New reforms set to modernise Privacy Act

Thursday 22 March 2018

Authors: Laura Littlewood and Elizabeth Vincent

A new Privacy Bill has been introduced to Parliament which will impact all New Zealand businesses that collect, use or hold information about individuals.

The Privacy Bill represents a long-awaited update to New Zealand's privacy laws, following recommendations from the Law Commission in 2011. It follows a global trend towards more robust regulation of personal information, including Australia's recent amendment to its Privacy Act, and the upcoming implementation of the European Union's General Data Protection Regulation (GDPR) in May this year.

You can read the new Privacy Bill here.

Key changes

Key changes under the Privacy Bill are consistent with those signalled by the Law Commission and the Privacy Commissioner, although not all of the Privacy Commissioner's recommendations have been included (see our previous article here). 

Key changes include:

  • Mandatory reporting of privacy breaches: The Privacy Commissioner must be notified where there is a risk of harm as a result of unauthorised or accidental disclosure of personal information.
  • Compliance notices: The Privacy Commissioner will be able to issue notices to require agencies to take (or prevent) particular action(s). These notices will be enforced by the Human Rights Tribunal.
  • Stronger cross-border data flow protection: Reasonable steps must be taken by New Zealand agencies to ensure that any personal information disclosed in other jurisdictions is subject to adequate privacy standards. Further, the Bill aims to clarify the law applicable to overseas service providers engaged by New Zealand agencies.
  • New criminal offences: A fine not exceeding $10,000 will be introduced to penalise anyone who misleads an agency in a manner which affects another person's personal information, or who destroys documents containing personal information following a request for access.
  • Powers of the Commissioner: The Commissioner will be able to make binding decisions on access requests. Additionally, the Commissioner will have increased investigatory powers, including increasing penalties for non-compliance.

The Privacy Bill states that the new requirements will come into force on 1 July 2019. However, this reflects a proposed transitional period of 6 months. The effective date will ultimately depend on the speed of the Privacy Bill's progress through the parliamentary process - after the long lead-up to the release of the Bill.

Next steps

We will be closely monitoring the proposed reform and will keep you updated when further information is announced.

If you need any further information on matters covered in this update, please contact your usual Bell Gully adviser.   


This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.
