New Zealand
Summary
Law: Privacy Act 2020 ('the Act')
Regulator: The Office of the Privacy Commissioner of New Zealand ('OPC')
Summary: The Act repeals and replaces the Privacy Act 1993 and contains 13 Information Privacy Principles ('IPP') that govern the use of personal information in New Zealand. The Act requires agencies to appoint at least one privacy officer, report data breaches that cause, or are likely to cause, serious harm, and provides data subjects with both the right to access and the right to request correction of their personal information. In addition, the new IPP 12 provides that an organisation or business may only disclose personal information to an agency outside of New Zealand if the receiving agency is subject to similar safeguards to those in the Act. Furthermore, the Act introduces new criminal penalties, punishable with fines of up to NZD 10,000 (approx. €5,870) and allows the OPC to issue compliance notices and enforceable access directions. Notably, New Zealand was the first APAC jurisdiction to be recognised as providing an adequate level of personal data protection by the European Commission.