The Privacy Act 2020 will come into force on 1 December 2020. The reforms in this legislation aim to strengthen privacy protections and encourage businesses and organisations to identify risks and prevent incidents relating to personal data that may cause harm.

What is Changing?

In summary, the Privacy Act 2020 will:

  • introduce a privacy breach notification regime. It will be mandatory to report a privacy breach that results in, or is likely to result in, serious harm to an individual. The Act makes clear that liability for this rests with the organisation rather than the individual(s) involved;
  • confirm that organisations must not collect identifying information unless necessary;
  • ensure that the collection of information from children and young people is fair and reasonable;
  • regulate how personal information can be sent overseas;
  • have extra-territorial effect. An overseas organisation carrying on business in New Zealand will be subject to the Privacy Act’s obligations, even without a physical presence in New Zealand;
  • introduce new and increased fines for certain failures and two new criminal offences;
  • give the Privacy Commissioner new powers, including the ability to direct businesses to provide an individual with their personal information, and to issue notices ordering businesses to comply with the Act.

How will this affect Insurers?

Insurers are included in the definition of “agency” and as such will need to comply with the Privacy Act provisions. This will include taking particular care to protect the vast amount of personal information collected, processed and retained (including outside New Zealand) by insurers on a daily basis.

The most important change to the Privacy legislation is the requirement to report privacy breaches that cause or are likely to cause serious harm. Failure to notify will constitute an offence under the Act and can attract a fine of up to $10,000. The Privacy Commissioner will also have the power to publish the identity of the offending organisation if it is in the public interest to do so.

New Zealand agencies, including insurers, will also need to take reasonable steps to ensure that personal information sent overseas is protected by comparable overseas privacy standards.


It seems that Parliament has chosen not to align the new Privacy Act provisions with international precedents in terms of broader subject rights and fines for non-compliance. For example, although the Act increases fines from $2,000 to $10,000, this is minimal compared to the EU’s General Data Protection Regulation (GDPR) which attracts significant fines of up to €20 million or 4% of the firm’s worldwide annual revenue, whichever is higher.

There is also the issue of whether the amendments will be sufficient to maintain New Zealand’s adequacy status with the EU. New Zealand holds this status along with 11 other countries, giving it an economic advantage over countries such as Australia. However, we do not know yet how the EU will perceive the lack of alignment between the Privacy Act 2020 and the GDPR. If adequacy status is lost, this may have implications for New Zealand businesses exchanging information with overseas agencies and for New Zealand’s trade agreements generally.

Notwithstanding this, the changes to the Privacy Act regime are positive and will help move us toward ensuring better data protection and cybersecurity for New Zealanders in line with international trends.

This publication is intended as a general overview and discussion of the content dealt with. It should not be used in any specific situation, in which case you should seek specific legal advice.