Data Protection & Privacy 2026 Comparisons

Privacy Act 2020 and Information Privacy Principles

New Zealand’s principal data protection law is the Privacy Act 2020 (the “Privacy Act”), which applies across both public and private sectors. It regulates the collection, use, storage, access and disclosure of “personal information” through 13 Information Privacy Principles (IPPs) and provides an oversight and complaints framework administered by the Office of the Privacy Commissioner.

Codes of Practice

The Privacy Act is supplemented by codes of practice issued by the Privacy Commissioner. These codes have the force of law and modify the IPPs for particular sectors or data types. They include the following:

• Health Information Privacy Code 2020;
• Credit Reporting Privacy Code 2020;
• Telecommunications Information Privacy Code 2020; and
• Biometric Processing Privacy Code 2025.

See 5.3 Data Localisation Requirements for cross-border transfer requirements under these codes.

Right to Privacy

There is no single constitutional “right to privacy” in New Zealand, but privacy interests are protected through multiple instruments. Section 21 of the New Zealand Bill of Rights Act 1990 protects against unreasonable search or seizure, including in relation to correspondence and electronic intrusions. In the public sector, privacy interacts closely with access-to-information regimes governed primarily by the Official Information Act 1982: requests for official information may be refused where withholding is necessary to protect personal privacy.

Extraterritorial Reach

The Privacy Act has material extraterritorial reach. It applies to an overseas agency carrying on business in New Zealand, regardless of where the personal information was collected or held, or where the individual is located. Cross-border data flows are addressed through IPP 12 (see 5. International Considerations).

Interplay With Other Laws

Where data is truly anonymised, it generally falls outside the Privacy Act, though re-identification risk must be carefully managed. Privacy also intersects with cybercrime offences and online harm legislation. Under Part 9A of the Crimes Act 1961, it is a criminal offence to intercept a private communication or to disclose a communication known to have been unlawfully intercepted. The Crimes Act 1961 also creates offences relating to intimate visual recordings made or distributed without consent. Computer-crime offences (including unauthorised access and dishonest use of a computer system) intersect with privacy wherever personal data is involved. New offences targeting software designed for unauthorised access were inserted by the Budapest Convention and Related Matters Legislation Amendment Act 2025 with effect from 31 July 2025. The Harmful Digital Communications Act 2015 provides civil and criminal remedies for harmful online communications and intersects directly with privacy through communication principles prohibiting disclosure of sensitive personal facts or communications made in breach of confidence. New Zealand organisations operating internationally may also need to consider foreign privacy laws with extraterritorial effect (notably the EU GDPR), although New Zealand maintains EU “adequacy” status.

Information Privacy Principles

Under the Privacy Act, organisations must process personal information in accordance with the IPPs. In practical terms, the IPPs require:

• collecting only what is needed for a lawful purpose;
• collecting fairly and generally from the individual;
• providing clear notice at collection;
• maintaining appropriate storage and security safeguards;
• ensuring accuracy before use or disclosure;
• not retaining information longer than necessary;
• limiting use and disclosure to the purpose of collection (subject to exceptions);
• giving individuals access to and the ability to correct their information; and
• applying special controls for unique identifiers and cross-border disclosures.

Data Subject Rights

Individuals have rights to access and request correction of their personal information, and to complain to the Privacy Commissioner regarding an “interference with privacy”. The mandatory breach notification regime requires agencies to notify the Privacy Commissioner and affected individuals where a breach has caused, or is likely to cause, serious harm (see 1.6 Data Breach Requirement).

Main Compliance Requirements

Organisations must:

• appoint a privacy officer and maintain a privacy management framework;
• map what personal information they hold, where it sits, and why it is needed;
• use compliant collection notices specifying purpose, recipients, consequences of non-provision, and access/correction processes;
• implement proportionate security safeguards (access control, encryption, logging) and put privacy obligations into vendor agreements;
• validate that secondary uses and disclosures are authorised, particularly for marketing;
• implement processes for access and correction requests (identity verification, timeframes, exemptions); and
• maintain and test a breach response plan covering serious harm assessment, containment, communications and regulator notification.

New Zealand privacy law does not use the GDPR-style concept of “special category data” with a single heightened processing test. Instead, protection is delivered through the broad definition of personal information, the core IPPs, and sector-specific codes that impose additional controls for inherently sensitive information. The Privacy Commissioner has also issued guidance emphasising that agencies handling sensitive data (broadly, information of real significance to the individual, which is revealing of them or they would generally wish to keep private) must take extra care and are held to a higher standard of accountability.

Health Information

Health data is regulated by the Health Information Privacy Code 2020, which replaces the IPPs for health agencies and sets more tailored rules for collection, use, disclosure, access and security in clinical and related contexts. This extends beyond traditional healthcare providers to various health-sector bodies and certain entities connected with health services.

Credit, Telecommunications and Biometric Information

Credit information handled by credit reporters is regulated by the Credit Reporting Privacy Code 2020. Telecommunications agencies are subject to the Telecommunications Information Privacy Code 2020, reflecting the sensitivity of communications-related information. The Biometric Processing Privacy Code 2025 regulates organisations using biometrics in automated systems (eg, facial recognition) and phases in compliance for existing uses.

Minors

There is no single “age of consent” threshold in the Privacy Act. However, organisations should treat children’s information as higher risk and ensure collection methods and notices are fair and appropriate. The Health Information Privacy Code expressly highlights fairness considerations where information is collected from children or young persons.

