The Rebirth of the New Zealand Privacy Act

Aditya Gaur
Jul 12, 2020


Yes, you read that right: it’s a rebirth, not a birth. So, when was it born?

As of now, the Privacy Act of New Zealand is 27 years old; it has its origins in 1993. Twenty-seven years is a long time, almost three decades. People spend their lives gaining that many years of experience, and many readers must be younger than this act; I certainly am. The cyberspace we had 27 years ago was very different from, and much smaller than, the one we have now. Plenty of things, such as policies, technologies, and human behavior, have changed over the last few decades. Hence, as technology advances, it becomes necessary to reform policy. That’s why New Zealand felt the need to reform its privacy regime. The Privacy Act of 1993, rather than covering all aspects of privacy, focused more on information privacy. And when it comes to legal matters, things need to be stated very clearly, without any prejudice or room for confusion.

The revised act, now called the Privacy Act 2020, retains almost all the principles of the Privacy Act 1993, but a lot has changed in how it is enforced and regulated. The scope has been revised, the Privacy Commissioner has been given more power, there are now new rules regarding cross-border data transfers, and a lot more. On the last day of the previous month, 30th June 2020, the Privacy Bill received the royal assent and became the Privacy Act 2020. The Act is proposed to take effect on 1st December 2020. Not sure what the royal assent means? Neither was I, so I looked it up on the web and found the following answer.

“The granting of the Royal assent signifies the bill has the approval of the Queen, who is New Zealand’s Head of State. In New Zealand, the Royal assent is given by the Governor-General as the Sovereign’s representative.” [1]

Yes, New Zealand is an independent country, but Queen Elizabeth II is still the Head of State. Yeah, that’s additional information for you, thank me later! Now, let’s get back to the Act. The new Act introduces the following scheme and reforms.


The Act applies to agencies operating inside or outside New Zealand, or anyone involved in collecting or holding PII of the country’s residents.

Here, ‘Agency’ is another piece of legal jargon that collectively refers to any person or group of persons, including government departments, companies, businesses, and social groups, irrespective of whether they belong to the private sector or the public sector.

The Data Controller and Data Processor defined under GDPR are both referred to here as Agencies.

Let’s quickly review both terms. The Data Controller determines the purpose of the PII processing, and the Data Processor processes PII on behalf of the controller.


As stated above, almost all the principles of the Privacy Act 1993 are retained and are defined as ‘Information Privacy Principles’. There are 12 or 13 principles in total, each defined separately, such as Purpose of Collection of Personal Information (PI), Source of PI, Collection of Information from Subject, etc.


The Act gives data subjects a variety of rights, such as the Right to be informed, the Right of access, the Right to correction, and some more.

Privacy Breach Notification Mandate

If a privacy breach occurs, agencies are bound to notify the Privacy Commissioner and the affected people, considering the sensitivity of the PI and other relevant factors required to reduce the risk of harm. There’s a fine of $10,000 if agencies fail to notify.

More power in the hands of the Privacy Commissioner

The Privacy Commissioner now has the power to issue Compliance Notices, which require agencies to comply with the new legislation; failing to do so can attract fines of up to $10,000. The Privacy Commissioner also has the power to direct agencies to give an individual access to their data. There is also a provision to impose a fine on anyone under the scope of this Act for not cooperating with the Commissioner or any other person exercising his or her powers under this Act.

Cross-Border Data Transfers

The new Act makes it very clear under Information Privacy Principle 12, ‘Disclosure of PI outside New Zealand’, that agencies need to ensure that the organizations outside New Zealand with which they intend to share data protect that data to the same level.

Thanks for giving it a read; I hope you liked my article. Please leave your feedback in the comments: what you think about it, or anything that you’d like to share.

Stay safe, stay home, and stay secure!



Aditya Gaur

CCSK | AWS & Azure Certified Cloud Practitioner | ISO Certified ISMS & PIMS Auditor