of up to NZD 10,000. The Privacy Commissioner has called for multimillion-dollar fines to be introduced in future legislation, and the government indicated in early 2026 it is reviewing such enhancements.
Does New Zealand have GDPR adequacy status?
Yes. New Zealand has held EU adequacy status since the original European Commission decision in 2012. Following a review finalized on January 15, 2024, the Commission confirmed that New Zealand continues to provide an adequate level of data protection for personal data transferred from the EEA, taking into account the Privacy Act 2020, the updated IPP 12 cross-border transfer rules, and the strengthened powers of the OPC.
Is there a right to erasure under New Zealand privacy law?
No. Unlike the GDPR's Article 17 right to erasure, the Privacy Act 2020 does not give individuals the right to demand deletion of their personal information. Individuals have rights of access and correction under IPPs 6 and 7, and the retention principle in IPP 9 requires agencies to delete information they no longer need. Privacy Commissioner Webster has called for a right to erasure to be introduced in a future legislative reform, but it does not exist in the current Act.
How can an individual complain about a privacy breach?
Individuals should first raise the concern directly with the agency involved. If unresolved, they can lodge a free complaint with the Office of the Privacy Commissioner online. The Commissioner investigates and attempts settlement. If settlement fails or the Commissioner closes the complaint, the individual has six months to file a claim before the Human Rights Review Tribunal.
What are the key IPP 3A notification exemptions for businesses?
Under IPP 3A, an agency does not need to notify the individual if: the information was already publicly available; the individual was already informed of the relevant matters; notification would prejudice law enforcement or court proceedings; notification would undermine the purpose of the collection; notification would cause a serious threat to public health or safety; the information will only be used in a non-identifiable form; or notification is not reasonably practicable in the circumstances.
Next Steps and Further Reading
For organisations assessing their compliance position under the Privacy Act 2020 as amended, the Office of the Privacy Commissioner's resources are the primary reference point. The OPC publishes guidance on each IPP, the BPPC, the NotifyUs breach notification portal, decision notes from concluded investigations, and the IPP 12 Decision Tree for cross-border transfers. The Ministry of Justice maintains background material on the IPP 3A reform and the policy intent behind the Privacy Amendment Act 2025.
For recording law and surveillance-specific questions under New Zealand law, see New Zealand Recording Laws.
Disclaimer
This article presents general legal information about New Zealand's data protection framework under the Privacy Act 2020, the Privacy Amendment Act 2025, and the Biometric Processing Privacy Code 2025. It does not constitute legal advice and does not create a solicitor-client relationship. The law described reflects statutes and regulatory guidance as of May 19, 2026. Organisations and individuals seeking advice about their specific privacy obligations should consult a lawyer licensed in New Zealand. The Office of the Privacy Commissioner's website at privacy.org.nz also provides free guidance and a complaints process.
Authorities Cited
- Privacy Act 2020 (NZ), No 31. https://www.legislation.govt.nz/act/public/2020/31/en/latest/
- Privacy Amendment Act 2025 (NZ), No 53. https://www.legislation.govt.nz/act/public/2025/53/en/latest/
- Office of the Privacy Commissioner, "Information Privacy Principles." https://www.privacy.org.nz/privacy-act-2020/privacy-principles/
- Office of the Privacy Commissioner, "IPP 3A: Notification Requirements for Indirect Collection of Personal Information." https://www.privacy.org.nz/focus-areas/ipp3a/
- Ministry of Justice (NZ), "Enhancing the Privacy Act." https://www.justice.govt.nz/justice-sector-policy/key-initiatives/enhancing-the-privacy-act/
- Office of the Privacy Commissioner, Biometric Processing Privacy Code 2025. https://www.privacy.org.nz/privacy-principles/codes-of-practice/biometric-processing-privacy-code/
- Office of the Privacy Commissioner, "FRT Inquiry Report: Foodstuffs North Island Facial Recognition Trial" (June 4, 2025). https://www.privacy.org.nz/focus-areas/frt-inquiry-report/
- Privacy Act 2020, Part 6 (Notifiable Privacy Breaches). https://www.legislation.govt.nz/act/public/2020/0031/latest/LMS23530.html
- Office of the Privacy Commissioner, "Sorting Out Privacy Breaches." https://www.privacy.org.nz/responsibilities/privacy-breaches/
- Office of the Privacy Commissioner, "Sending Information Overseas (IPP 12)." https://www.privacy.org.nz/responsibilities/disclosing-personal-information-outside-new-zealand/
- Office of the Privacy Commissioner, "New Zealand–EU Data Protection Adequacy." https://www.privacy.org.nz/privacy-principles/reports-on-new-zealand-adequacy-to-the-european-commission/
- European Commission adequacy review finalized January 15, 2024. https://www.insideprivacy.com/cross-border-transfers/european-commission-retains-adequacy-decisions-for-data-transfers-to-eleven-countries/
- Privacy Act 2020, s 118 (Offence: Failure to Notify Commissioner of Notifiable Breach). https://www.legislation.govt.nz/act/public/2020/0031/latest/LMS23701.html
- Office of the Privacy Commissioner, "What Are Your Privacy Rights?" https://www.privacy.org.nz/your-rights/your-privacy-rights/
- Office of the Privacy Commissioner, "New Zealand Needs Privacy Act Modernisation" (October 2025 statement). https://www.privacy.org.nz/tuhono-connect/statements-media-releases/new-zealand-needs-privacy-act-modernisation-and-nbsp/
- New Zealand Gazette, "Notice of Consultation on Proposed Amendments to Privacy Act 2020 Codes of Practice" (2026). https://gazette.govt.nz/notice/id/2026-au42
- Ministry of Justice (NZ), "Human Rights Review Tribunal." https://www.justice.govt.nz/tribunals/human-rights/
Last updated: 2026-05-19. Statutes cited reflect their in-force versions as of 2026-05-19.