Criminal Convictions

Information about criminal convictions is personal information and subject to the Privacy Act. Additionally, the Criminal Records (Clean Slate) Act 2004 can restrict when conviction history must be disclosed by providing for automatic concealment where eligibility criteria are met (with important exceptions).

Whether patient data may be anonymised for product development or scientific research turns on a threshold question: is the data still “personal information” (ie, about an identifiable individual)? If data is truly anonymised, it generally falls outside the Privacy Act and Health Information Privacy Code. However, this requires robust controls, as “anonymisation” can fail where datasets can be linked or re-identified.

Legal Gateways for Research

Where information remains identifiable (including pseudonymised data), the relevant privacy rules continue to apply. For companies supplying products or services used by healthcare providers, the key legal gateway is usually the health agency’s authority to disclose information to the supplier and the contractual terms governing that disclosure.

Under the Health Information Privacy Code 2020, health agencies must generally have patient authorisation or rely on a permitted exception. The Code contains a specific pathway allowing disclosure where it is not desirable or practicable to obtain authorisation and the information is to be used:

• in a form in which the individual is not identified;
• for statistical purposes, not published in an identifying form; or
• for research purposes (with ethics committee approval if required), not published in an identifying form.

The Privacy Act IPPs also contain a research and statistics allowance for disclosure where information will not be published in an identifying form, though cross-border disclosures must still satisfy IPP 12 (see 5. International Considerations).

European Health Data Space

The EU Health Data Space Regulation does not apply as New Zealand statute but may affect New Zealand life sciences and digital health companies operating in the EU, supplying health software into EU markets, or seeking to access EU health datasets for research and development.

Privacy Requirements for AI Systems

In New Zealand, the use of personal data in artificial intelligence systems is regulated through existing privacy law rather than AI-specific legislation. The Privacy Act applies fully to AI-driven processing, meaning organisations must comply with the information privacy principles regardless of whether decisions are made by humans or automated systems. Core obligations include:

• collecting data for a lawful and necessary purpose;
• ensuring accuracy;
• maintaining security safeguards; and
• being transparent about how personal data is used.

Guidance on Automated Decision-Making

While there are no binding AI-specific rules, the Office of the Privacy Commissioner has issued guidance on the use of algorithms and automated decision-making. This guidance focuses on fairness, explainability and accountability. Organisations are expected to understand how AI systems reach decisions, assess risks of bias or error, and ensure individuals can meaningfully challenge or seek review of automated outcomes.

Risk-Based Regulation and International Influence

New Zealand does not operate a formal risk-based AI regime. However, international developments – particularly the EU AI Act – are influencing best practice. Overseas models classify AI systems by risk, prohibit certain uses such as social scoring, and impose heightened obligations on high-risk systems, including strong data governance, transparency and human oversight.

Impact on Data Protection

AI regulation reinforces, rather than replaces, data protection principles. Transparency, responsible data governance and human oversight are increasingly central expectations, especially where AI systems materially affect individuals’ rights or interests.

Under the Privacy Act, a privacy breach includes unauthorised or accidental access, disclosure, alteration, loss, or destruction of personal information, or any action preventing access to it.

A “notifiable” privacy breach means a privacy breach that it is reasonable to believe has caused serious harm to an affected individual or individuals or is likely to do so. The assessment is an objective one, determined from the viewpoint of a reasonable person in the organisation’s position who is properly informed based on the information available.

Organisations must notify the Privacy Commissioner and individuals affected by the breach, if the breach is likely to cause serious harm. Organisations should immediately contain (where possible) and mitigate breaches, secure systems and document decisions. A serious harm assessment must be undertaken promptly.

In assessing serious harm, organisations must consider factors such as:

• the nature and sensitivity of the personal information;
• security measures;
• the nature of the potential harm (ranging from physical to financial harm);
• the nature and number of recipients;
• mitigation steps taken to reduce the risk of harm following the breach; and
• other relevant matters.

Notification must occur as soon as practicable after becoming aware a breach has occurred. Notification must cover the prescribed list of details specified in the Act. This includes:

• details of the breach;
• mitigation steps; and
• contact information.

Failure to notify the Privacy Commissioner of a notifiable breach is an offence with a fine of up to NZD10,000.

The Privacy Commissioner has investigative and enforcement powers, including issuing compliance notices. Individuals may bring claims before the Human Rights Review Tribunal, which can award damages. Large breaches may lead to representative actions but are uncommon to date.

Office of the Privacy Commissioner (OPC)

The OPC is an Independent Crown Entity that regulates the Privacy Act. It supervises compliance with the information privacy principles (IPPs), receives mandatory breach notifications, and may issue binding codes of practice, access directions and compliance notices. Complaints are typically raised by individuals after first raising concerns with the relevant organisation, or via notifiable breach reports. The OPC emphasises early resolution but may formally investigate and issue compliance notices where required. Codes of practice and statutory notices are binding; general guidance is influential but not legally binding. See 1.8 Enforcement Proceedings and Fines for investigation procedure, sanctions and appeal rights.

Human Rights Review Tribunal (HRRT)

The HRRT adjudicates privacy claims, generally after the OPC process, and reviews certain OPC and Health and Disability Commissioner decisions. It may make declarations, restraining orders, performance orders and damages awards. See 1.8 Enforcement Proceedings and Fines for remedies and penalty bands.

Director of Human Rights Proceedings

The Director of Human Rights Proceedings receives referrals from the OPC where complaints remain unresolved and decides whether to commence proceedings in the HRRT, providing publicly funded representation in appropriate cases.

