What changed between the Privacy Act 1993 and the current Privacy Act 2020?
The Privacy Act 2020 came into force on 1 December 2020. Changes to the law will enhance the role of the Privacy Commissioner. The key features are:
- Requirements to report privacy breaches: If an organisation has a privacy breach that poses a risk of serious harm, it must notify the Commissioner and the people affected (unless an exception applies).
- Compliance notices: The Commissioner can issue compliance notices to require an organisation to do something, or stop doing something, to comply with the Privacy Act.
- Decisions on access requests: The Commissioner can make binding decisions on complaints about access to information, rather than the Human Rights Review Tribunal. The Commissioner’s decisions can be appealed to the Tribunal.
- Strengthening cross-border protections: New Zealand agencies will have to take reasonable steps to ensure that personal information sent overseas is protected by acceptable privacy standards.
- New criminal offences: It will be an offence to mislead an organisation in a way that affects someone else’s personal information, and to destroy documents containing personal information if a request has been made for it. The penalty is a fine of up to $10,000. It will be an offence to fail to notify the Commissioner of a serious privacy breach, or to fail to comply with an enforceable compliance notice.
- Extraterritoriality: An overseas agency will be treated as “carrying on business in New Zealand” even if it does not have a physical place of business here (for instance, if it charges any monetary payment for goods or services or makes a profit from its business in New Zealand).
See a full comparison of the Acts.
IPP3A: If a third-party organisation collects your information from an organisation that had collected your personal information from you directly, then the third-party organisation will be required to notify you of this collection.
Find out more about the Privacy Act 2020.
Updated October 2025