Marco Lam

New Zealand - The Privacy Act 2020

New Data Protection Law in New Zealand

In recent years, concerns about data protection and privacy have risen significantly, and many regions and countries have introduced laws and rules to regulate data breaches. The GDPR was launched by the EU in May 2018 and the LGPD was launched by Brazil in August 2020. In addition to the GDPR and the LGPD, New Zealand's Privacy Act 2020 came into force on 1 December 2020, replacing the Privacy Act 1993.

The Privacy Act 2020

The purpose of this Act is to promote and protect individual privacy. The Act requires organizations to report serious data breaches instantly if there is any risk of harm. The risk of harm refers to any data that has been leaked outside of an organization or to the public. All organizations based in New Zealand, overseas organizations that do business within New Zealand, and organizations that collect data from New Zealand citizens must follow and carry out the Act. In other words, the Act is relevant to, and affects, the whole world. Under the Act, organizations need to appoint a privacy officer to supervise internal compliance and the compliance process, and to handle all related issues. If a personal data breach occurs, the privacy officer is also responsible for it and must produce a report.


Under the Act, an organization that violates it could be fined up to NZ$10,000 for non-compliance. On top of that, the Privacy Commissioner could make an official complaint to the Human Rights Tribunal, which could lead to a fine of up to NZ$230,000. The Privacy Commissioner also has the power to investigate the organization's data protection practices.

The similarities and differences between the Privacy Act 2020, the GDPR and the LGPD

The territorial, personal and material scopes of these three laws are similar: the Privacy Act 2020, the GDPR, and the LGPD all grant individuals certain data privacy and require organizations to meet data protection obligations when processing data. These laws apply to organizations whether or not they are located within the respective countries.

Though the Privacy Act 2020 is renewed and enhanced, it makes no clear statement about offshore data. Offshore transfer of information to a third party for storage or processing is excepted; such offshore information would not be classified as a use or disclosure. As a result, some organizations, such as cloud service providers, may not necessarily adopt and implement the Privacy Act 2020.

Furthermore, all organizations need to notify the relevant authorities and the affected parties of an incident. Under the GDPR's notification mechanism, organizations need to report a data leakage incident to the authorities within 72 hours, whereas there is no written reporting time under the LGPD and the Privacy Act 2020. Moreover, under these laws, all organizations must appoint a specific person to handle issues related to data protection. A Data Protection Officer (DPO) is required under the GDPR and the LGPD, while a privacy officer is required under the Privacy Act 2020. By comparison, the penalty for violators is relatively gentle under the Privacy Act 2020. The LGPD is relatively moderate and the GDPR is relatively harsh, with fines of up to 50 million reals (approximately €11 million) and €20 million respectively.


The Privacy Act 2020 is a milestone for New Zealand's privacy regulation. All organizations, especially those located in New Zealand, should pay attention to it. In fact, due to the widespread use of data transformation and data transmission, data protection is a rising topic worldwide. Even though not all countries have published and implemented data protection laws, all organizations should keep the information they collect in a safe place and minimize the risk of data leakage.