Health and Disability Commissioner (HDC)

The HDC investigates complaints under the Code of Rights, including confidentiality and health information issues. Matters may be resolved informally or formally investigated; decisions may be reviewed by the HRRT.

Broadcasting Standards Authority (BSA)

The BSA determines broadcast privacy complaints, usually after referral to the relevant broadcaster. It may issue binding determinations, orders and costs awards; appeals lie to the High Court.

Statistics NZ/Government Chief Data Steward

This regulator oversees statistical confidentiality and mandated data standards, which are binding across government. The Data and Statistics Act 2022 includes inspection, compliance notice and criminal offence provisions.

Domestic and Cross-Border Co-Ordination

New Zealand Cabinet Manual guidance requires public sector agencies to consult the OPC on proposals with significant privacy implications. Cross-border, the Privacy Act’s complaints framework allows referral of a complaint to an overseas privacy enforcement authority – defined as an overseas body responsible for enforcing personal information protection legislation with investigation and enforcement powers. The Act also contains specific rules governing overseas disclosures under IPP 12 (see 5. International Considerations).

An investigation into a privacy breach is initiated when an individual or organisation lodges a complaint with the OPC. The OPC determines whether an investigation is required. If one proceeds, the OPC’s primary focus is resolving the matter through settlement or conciliation, a dispute resolution process similar to mediation. The Privacy Commissioner may also act on their own initiative or following a mandatory breach notification. Outcomes include binding access directions and compliance notices, which specify breaches, required steps and timeframes. Compliance notices and access directions are reviewable by the Human Rights Review Tribunal (HRRT). Unresolved matters may also be referred to the Director of Human Rights Proceedings for litigation in the HRRT.

The Tribunal may grant the following:

• declarations;
• restraining orders;
• performance orders; and
• damages for pecuniary loss and humiliation.

Damages awarded can range from NZD3,000 to NZD120,000 and typically fall into three indicative bands:

• up to NZD10,000 for less serious breaches;
• NZD10,000–NZD50,000 for more serious cases; and
• over NZD50,000 for the most serious cases.

These bands are indicative only, as the HRRT ultimately assesses seriousness based on the impact of the breach and any ongoing consequences. Decisions of the HRRT are binding and appealable to the High Court on questions of law.

Criminal offences under the Privacy Act include:

• failure to notify a notifiable breach;
• non-compliance with a compliance notice;
• obstruction; and
• misleading the Commissioner.

Fines are generally up to NZD10,000. Penalties consider seriousness, harm, respondent conduct, mitigation, and general sentencing principles.

Regarding other regulators: the Broadcasting Standards Authority determines broadcast privacy complaints (usually after referral to the broadcaster) and may order apologies, statements, compensation, costs, or fines up to NZD5,000; appeals lie to the High Court. The Health and Disability Commissioner investigates sectoral complaints and may recommend remedies, require action, or refer matters to the Director of Proceedings for proceedings before the HRRT or Health Practitioners Disciplinary Tribunal. Under the Data and Statistics Act 2022, enforcement includes inspections, compliance notices, and criminal offences for unlawful disclosure of statistical information.

The Privacy Commissioner has reported a significant increase in notifiable privacy breach notifications to its office, with over half of such notifications falling within the classification as involving serious harm. This represents a 47% rise (from previous years) of this type of activity.

Although privacy complaints have increased, this likely reflects both the growing impact of cybersecurity incidents and the greater public awareness of an individual’s privacy rights. Private sector notifications to the OPC have more than tripled, indicating that organisations are engaging more actively with their reporting obligations.

While the 2025/26 Annual Report is yet to be released, recent trends show that New Zealanders are increasingly informed about their privacy rights and organisations are responding with greater transparency. The key message for organisations is that expectations around privacy are rising both from the Privacy Commissioner and New Zealanders, and, with cyber threats becoming more sophisticated, strong privacy practices and robust security measures are essential.

Main trends in privacy and data-related disputes specifically before courts can be observed from the High Court decisions of Neighbourly Ltd v Unknown Defendants [2026] NZHC 1, Manage My Health Ltd v Unknown Defendants [2026] NZHC 2 and Langley Twigg Partnership v Unknown Defendants [2026] NZHC 104. In each case, the affected organisations commenced proceedings to urgently contain the consequences of the breach. The key causes of action have been a breach of confidence and breach of privacy, both of which support urgent equitable relief where confidential or sensitive information is at risk.

In each case, the Court was asked to grant injunctions preventing access, use or disclosure of stolen information, reflecting a strong judicial focus on preventing further harm rather than making a determination on liability or compensation. These cases demonstrate that High Court cyber-attack litigation is primarily preventative and protective, rather than compensatory. As a result, non-material damages are not awarded in this particular context, and the courts instead concentrate on securing, controlling and ultimately removing compromised data from being circulated and disclosed.

As described in 2.1 Privacy Litigation Overview, the three 2026 High Court decisions of Neighbourly Ltd v Unknown Defendants [2026] NZHC 1, Manage My Health Ltd v Unknown Defendants [2026] NZHC 2, and Langley Twigg Partnership v Unknown Defendants [2026] NZHC 104 collectively establish a consistent judicial framework for cyber-attack litigation in New Zealand: confidential and sensitive information remains legally protected even after unlawful access, and courts will act swiftly to grant broad injunctive relief to prevent disclosure or further use of stolen data, disrupting cyber-extortion attempts. Together, these decisions confirm that organisations and their clients retain their confidentiality and privacy rights despite a breach and that the courts provide a reliable mechanism for urgent protective relief.

