Updated Privacy Laws coming to NZ

Overshadowed by overseas privacy law changes like GDPR, our own NZ Privacy legislation has flown a little under the radar. But rest assured, changes are coming here as well.

The last change in NZ law was in 1993, and it was world-leading at the time. Then in 2011, the Law Commission suggested an update, and that’s where we are now. The expectation is that the bill will become law mid-2019, with the key aim of ensuring we can be confident that our personal information – online or elsewhere – is safe and treated well.

Notifiable Breaches


The key change, like the Australian Notifiable Breaches legislation, is to require a notification in the event of a data breach. There is a trigger for this – the breach must pass a certain threshold, and if it does, the agency holding the data must let the impacted individual know, and notify the Privacy Commission. There are a couple of exceptions to this, but nothing significant.

You must notify if the breach may (or there is a potential risk that it may):

  • cause loss, detriment, damage, or injury to the individual;
  • adversely affect the rights, benefits, privileges, obligations, or interests of the individual; or
  • result in significant humiliation, loss of dignity, or injury to the feelings of the individual.

That of course raises the question as to what ‘potential risk’ is and how on earth you can decide that. But with a $10,000 potential fine, this will be significant for any business, especially a small business.

Mandatory Demands


There are legal scenarios, presumably a warrant or similar, that require you to hand over information to law enforcement authorities, and that information may include information about individuals that would fall under the act. If you find yourself in this position, you must hand over only exactly what is required and nothing extra; otherwise this too would be a breach.

The bill is currently at its second reading – so some of the points above are subject to the select committee and may yet change. One example is the limit of the fines for non-compliance, with the Privacy Commissioner reported to be trying to increase these to a maximum of $100,000. You can learn more on the parliamentary website.