A New Privacy Act Means You Need To Act

By Office of the Privacy Commissioner


On 1 December 2020, New Zealand’s updated Privacy Act comes into force. Here’s what AML businesses need to know to prepare for the changes.


The world in 2020 is almost unrecognisable compared to 1993 when the first Privacy Act was passed. The Privacy Act 2020 significantly modernises New Zealand’s privacy law and recognises the enormous technological advances of the past 27 years.


The new Act, like its predecessor, is based on information privacy principles that set broad standards around how organisations can collect, use, store, and share people’s personal information.


The updated Act gives the Privacy Commissioner additional powers including:

  • The ability to issue compliance notices to compel organisations to do something – or stop doing something.

  • The power to direct organisations to give individuals access to their personal information.


“There are new criminal offences for non-compliance and new fines.

Some behaviour which has been optional will now become mandatory.”

Privacy Commissioner logo

Cross-Border Disclosure


New Zealand companies engaged in international trade need to get up to speed with the changes. The Privacy Act 2020 contains a new information privacy principle (IPP), principle 12, which sets rules around sending personal information to organisations or individuals outside of New Zealand.


Sending personal information overseas is known as “cross-border disclosure”. Businesses and organisations are now responsible for ensuring that any personal information they disclose to organisations outside New Zealand is adequately protected. They must demonstrate that they have undertaken necessary due diligence before making a cross-border disclosure.


Personal information may only be disclosed to an offshore organisation if that organisation is:

  • Subject to the Privacy Act because they do business in New Zealand.

  • Subject to privacy laws that provide comparable safeguards to the Privacy Act – or they agree to protect the information in such a way (for example, by using ‘model contract clauses’).

  • Covered by a binding scheme or is subject to the privacy laws of a country prescribed by the New Zealand Government.

If none of the above criteria apply, a business or organisation may only make a cross-border disclosure with the permission of the person concerned. That person must be informed that their information may not be given the same protection as provided by the New Zealand Privacy Act.


Cloud Storage


A business or organisation may send information to an overseas organisation to hold or process on their behalf as their ‘agent’. This will not be treated as a disclosure under the Privacy Act.


A typical example of this is an overseas company providing cloud-based services for a New Zealand organisation. The latter will be responsible for ensuring that their agent – the overseas company – handles the information in accordance with the New Zealand Privacy Act.


Urgent Disclosures


A business or organisation may need to make a cross-border disclosure in certain urgent circumstances where it would not otherwise be allowed. IPP 12 allows cross-border disclosure when it is necessary to maintain public health or safety, to prevent a serious threat to someone’s life or health, or for the maintenance of the law.