The recent decisions of the Human Rights Review Tribunal, on the other hand, demonstrate a pattern of organisations mishandling personal information in the following ways:

• inadequate information management practices, as in Jones v Accident Compensation Corporation [2025] NZHRRT 25;
• failure to respond to information privacy requests, as in Greensmith v Auckland Council [2025] NZHRRT 24; and
• disclosing personal information to unauthorised persons, as in Cummings v KAM Transport Ltd [2025] NZHRRT 8.

In these cases, the Tribunal has awarded compensatory damages generally between NZD3,500 and NZD30,000, reflective of the harm suffered by the individuals.

While privacy and data security issues are likely to form part of the landscape for collective redress, development of collective redress procedure in New Zealand has been in the hands of the courts, with no significant legislative initiatives.

New Zealand does not have a single overarching statutory framework for the protection and processing of non-personal data. Instead, New Zealand has taken the approach of regulating non-personal data on a sector-specific basis under the Customer and Product Data Act 2025 (CPDA). A key aspect of the CPDA is the establishment of the Consumer Data Right (CDR) framework, which enables consumers to have greater control over the data they generate.

Outside the CPDA, the protection and processing of non-personal data are generally governed by contracts and laws relating to the protection of intellectual property rights.

How Does It Work?

The CPDA is designation-based. Unless there is a designation regulation enacted under the CPDA for a particular sector, the CPDA would not apply. Currently, under the Customer and Product Data (Banking and Other Deposit-Taking) Regulations 2025 (the “Banking Regulations”), the banking sector is the only industry subject to CDR. The electricity industry is expected to be the next sector to be designated under the CPDA.

The CPDA separates data into two categories:

• “customer data” is data about an identifiable customer held by or on behalf of the data holder, and includes personal information; and
• “product data” relates to the data holder’s product(s) and does not include customer data.

Key actors within the scope of the CPDA include the following:

• data holder – a person specified in a designation regulation who holds designated customer or product data. For example, the Banking Regulations will initially apply to New Zealand’s major banks (ANZ, ASB, BNZ and Westpac), making them the first data holders under the CPDA;
• customer – a person who has acquired, acquires or seeks to acquire goods or services from a data holder; and
• accredited requestor – a third party accredited under the CPDA, allowing them to receive designated data.

The CPDA allows customers or their authorised accredited requestor to request data from a data holder. Customers may then use this data for their own benefit, such as enabling third-party budgeting apps to access the customer’s banking transaction history.

How Does It Compare to the EU Data Act?

The CPDA is materially different in scope and application to the EU Data Act. The CPDA focuses primarily on enabling customer access to, and portability of, data held by designated entities, with regulated accreditation of third-party recipients. In comparison, the EU Data Act goes further by creating mandatory business-to-business (B2B) and business-to-government (B2G) data-sharing rights in certain circumstances. The EU regime also contains detailed provisions on switching between cloud and data processing services and on interoperability, which are not central features of the CPDA.

At the date of publication of this guide (10 March 2026), there is no indication that the New Zealand government intends to enact a law similar to the EU Data Act. It is considered unlikely given the relative size of the New Zealand market compared to that of its major trading partners.

CPDA and the Privacy Act

The CPDA operates alongside the Privacy Act. Where customer data includes personal information, the data holder must continue to comply with the Privacy Act’s Information Privacy Principles (for example, in relation to purpose limitation, security and correction rights), while also meeting any additional data-sharing, portability and accreditation obligations imposed under the CPDA.

The CPDA provides a specific statutory avenue for customers who wish to request access to their designated customer data. However, if the data holder contravenes its obligations to provide the customer with access to their data in accordance with the CPDA, the contravention will be treated as an interference with the privacy of the customer under the Privacy Act.

Further, data holders risk breaching the storage and security of personal information requirements under the Privacy Act if they breach the data storage and security requirements under the CPDA.

CPDA and IP Protection

The CPDA does not displace the operation of existing laws that protect intellectual property rights. During the legislative process, the banking industry emphasised the need to avoid the disclosure of product data that contains commercially sensitive information or information that constitutes a bank’s intellectual property.

The CPDA requires the Ministry of Business, Innovation and Employment (MBIE), the government agency responsible for administering the CPDA, to have regard to any intellectual property rights that may exist in relation to customer or product data when designating new classes of customer or product data under any new designated regulations.

The CPDA (as described in 3.1 Objectives and Scope of Data Regulation) creates a statutory framework for access to and portability of customer data and product data. Under Sections 14 and 15, a customer may request that a data holder provide their designated customer data to them directly, or to an accredited requestor acting on the customer’s behalf with the customer’s authorisation. The customer may then use that data for their own benefit – for example, authorising a third-party budgeting application to access their banking transaction history held by a participating bank. As noted in 3.1 Objectives and Scope of Data Regulation, the CPDA does not include the switching, interoperability or FRAND provisions found in comparable overseas frameworks such as the EU Data Act; those matters fall outside the current scope of New Zealand’s statutory data-sharing framework.

