What the Privacy Act 2020 means for you in New Zealand
New Zealand’s Privacy Act 2020 is the primary law governing how organisations collect, store, use, and share your personal information. It replaced the 1993 Act, introduced stronger enforcement powers, and created a mandatory data breach notification regime that directly affects every Kiwi who shops online, uses a government service, or signs up to anything that holds their data. Understanding it matters whether you are an individual asserting your rights or a business trying to stay compliant.
How the Privacy Act 2020 actually works
The Act is built around thirteen Information Privacy Principles (IPPs). These are not vague aspirations — they are legally enforceable standards that any agency (a term covering businesses, government departments, NGOs, and even individuals who hold personal information in a professional capacity) must follow. The Office of the Privacy Commissioner (OPC) oversees compliance and can investigate complaints, issue compliance notices, and refer serious cases to the Human Rights Review Tribunal, which can award damages.
The thirteen IPPs cover the full lifecycle of personal data:
- Collection (IPPs 1–4): Agencies may only collect information for a lawful purpose directly connected to their function. They must collect it directly from you where practicable, and tell you why they are collecting it and who will receive it.
- Storage and security (IPP 5): Agencies must take reasonable steps to protect information from loss, misuse, or unauthorised access. “Reasonable steps” is context-dependent — a hospital holding medical records is held to a higher standard than a local sports club holding a membership list.
- Access and correction (IPPs 6–7): You have the right to request access to personal information an agency holds about you, and to request correction if it is wrong. Agencies must respond within twenty working days.
- Use and disclosure (IPPs 10–11): Information collected for one purpose generally cannot be used or disclosed for an unrelated purpose without your consent.
- Unique identifiers (IPP 13): Agencies cannot assign you an identifier (like a customer number) that could be used to cross-match your information across multiple databases without authorisation.
- Transborder data flows (IPP 12 / section 212): This is where it gets relevant for VPN and cloud tool users — personal information may only be sent overseas if the destination country has comparable privacy protections, or if you have authorised it.
The 2020 Act also introduced mandatory breach notification. If an agency suffers a privacy breach that is likely to cause serious harm, it must notify both the Privacy Commissioner and the affected individuals as soon as practicable. Failure to notify is itself an offence.
Your rights as an individual under the Act
Most New Zealanders do not realise how many actionable rights the Privacy Act gives them. These are not soft suggestions — they are enforceable entitlements.
Right of access (IPP 6): You can submit a privacy request (sometimes called a Subject Access Request, borrowing GDPR terminology) to any agency asking what personal information they hold about you. The agency has twenty working days to respond. They can withhold information in limited circumstances — for example, if disclosure would prejudice an ongoing investigation — but they must tell you they are withholding it and why.
Right of correction (IPP 7): If information is incorrect, you can ask for it to be corrected. If the agency refuses, you can require them to attach a statement of your correction request to the record.
Right to complain: If you believe an agency has breached an IPP, you can complain to the Privacy Commissioner at no cost. The OPC will attempt mediation first. If that fails, the matter can go to the Human Rights Review Tribunal, which can award damages of up to NZ$350,000 in serious cases.
Sensitive categories: The Act gives heightened protection to information about health, finances, ethnicity, religion, and sexual orientation. Agencies handling this data face stricter obligations around collection justification and disclosure.
Key takeaway: Your right to access and correct personal information is free to exercise and enforceable by law. If an agency ignores your request within twenty working days, that non-response is itself a potential breach you can complain about.
NZ-specific considerations: ISPs, Five Eyes, and data sovereignty
New Zealand sits inside the Five Eyes intelligence alliance alongside Australia, the United States, the United Kingdom, and Canada. This matters for privacy because Five Eyes members share signals intelligence and, under certain frameworks, can request data held by each other’s agencies. The Privacy Act 2020 does not override intelligence-gathering legislation — the Government Communications Security Bureau Act and the Intelligence and Security Act 2017 sit alongside it and create lawful exceptions.
Your internet service provider — whether that is Chorus-based fibre delivered through Spark, One NZ, 2degrees, or a smaller reseller — is an agency under the Privacy Act. They hold metadata about your connection: timestamps, volumes, and in some cases DNS query logs. The Telecommunications (Interception Capability and Security) Act 2013 (TICSA) requires ISPs to maintain interception capability for lawful government access. This is separate from the Privacy Act but shapes the practical privacy landscape for NZ internet users.
For those on Hyperfibre connections (Chorus’s 2Gbps and 4Gbps tiers, available through retail providers), the speed is largely irrelevant to your legal privacy posture — but it is very relevant to the performance of privacy tools like VPNs, which we cover below. On a 900/500 Mbps fibre line, you would typically see VPN throughput of 400–700 Mbps to an Australian server, depending on protocol and provider, with latency around 28–35ms to Sydney. Transpacific (US) connections introduce a physics-imposed floor of roughly 138ms round-trip to the US West Coast.
Cloud storage and SaaS tools used by NZ businesses — Microsoft 365, Google Workspace, Salesforce — involve transborder data flows. Under IPP 12 and section 212 of the Act, a NZ business using these services must take reasonable steps to ensure the overseas recipient protects the information consistently with the Act. In practice, this means reviewing data processing agreements and, where possible, selecting data residency options that keep data in Australia or New Zealand rather than routing it through US data centres.
For NZ streaming services — TVNZ+, ThreeNow, Neon, Sky Sport Now, Whakaata Māori — the Privacy Act governs how those platforms handle your viewing data and account information. They are NZ agencies subject to the Act. If you want to know what data TVNZ+ holds about you, you can submit a privacy request directly to them.
Recommended setup: protecting your own privacy under the Act’s framework
The Privacy Act protects you from organisations mishandling your data. But it does not protect you from your own exposure — that requires deliberate technical choices. Here is a practical setup for NZ users who want to align their tools with the Act’s intent.
- Audit what you have shared. Start by submitting privacy requests to the five or six organisations that hold the most data about you: your bank, your ISP, your health provider, your main social platform, and any loyalty programme you use. This is free and gives you a real picture of your exposure.
- Use a reputable VPN for network-layer privacy. A VPN encrypts your traffic between your device and the VPN server, preventing your ISP from logging the content of your browsing. It does not make you anonymous, but it does reduce the metadata your ISP can collect. For NZ users, choose a provider with servers in Australia (low latency), a verified no-logs policy, and ideally incorporation outside Five Eyes jurisdiction. See our best VPN guide for current recommendations tested on NZ connections.
- Harden your DNS. Your ISP’s default DNS resolver can log every domain you query. Switch to an encrypted DNS provider (DNS-over-HTTPS or DNS-over-TLS) such as Cloudflare’s 1.1.1.1 or NextDNS. This is free and takes under five minutes on most routers.
- Review app permissions on mobile. Under the Privacy Act, the operators of apps that collect your location, contacts, or health data are agencies. Revoke permissions you do not actively use. On iOS and Android, audit this quarterly.
- Use unique email addresses per service. Tools like SimpleLogin or Apple’s Hide My Email let you create aliases. If a service suffers a breach, you know exactly which one leaked your address, and you can disable that alias without affecting your main inbox.
- Encrypt sensitive files before cloud upload. If you store personal documents in Dropbox, OneDrive, or Google Drive, encrypt them locally first using a tool like Cryptomator. This means even if the cloud provider is compelled to disclose data, the content is unreadable.
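As an added illustration of the DNS step above (not part of the original article), here is a systemd-resolved drop-in that enforces DNS-over-TLS to Cloudflare’s 1.1.1.1, with the default plaintext behaviour shown alongside for comparison. It assumes a Linux host that resolves through systemd-resolved; the file path is the standard drop-in location.

```ini
# Added example (not from the article): systemd-resolved drop-in enforcing
# DNS-over-TLS to 1.1.1.1, the resolver the article names.
# Assumes a Linux host using systemd-resolved. Save as
# /etc/systemd/resolved.conf.d/dot.conf, then: systemctl restart systemd-resolved
#
# Before (typical default): DNS= is unset, so the ISP resolver handed out by
# DHCP is used over plaintext UDP/53 and can log every domain you query.
#
#   [Resolve]
#   #DNS=
#   #DNSOverTLS=no
#
# After: pin the resolvers, pin the TLS name so the server certificate is
# validated (the "#hostname" suffix), and require TLS rather than prefer it.
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
# Empty value clears the compiled-in fallback list, so nothing plaintext remains.
FallbackDNS=
# "yes" fails closed: if the TLS session cannot be established, resolution fails
# instead of silently dropping back to port 53 ("opportunistic" would do that).
DNSOverTLS=yes
# Route every lookup through these servers, not only per-link search domains.
Domains=~.
# Check with: resolvectl status   (expect "+DNSOverTLS" under Protocols)
```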
If you are evaluating free tools, be cautious — many free VPNs and privacy apps monetise through data collection, which is precisely what you are trying to avoid. Our free VPN guide covers which free options are genuinely trustworthy and which to avoid.
Best VPN tools for NZ users in a Privacy Act context
When choosing a VPN in the context of NZ privacy, the key criteria are: jurisdiction (outside Five Eyes preferred), independently audited no-logs policy, performance on NZ fibre, and transparent NZD pricing. The table below summarises the leading options as of 2026.
| Provider | Jurisdiction | No-logs audit | NZ server | AU server | Approx. NZD/month (annual plan) | Protocol options |
|---|---|---|---|---|---|---|
| ExpressVPN | British Virgin Islands | Yes (KPMG, Cure53) | Yes | Yes | ~NZ$12–14 | Lightway, OpenVPN, IKEv2 |
| NordVPN | Panama | Yes (Deloitte) | Yes | Yes | ~NZ$6–9 | NordLynx (WireGuard), OpenVPN |
| Mullvad | Sweden | Yes (Cure53) | No | Yes | ~NZ$9 flat (no annual discount) | WireGuard, OpenVPN |
| Proton VPN | Switzerland | Yes (Securitum) | No | Yes | ~NZ$8–13 | WireGuard, OpenVPN, Stealth |
| Surfshark | Netherlands | Yes (Deloitte) | Yes | Yes | ~NZ$4–6 | WireGuard, OpenVPN, IKEv2 |
Methodology note: Latency and throughput ranges cited in this article are based on the physics of undersea cable routes (Southern Cross, Tasman Global Access) and corroborated by typical results reported on NZ speed-testing forums and provider transparency reports. We do not publish single-session benchmark numbers as representative figures — expect variance of ±15–20% depending on time of day and server load.
For most NZ users, NordVPN or Proton VPN offer the best balance of price, audit credibility, and AU/NZ server availability. Mullvad is the strongest choice if anonymity of payment matters to you — it accepts cash and cryptocurrency and does not require an email address to sign up, which aligns closely with the Privacy Act’s data minimisation principle. Proton VPN’s Swiss jurisdiction puts it outside both EU and Five Eyes legal reach, which is a meaningful distinction for threat models involving government data requests.
Business obligations under the Privacy Act 2020
If you run a business in New Zealand — even a sole trader with a client list — you are an agency under the Act. The practical obligations are more demanding than many small operators realise.
Privacy Officer: Every agency must designate a Privacy Officer. For a small business, this is typically the owner. The Privacy Officer is responsible for handling access requests, managing breach responses, and keeping the organisation’s privacy practices current. Their name and contact details should be accessible to anyone who wants to make a request.
Privacy Impact Assessments (PIAs): Before launching a new product, service, or system that involves collecting personal information, agencies should conduct a PIA. The OPC provides a free PIA tool. This is not legally mandatory in all cases, but it is best practice and provides a defence if a complaint arises later.
Breach response: If you suffer a breach — a hacked database, a misdirected email containing client data, a stolen laptop — you must assess whether it is likely to cause serious harm. If yes, notify the OPC and affected individuals promptly. The OPC’s website has a breach assessment tool. Delays in notification are treated seriously; the Act does not specify a hard deadline but “as soon as practicable” is interpreted strictly.
Third-party processors: If you use a payroll provider, a CRM, a marketing automation platform, or any other third party that processes personal data on your behalf, you remain responsible for that data under the Act. Your contracts with those providers should include privacy obligations, and you should verify they have adequate security practices.
Children’s data: The Act does not set a specific age threshold, but the OPC’s guidance makes clear that collecting data from children requires particular care around consent and purpose. If your service is likely to be used by under-16s, review your collection practices carefully.
FAQ
Does the Privacy Act 2020 apply to overseas companies operating in New Zealand?
Yes, with some nuance. The Act applies to any agency that carries on business in New Zealand and collects personal information from New Zealanders, even if the agency is incorporated overseas. A US-based SaaS company with NZ customers is generally subject to the Act in respect of those customers’ data. Enforcement against overseas entities is harder in practice, but the legal obligation exists. The Privacy Commissioner can work with overseas counterparts through international frameworks.
What is the difference between the Privacy Act 2020 and GDPR?
GDPR is the European Union’s data protection regulation. It is broader in some respects — it includes a right to erasure (“right to be forgotten”) and stricter consent requirements — but the NZ Privacy Act 2020 was deliberately updated to be closer to GDPR in spirit, which is why the EU has recognised New Zealand as having an adequate level of data protection. This means NZ businesses can receive personal data from EU entities without additional transfer mechanisms. The key practical difference is enforcement: GDPR fines can reach 4% of global annual turnover; NZ penalties are lower, capped at NZ$10,000 for certain offences, though the Human Rights Review Tribunal can award higher damages in individual cases.
Can I ask my ISP (Spark, One NZ, 2degrees) what data they hold about me?
Yes. ISPs are agencies under the Privacy Act. You can submit a formal privacy access request asking what personal information they hold, including account data, billing history, and any metadata logs. They have twenty working days to respond. Note that some information may be withheld if it relates to lawful interception under TICSA, but they must tell you that a withholding ground applies.
Does using a VPN make me compliant with the Privacy Act?
A VPN is not a compliance tool — it is a personal privacy tool. If you are a business, using a VPN does not substitute for having a Privacy Officer, a breach response plan, or proper data handling practices. For individuals, a VPN reduces the metadata your ISP can collect and encrypts your traffic in transit, which aligns with the Act’s spirit of data minimisation, but it does not give you any legal rights or protections beyond what the Act already provides.
What counts as a “serious harm” breach requiring notification?
The Act does not define serious harm exhaustively, but the OPC’s guidance identifies relevant factors: the sensitivity of the information (health, financial, identity data ranks higher), the likelihood of the information being misused, the number of people affected, and whether the affected individuals are vulnerable (elderly, children, people in dangerous situations). A database of properly salted, slow-hashed passwords for a low-risk service is unlikely to meet the threshold; weakly hashed passwords that can be cracked in bulk are a different matter. A spreadsheet of clients’ health records emailed to the wrong address almost certainly does meet it.
Is there a cost to making a privacy access request?
No. Agencies cannot charge you to process a standard privacy access request. They can charge for requests that require significant work — for example, retrieving archived records — but only if they have told you in advance and the charge is reasonable. Complaining to the Privacy Commissioner is also free.
How does the Privacy Act interact with the Broadcasting Standards Authority (BSA) and media?
News media have a specific exemption under the Privacy Act for the purpose of news activities, meaning journalists are not subject to the IPPs when collecting and publishing information in the public interest. However, this exemption is not unlimited — it does not cover gratuitous publication of private information with no public interest justification. The BSA handles complaints about broadcast content separately, and its privacy standards overlap with but are distinct from the Privacy Act framework.
Bottom line
The Privacy Act 2020 is a genuinely substantive piece of legislation that gives New Zealanders real, enforceable rights over their personal data — and places real obligations on every organisation that holds it. For individuals, the most important actions are knowing your right to access and correct your data, understanding that your ISP and cloud providers are agencies subject to the Act, and layering in technical tools (encrypted DNS, a reputable VPN, local file encryption) to reduce your exposure beyond what the law alone can protect. For businesses, the Act is not optional compliance theatre: the mandatory breach notification regime, the requirement for a designated Privacy Officer, and the OPC’s growing enforcement activity mean that treating privacy as an afterthought carries genuine legal and reputational risk. New Zealand’s position inside Five Eyes and its reliance on overseas cloud infrastructure make data sovereignty an ongoing practical challenge — one the Act acknowledges but cannot fully resolve on its own.