Data privacy law: What’s behind the New Zealand Privacy Act 2020?

04-11-2024 | 6 | Business to Government compliance, GDPR Compliance

Continuing with our series of articles on international data privacy laws, we turn our attention to New Zealand. The New Zealand Privacy Act 2020 came into effect on December 1, 2020. With its emphasis on building an integrated “privacy by design” approach into affected systems and organisations’ processes, New Zealand’s new regulations have triggered significant changes to the country’s data privacy landscape. In this blog, we shine the spotlight on some of the most interesting aspects of the legislation that you need to know about.

Global Reach

In common with many other data protection laws, the New Zealand Privacy Act 2020 has an extraterritorial scope. This legislation applies to any organisation doing business in New Zealand, regardless of its physical location. What this means in practice is that international companies handling the personal data of New Zealand residents must comply with the act, even if they don’t have a physical presence in the country. This is similar to other international data privacy laws we have written about, including Japan’s, which also has an extraterritorial scope.

Privacy breach reporting mandate

As with other major privacy regulations, the New Zealand government is taking a tough line on data privacy breaches. The act requires all organisations covered by this law to proactively report any privacy breaches that could result in serious harm to individuals. This new reporting obligation ensures maximum transparency, and it also means that in the event of a data breach, remedial steps can be taken as quickly as possible to protect the privacy of affected consumers. In this way, the New Zealand Privacy Act 2020 is closely aligned with other international standards, including GDPR.

Enhanced rights for individuals

For a long time, irrespective of location, consumers were not easily able to gain access to or control the information that external organisations were holding. Across the world, data privacy laws have sought to rectify this issue, and the New Zealand Privacy Act 2020 continues with this important consumer protection. According to the country’s regulations, individuals should have comprehensive and clear rights over their personal information. They have full control over how any data held on them is utilised. In fact, this includes how the data can be accessed, the right to request changes or corrections to the data, and the right to object to its use or disclosure.

Proactive approach to safeguarding consumer privacy

The New Zealand Privacy Act 2020 includes a very significant requirement, known as Privacy Principle 12, that further protects the privacy rights of consumers. This relates to the potential transfer of personal data beyond the jurisdiction covered by New Zealand’s laws to third countries. Known as the Third Countries Restrictions, it requires that any organisation bound by the data protection law of New Zealand check that the country to which the data is being transferred also adheres to equally stringent privacy protections. This promotes a more proactive approach to data security and privacy protection.

According to Privacy Principle 12, organisations also need to account for the following:

  • The original purpose of collecting data
  • The primary source of personal information
  • Manner of data collection
  • Storage and security in place to protect personal information
  • Access control to personal information
  • Correction of personal information
  • Accuracy of personal information
  • Retention of personal information
  • Use and disclosure of personal information by third parties.

Greater Privacy Commissioner powers for New Zealand

The Privacy Commissioner has been awarded greater enforcement authority to ensure that organisations are fully compliant with the New Zealand Privacy Act 2020. In fact, these new powers are wide-reaching and include the following:

  • the right to issue compliance notices
  • the right to make legally binding decisions on requests from consumers for access to their data
  • the authority to impose penalties and/or fines for non-compliance.

Restricted use of unique identifiers

One controversial aspect of the consumer data mining practices that some companies have adopted relates to the use of unique identifiers. Typically, international data privacy laws require that individual consumers must not be personally identifiable by their data, which protects them against potential data breaches. Conveniently, the New Zealand Privacy Act 2020 also restricts the way organisations can potentially use unique identifiers. In fact, the inclusion of this clause within the regulations acknowledges the potential privacy risks associated with such practices. Additionally, it demonstrates a clear understanding of modern data privacy challenges faced by the authorities of New Zealand.

How does the New Zealand Privacy Act compare with GDPR?

As already highlighted in this article, there are some obvious similarities between the New Zealand Privacy Act 2020 and the EU’s General Data Protection Regulation (GDPR). Two clear similarities are the:

  • right for an individual to request access to personal data held on them
  • right to gain control over data that is held

However, there are also some differences between the two data privacy laws. One of the most obvious is the level of financial penalty imposed by regulators for non-compliance. For instance, fines imposed for GDPR non-compliance can exceed the higher figure of either millions of Euros or 4% of annual global turnover for the most serious offences.

Contrast this with fines imposed for breaching New Zealand Privacy Act 2020 requirements, which can reach up to NZD 10,000 for individual cases and NZD 50,000 for organisations that commit specific offences under the act. New Zealand’s Privacy Act can, therefore, be regarded as a sound ‘middle ground’ policy, providing greater protections for consumers than the previous regulations while being much less stringent (in terms of financial penalties) than GDPR.

Key takeaways

TJC Group believes the New Zealand Privacy Act 2020 provides a significant update and enhancement to the country’s existing data protection frameworks. It aligns New Zealand’s consumer privacy laws with other international standards and will help to ensure that the country’s citizens are well-safeguarded in our modern, data-driven economy.

Overall, protecting consumer data is even more critical during migrations to new systems, such as the mandatory move to S/4HANA or similar ERPs, so data management plays a crucial role here. With data privacy laws and regulations in force, organisations have to be extra careful with how their consumer data is being managed. After all, achieving data compliance is no easy task, especially when you have to adhere to legal and fiscal requirements. In such cases, you need to collaborate with the right partner who can help the process run smoothly.

For your data management needs, TJC Group is here for you. From data archiving to legacy system decommissioning, we help in the comprehensive management of data while adhering to the regulatory requirements of the data protection laws. With our proven processes and due diligence, organisations can show regulators evidence of a clear project scope and proven methodology that is fully automated.

Connect with us today for your data management needs and ensure compliance with data privacy laws.