Where a data holder’s designated customer data constitutes personal information, the CPDA operates alongside the Privacy Act. A data holder’s obligations under Sections 14 and 15 to provide data are separate from, but complementary to, an individual’s access rights under IPP 6 of the Privacy Act; requests under the CPDA are expressly not treated as requests under IPP 6 (Section 51(2) of the CPDA). If a data holder contravenes its obligations to provide data under Section 14, 15 or 16(2) of the CPDA, that contravention is deemed to be an interference with the privacy of the individual customer for the purposes of Parts 5 and 6 of the Privacy Act (Section 51(3)), engaging the Privacy Commissioner’s complaint and enforcement jurisdiction.

Action Items for Organisations

Organisations designated as data holders (currently ANZ, ASB, BNZ and Westpac under the Banking Regulations, with the electricity sector expected to follow) should review their obligations under the applicable designation regulations made under Section 104 of the CPDA. The designation framework under Sections 104–107 is sector-expandable: any organisation specified in a future designation regulation will immediately become a data holder. Organisations in sectors likely to be designated should monitor the MBIE’s consultation process under Section 106 (which requires consultation with substantially affected persons and the Privacy Commissioner before designation regulations are made) and begin assessing their readiness.

All current and prospective data holders should:

• establish the electronic system required by Section 27 to receive and respond to data requests;
• ensure that system complies with the technical and performance requirements under Section 28;
• implement identity verification processes required by Section 45;
• maintain records under Section 46; and
• audit existing data-sharing practices against both CPDA obligations and the IPPs under the Privacy Act.

Organisations seeking accreditation as accredited requestors should assess their eligibility, the applicable accreditation class, and their obligations under the Privacy Act in respect of any personal information they receive.

Authorities and Enforcement Mechanisms for the Protection and Processing of Non-Personal Data

The CPDA focuses on “product data”, defined in Section 9 as data about or relating to one or more of the data holder’s products, but excluding “customer data”. Enforcement primarily concerns the conduct of the “data holder” (defined in Section 6). Section 27 requires a data holder to operate an electronic system capable of receiving requests for regulated data services and providing those services in response. Section 28 prescribes the applicable technical and performance standards that the system must meet.

Non-compliance with Section 28 standards is a civil liability matter under subpart 5 of Part 4 of the CPDA, not a criminal offence. The chief executive may apply to the High Court for a pecuniary penalty order where a data holder has contravened a civil liability provision; maximum Tier 2 penalties are NZD500,000 for an individual or NZD2.5 million in any other case. A separate criminal offence arises under Section 30 only where a data holder fails to comply with a written notice from the chief executive requiring it to test its electronic system under Section 29 (or gives a false or misleading test report), carrying fines of up to NZD100,000 for an individual or NZD300,000 in any other case.

Additional enforcement mechanisms are set out in Part 4. Section 53 empowers the chief executive (being the chief executive of the MBIE) to require any person, by written notice, to supply information or produce documents. The exercise of that power is subject to Section 56, which requires destruction of information obtained through any exercise of Section 53 powers that is subsequently declared unlawful by a court. Failure to comply with a Section 53 notice, or supplying false or misleading information in purported compliance, is a criminal offence under Section 57, carrying fines of up to NZD100,000 for an individual or NZD300,000 in any other case.

Under Section 44, it is a criminal offence for a person to knowingly request a regulated data service that relates to a customer when not permitted to do so; an individual is liable to imprisonment for up to five years or a fine of up to NZD1 million (or both), and a body corporate to a fine of up to NZD5 million.

Subpart 2 of Part 4 addresses remedial obligations. Section 58 requires a data holder or accredited requestor to take the steps prescribed by the regulations to avoid, mitigate or remedy loss or damage suffered by a customer or another data holder or accredited requestor as a result of a contravention. Section 59 provides that an amount required to be paid under those regulations may be recovered as a debt in any court of competent jurisdiction.

Co-Ordination With the Privacy Commissioner

The CPDA contains two express bridges to the Privacy Act’s enforcement regime. Under Section 51(3), if a data holder contravenes Section 14, 15 or 16(2) – failing to provide designated customer data as required – that contravention is treated as an interference with the privacy of the individual customer for the purposes of Parts 5 and 6 of the Privacy Act, giving the Privacy Commissioner jurisdiction to receive and investigate complaints and the Human Rights Review Tribunal jurisdiction to award remedies. Under Section 52, if a data holder contravenes a CPD storage and security requirement in relation to personal information, it is treated as breaching IPP 5 of the Privacy Act, again engaging the Privacy Commissioner’s enforcement role. The Minister must also consult the Privacy Commissioner before recommending designation regulations under Section 106. These mechanisms mean that enforcement of the CPDA will, in practice, engage both the chief executive’s civil enforcement powers and the Privacy Commissioner’s jurisdiction in parallel.

Given the recent enactment of the CPDA, no enforcement actions have yet been taken and no trends have emerged. As the Banking Regulations take effect and the first data requests are processed, enforcement patterns – and the practical interaction between the chief executive’s powers and the Privacy Commissioner’s jurisdiction – are expected to become clearer in the next 12 to 24 months.

New Zealand does not have specific legislation governing cookies, software development kits or other online tracking technologies comparable to the EU’s ePrivacy Directive or the UK’s Privacy and Electronic Communications Regulations, and there is no statutory opt-in consent or opt-out model for tracking technologies. However, the Privacy Act applies directly where tracking technologies collect or generate information about an identifiable individual.

The key applicable principles are as follows. IPP 1 requires that personal information be collected only for a lawful purpose connected to the agency’s functions, and only to the extent necessary; meaning speculative data harvesting or collection without a clear purpose is unlikely to be compliant. IPP 3 requires that, where personal information is collected from an individual, the agency takes reasonable steps to ensure the individual is aware of the fact of collection, the purpose, the intended recipients, and the identity of the collecting agency; this effectively requires websites and applications using tracking technologies to maintain an accurate and accessible privacy or cookie notice. IPP 4 requires collection by fair and lawful means without unreasonable intrusion on personal affairs, which applies directly to covert or opaque tracking. IPP 10 prohibits use of personal information collected for one purpose (such as analytics) for a materially different purpose (such as targeted advertising or sale to data brokers) without a lawful basis, which, in practice, generally requires individual consent.

There is no “cookie consent” requirement equivalent to the General Data Protection Regulation or ePrivacy Directive framework. However, the Privacy Commissioner has indicated that organisations relying on tracking technologies for purposes beyond what individuals would reasonably expect should review their compliance with IPPs 1, 3 and 10, and ensure their privacy notices are accurate and accessible. Where electronic messages are sent using data gathered through tracking, the Unsolicited Electronic Messages Act 2007 applies. The Fair Trading Act 1986 applies to the extent that tracking-based advertising involves misleading or deceptive conduct.

Personalised or targeted advertising is regulated in New Zealand primarily by the following:

• Privacy Act 2020 and associated privacy codes;
• Unsolicited Electronic Messages Act 2007 (UEMA); and
• Fair Trading Act 1986 (FTA).

Advertising codes of conduct may also apply. Certain content within personalised or targeted advertising may be subject to specific legislation (eg, where content constitutes financial advice, the Financial Markets Conduct Act 2013 will apply).

Privacy Act 2020

The Privacy Act applies to the collection and use of personal information for personalised advertising on the same basis as described in 4.1 Use of Cookies. In particular, IPP 10 restricts use of data collected for one purpose (such as website analytics or account management) for an unrelated purpose such as targeted advertising and use for the latter purpose will generally require the individual’s consent. Organisations must also ensure that their data collection practices for advertising purposes comply with the transparency requirements of IPP 3 and the purpose-limitation requirement of IPP 1, as described in 4.1 Use of Cookies.

The Unsolicited Electronic Messages Act 2007 (UEMA)

The UEMA governs “commercial electronic messages” and applies to, among other things, marketing and promotional material sent through an electronic message (including SMS or email) for the promotion of goods or services.

The UEMA provides that a person must not send, or cause to be sent, “an unsolicited commercial electronic message that has a New Zealand link” without consent (as discussed further below). Consent is therefore required to send personalised or targeted commercial electronic messages.

In addition to the requirement for consent, commercial electronic messages must identify the sender and have an unsubscribe facility. 

Fair Trading Act 1986 (FTA)

The FTA provides broad protection to consumers from, among other things, misleading, deceptive and unfair conduct. While the FTA does not specifically regulate personalised or targeted advertising, the conduct of advertisers must comply with the FTA. A personalised advertisement may breach the FTA if, for example, it contains claims suggesting a product suits a consumer’s specific individual requirements which cannot be substantiated.

Industry Codes

Industry codes including the ASA Advertising Standards Code and Children’s Advertising Code set standards for advertising in New Zealand. While compliance with these codes is not a legal requirement, in practice there is a high level of compliance in New Zealand due to contractual requirements of many media outlets, and non-compliance with these standards indicates possible non-compliance with the requirements of the FTA. 

Profiling

There is no specific regulation of profiling for the purpose of personalising or targeting advertising in New Zealand. However, in the course of profiling, the advertiser would need to comply with the Privacy Act requirement that collection of personal information must be for a lawful purpose and that, in the circumstances (particularly in relation to children and young persons), the collection is fair and does not intrude unreasonably upon the personal affairs of the individual.

For any profile created that contains personal information, the Privacy Act requires that the profiling agency takes reasonable steps to ensure the information is accurate, up to date, complete, relevant and not misleading. 

Sensitive Data

The Privacy Act does not have an express “sensitive information” category. However, certain types of personal information are treated as “sensitive” under the Privacy Act. For example, the Health Information Privacy Code 2020 (issued under the Privacy Act) places additional privacy safeguards on the collection, use and disclosure of health information.

Information collected from children and young people is also regulated under the Privacy Act. While the Privacy Act does not have specific provisions relating to the privacy rights of children and young persons, the Act highlights that particular considerations must be given to ensure that the manner of collection must be fair and not unreasonably intrude on the personal affairs of the child or young persons.

In addition to the ASA Advertising Standards Code, discussed above, a separate code, the Children’s Advertising Code, applies to advertising targeted to children. 

Consent Requirements

Consent to use personal information for personalised or targeted advertising is not required under the Privacy Act, provided the information is collected for a lawful purpose and collection is necessary for that purpose, the individual has been informed of the collection and the purpose of collection, and certain other conditions are satisfied.

Children may lack capacity to provide adequate consent for collection and use of their personal information, and consent from a parent or guardian will generally be required. As discussed above, the UEMA requires consent to commercial electronic messages and is also applicable to targeted and personalised commercial electronic messages sent to children.

Consent to commercial electronic messages may be express, inferred or deemed from circumstances. The person claiming that a recipient has consented to receiving a message has the onus of proving that consent was provided. There is no prescribed form for obtaining consent.

Targeted online advertising that appears on social media platforms is not subject to the UEMA, unless it involves the sending of an electronic message to the viewer.

In New Zealand, employment privacy is primarily governed by the Privacy Act, alongside the Employment Relations Act 2000 (good faith obligations), the Human Rights Act 1993 (non-discrimination), and, where relevant, the Health and Safety at Work Act 2015.

Employers may collect employee or applicant information only for a lawful and necessary purpose connected with their functions (IPP 1). Under IPP 3, individuals must be informed of the following:

• purpose of collection;
• intended recipients;
• consequences of non-provision; and
• their rights of access and correction.

These principles apply equally to recruitment. Regarding prospective employees, background checks must be necessary, transparent and non-discriminatory.

Employee monitoring is permitted but must be lawful, necessary, transparent and not unreasonably intrusive. Employers should clearly inform staff of monitoring practices. Such practices must also comply with employment law good faith and procedural fairness requirements.

For remote work, IT systems and BYOD, employers remain responsible for ensuring reasonable security safeguards of personal information, including secure access controls and protection against unauthorised disclosure. Where third-party or cloud providers are used, the employer remains accountable, and cross-border disclosures must comply with IPP 12.

Serious employment-related data breaches trigger mandatory notification obligations and potential liability, including damages for humiliation or injury to feelings.

Mergers and acquisitions in New Zealand are likely to engage privacy obligations at every stage, as follows.

Due Diligence

During due diligence, the target is likely to disclose personal information about employees, customers and suppliers to the acquirer. IPP 11(1)(i) provides a specific gateway, permitting disclosure where necessary to facilitate the sale or disposition of a business as a going concern. This exception operates without individual consent but applies only where the transaction genuinely involves disposing of a business as a going concern, not merely asset sales or partial disposals.

Despite this statutory exception, organisations should implement robust controls:

• limiting disclosure to information genuinely necessary;
• restricting access through NDAs and data rooms;
• anonymising data where feasible; and
• delaying transfer of highly sensitive information until completion.

Change of Control and Integration

At completion, personal information transfers to the acquiring entity/agency. This is generally permissible as information continues to be used for purposes directly related to the original collection. However, agencies must update privacy notices to reflect the change in agency, align security measures across the combined entity, and review retention policies.

Cross-Border Considerations

Where an acquirer or merged entity is located offshore, or information will be hosted overseas post-transaction, IPP 12 requires specific safeguards for cross-border disclosures, including obtaining individual authorisation, confirming comparable privacy protections or implementing contractual safeguards.

Notification

There is no general obligation to notify individuals or the Privacy Commissioner purely due to change of control, though good practice involves updating privacy statements promptly.

Disclosure Outside New Zealand

IPP 12 of the Privacy Act governs “disclosure” of personal information outside New Zealand. Disclosure is not defined in the Privacy Act but given its usual meaning will apply to an agency subject to the Act making the personal information available to a third party. This will include transfers of information unless an exception applies under the Act.

Personal information may only be disclosed outside New Zealand where the disclosing agency has first ensured that appropriate safeguards apply.

In practical terms, before disclosing personal information overseas, the agency must take reasonable steps to confirm that the overseas recipient:

• is carrying on business in New Zealand and therefore subject to the Privacy Act; or
• is subject to privacy laws that, overall, provide comparable safeguards to the New Zealand regime; or
• is contractually required (for example, through appropriate data protection clauses) to protect the information in a way that provides comparable safeguards.

If none of these safeguards apply, the information may only be disclosed if the individual expressly authorises the disclosure after being clearly informed that the overseas recipient may not be required to protect their information to the same standard as under the New Zealand Privacy Act.

Onward Transfers

Onward transfers of information, after the initial overseas disclosure, are governed by the contractual arrangement between the NZ agency and the overseas recipient relating to the initial data disclosure. While the Privacy Act does not prescribe any “model clauses” that must be included in a data transfer agreement, the New Zealand Privacy Commissioner provides a set of “off the shelf” clauses that can be voluntarily used to ensure that the data transfer agreement contains the necessary privacy safeguards comparable with the Privacy Act.

Exceptions

The requirements relating to the overseas disclosure of personal information do not apply where the disclosure by an agency is to a service provider and the information will be held by the service provider for storing or processing solely on behalf of that agency, and the service provider will not use the information for its own purposes.

In such circumstance, the Privacy Act does not treat the disclosure of personal information to be an overseas disclosure, and instead treats the information as being held by the agency (even where the information is actually stored outside New Zealand).

Non-Personal Data

There is no general regulation applicable to the transfer or other disclosure of non-personal information outside New Zealand.

New Zealand does not require organisations to register, file or obtain prior approval from any authority before making international transfers of personal information. The applicable framework under IPP 12 of the Privacy Act imposes substantive transfer-restriction obligations on the disclosing agency (see 5.1 Restrictions on International Data Transfers), but compliance with those obligations is self-assessed and does not involve any prior notification to or authorisation by the Privacy Commissioner or any other regulator. No binding scheme regulations or prescribed country regulations have been made under Section 213 or 214 of the Privacy Act as at the date of publication of this guide. New Zealand has no export control regime applying to data transfers as such, and no equivalent of Article 32 of the EU Data Act.

Data Localisation Requirements

New Zealand does not impose general statutory data localisation or residency requirements. There is no blanket prohibition on storing or processing personal information offshore.

Cross-Border Transfer Framework

IPP 12 governs disclosure of personal information outside New Zealand. Before disclosing personal information to foreign persons or entities, agencies must meet specified safeguards, including the following:

• individual authorisation with express notification that offshore protections may differ;
• the recipient being subject to the Privacy Act (by carrying on business in New Zealand);
• the recipient being subject to privacy laws providing comparable safeguards;
• the recipient being a participant in a prescribed binding scheme; or
• the agency otherwise ensuring comparable protections through contractual or other means.

Complementing this, Section 11 of the Customer and Product Data Act 2025 imposes requirements for the standardised handling of customer and product data, applying to New Zealand agencies wherever they operate and to overseas agencies conducting business in New Zealand, regardless of where the data is located.

Remote Access

The Privacy Act does not distinguish between transferring information offshore and granting remote access to information held in New Zealand from an offshore location. Both are regulated under IPP 12.

Sector-Specific Codes

Section 32 of the Privacy Act enables the Privacy Commissioner to issue codes of practice that may modify the application of one or more IPPs. The Health Information Privacy Code 2020, Biometric Processing Privacy Code 2025, Telecommunications Information Privacy Code 2020, and Credit Reporting Privacy Code 2020 each apply IPP 12’s cross-border safeguards to certain sector-specific disclosure grounds and require that offshore recipients provide protections comparable to those in the Privacy Act as modified by the relevant code.

The Civil Defence National Emergencies (Information Sharing) Code 2020 makes IPP 12 compliance subject to reasonable practicability during national emergencies.

None of the codes imposes data localisation or residency requirements.

Practical Implications

While there is flexibility to use offshore infrastructure and service providers, agencies must conduct transfer impact assessments, implement contractual protections with offshore processors, and maintain documentation demonstrating IPP 12 compliance. Sector-specific codes may require additional safeguards depending on the type of information being transferred.

Blocking Statutes

New Zealand has not enacted a broad or comprehensive blocking statute equivalent to those operating in other jurisdictions, such as Council Regulation (EC) No 2271/96 (the “EU Blocking Statute”), which expressly prohibits EU persons from complying with specified extraterritorial US sanctions, or China’s Data Security Law and Personal Information Protection Law, which prohibit provision of data to foreign judicial or law enforcement authorities without prior state approval. Instead, New Zealand’s framework addresses cross-border issues through controls on the transfer of personal information and domestic implementation of international sanctions obligations.

Gathering Evidence for Foreign Proceedings

For foreign civil proceedings, Sections 184–185 of the Evidence Act 2006 provide a mechanism by which the High Court may order the examination of witnesses, production of specified documents, inspection of property, or other evidence-gathering steps if requested by a foreign court. For foreign criminal matters, the Mutual Assistance in Criminal Matters Act 1992 (MACMA) enables foreign governments to request evidence-gathering assistance from New Zealand via the Attorney-General, subject to mandatory and discretionary grounds for refusal. Both regimes preserve standard New Zealand witness privileges and compellability rules, and the MACMA expressly preserves the operation of the Evidence Act 2006.

Sanctions Compliance

The United Nations Act 1946 empowers the Governor-General, by Order in Council, to give effect to UN Security Council measures; sanctions apply in New Zealand only once implementing regulations are made. New Zealand does not restrict entities from voluntarily complying with foreign sanctions regimes, provided such compliance does not contravene domestic law.

Cross-Border Disclosures and Privacy

The Privacy Act operates as New Zealand’s primary constraint on offshore disclosure of personal information through IPP 12 (see 5.1 Restrictions on International Data Transfers). Even without a blocking statute, privacy law can limit compliance with foreign discovery requests where personal information is involved.

Māori Data Sovereignty

Where Māori data is involved, organisations should give practical consideration to Māori Data Sovereignty principles (Te Mana Raraunga) and may face ethical obligations to consult iwi or hapū before releasing information offshore, even where IPP 12 would otherwise permit the transfer.

New Zealand’s Adequacy Status Reaffirmed

In 2024, the European Commission reaffirmed New Zealand’s adequacy status, confirming that New Zealand’s level of personal data protection is comparable to Europe’s standards. This is significant because it allows the transfer of personal data about EU residents, to New Zealand, without additional safeguards under EU law. The reaffirmation of New Zealand’s status signals to the world continued confidence that New Zealand’s privacy framework supports cross-border trade in an increasingly data-driven world.

As part of the process for New Zealand to retain its adequacy status, the New Zealand government introduced, in the recent Privacy Amendment Act 2025, a new principle (IPP 3A) to the Privacy Act. IPP 3A concerns the indirect collection of personal information. It requires that if an agency collects personal information indirectly (eg, a lender obtains credit history information from a credit reporting agency or an employer obtains references about an applicant from a former employer), the agency must inform the individual concerned, unless an exception applies.

Previously, there was no notification requirement for the indirect collection of personal information. This gap in New Zealand’s privacy framework was highlighted during the EU’s assessment of New Zealand’s “adequacy status”.

Overseas Transfer

Principle 12 of the Privacy Act regulates the disclosure of personal information to organisations or people outside New Zealand. Among the different pathways in IPP 12 to permit the disclosure of data overseas, it provides that some disclosures can be simplified if the recipient is subject to:

• a prescribed binding scheme; or
• the laws of a prescribed country.

However, to date, there are no regulations prescribing binding schemes or countries for the purpose of IPP 12.

Furthermore, the amendments to IPP 12(1)(e) by the Statutes Amendment Act 2025 indicate that, even if there were to be a regulation prescribing a country or a binding scheme, the transfer of data may be subject to limitations or qualifications prescribed in regulations in respect of the overseas disclosure to that country.

In the meantime, as set out in 5.1 Restrictions on International Data Transfers, an agency seeking to disclose data outside New Zealand can use the other pathways set out in IPP 12 for the overseas disclosure.