New Zealand
Five Eyes member with modernized privacy law but weak enforcement powers
Overview
New Zealand presents a distinctive case in the global privacy landscape: a country that has undertaken efforts to modernize its data protection framework while simultaneously operating one of the most deeply integrated intelligence-sharing partnerships in the world. The Privacy Act 2020, which replaced the Privacy Act 1993 on December 1, 2020, introduced mandatory breach notification, compliance notices, extraterritorial application, and cross-border transfer safeguards, bringing New Zealand’s civilian privacy regime closer to international standards such as the EU’s GDPR.[1]
At the same time, New Zealand is a founding member of the Five Eyes intelligence alliance under the UKUSA Agreement, contributing signals intelligence from the Pacific region through the Government Communications Security Bureau (GCSB) and domestic security intelligence through the New Zealand Security Intelligence Service (NZSIS).[2] The country’s intelligence legislation was comprehensively overhauled in 2017 with the passage of the Intelligence and Security Act, which consolidated the legal frameworks for both agencies and established a dual-authorization warrant system for the surveillance of New Zealand citizens and residents.
The tension between these two dimensions, robust civilian privacy protections on one hand and deep integration into a global surveillance alliance on the other, defines New Zealand’s position in privacy law. The country’s Privacy Commissioner has publicly acknowledged the weakness of the enforcement model, calling for civil fines, a right of erasure, and AI safeguards that the current law does not provide.[3] With record complaint volumes, an expanding biometric privacy code, and a 2025 amendment designed to preserve EU adequacy status, New Zealand’s privacy framework is undergoing changes, though gaps remain.
Data Protection Authority: Office of the Privacy Commissioner
The Office of the Privacy Commissioner (OPC) is New Zealand’s independent data protection authority, established under the Privacy Act 1993 and continued under the Privacy Act 2020. The current Privacy Commissioner is Michael Webster, who took office in July 2022.[4] The Commissioner is appointed by the Governor-General on the recommendation of the Minister of Justice and operates independently of the government.
Powers and Functions
Under the Privacy Act 2020, the Commissioner has authority to:
- Investigate complaints from individuals who believe their privacy has been breached
- Conduct own-motion investigations (inquiries) into matters of public interest
- Issue compliance notices, a new power introduced by the 2020 Act that allows the Commissioner to issue binding directives requiring agencies to take specific actions to comply with the law[1]
- Make determinations on complaints and refer unresolved matters to the Human Rights Review Tribunal (HRRT) for enforceable remedies
- Issue privacy codes of practice that modify or supplement the Information Privacy Principles for specific sectors or types of information
- Exercise a naming power to publicly identify agencies that have breached the Privacy Act
Enforcement Weakness
Despite these powers, New Zealand’s privacy enforcement model has a critical structural weakness: the Privacy Act does not provide for civil penalties or administrative fines. The maximum criminal penalty is NZD $10,000 for failure to notify the Commissioner of a notifiable privacy breach, a sum that is negligible for large organizations.[5] While the Human Rights Review Tribunal can award damages in individual cases, there is no equivalent of the GDPR’s turnover-based fines or the multi-million-dollar penalties available to regulators in Australia, the United Kingdom, or Canada.
Commissioner Webster has been vocal about the need for reform. In marking the Privacy Act’s fifth anniversary in December 2025, he called for multimillion-dollar civil fines, a right of erasure (analogous to the GDPR’s right to be forgotten), and robust safeguards for automated decision-making and AI. He characterized these as necessary to ensure the law keeps pace with the scale and sophistication of modern privacy threats.[3]
Complaints and Investigations
Complaint volumes have risen sharply. In the 2024–2025 reporting period, the OPC received 1,598 complaints, a 21% increase year over year, alongside increased breach notifications.[3] Notable enforcement actions include:
- PAK’nSAVE stores were publicly named for breaching the Privacy Act in connection with the collection and use of customer information
- In January 2026, the Commissioner announced a formal inquiry into the Manage My Health cyber incident, after the health platform notified the Commissioner of a security breach affecting patient data[6]
Key Legislation: Privacy Act 2020
The Privacy Act 2020 (No. 31) was enacted on June 30, 2020, and came into force on December 1, 2020, replacing the Privacy Act 1993 which had governed New Zealand’s data protection landscape for nearly three decades.[7] While the 2020 Act preserves the core structure of the 1993 law, including the 13 Information Privacy Principles (IPPs), it introduces several significant new provisions that bring New Zealand closer to international standards.
13 Information Privacy Principles
The IPPs form the backbone of the Privacy Act and govern the entire lifecycle of personal information:[8]
- IPP 1 – Purpose of Collection: Personal information may only be collected for a lawful purpose connected to the agency’s function, and only when the collection is necessary for that purpose
- IPP 2 – Source of Information: Personal information should be collected directly from the individual concerned, where possible
- IPP 3 – Collection from Subject: When collecting information directly, the agency must inform the individual of the purpose, intended recipients, and consequences of non-provision
- IPP 3A – Indirect Collection Notification: Added by the Privacy Amendment Act 2025, this new principle requires agencies to take reasonable steps to notify individuals when their personal information is collected from a source other than the individual. It takes effect on May 1, 2026[9]
- IPP 4 – Manner of Collection: Information must not be collected by unlawful, unfair, or unreasonably intrusive means
- IPP 5 – Storage and Security: Agencies must protect personal information against loss, unauthorized access, use, modification, or disclosure
- IPP 6 – Access: Individuals have the right to access their personal information held by an agency
- IPP 7 – Correction: Individuals have the right to request correction of their personal information
- IPP 8 – Accuracy: Agencies must take reasonable steps to ensure personal information is accurate, complete, and not misleading before use
- IPP 9 – Retention: Personal information must not be kept for longer than is required for the purposes for which it may lawfully be used
- IPP 10 – Use Limits: Personal information collected for one purpose must not be used for a different purpose unless an exception applies
- IPP 11 – Disclosure Limits: Agencies must not disclose personal information unless an exception applies
- IPP 12 – Cross-Border Disclosure: New in the 2020 Act, this principle requires that personal information disclosed to a foreign person or entity is subject to adequate privacy protections[10]
- IPP 13 – Unique Identifiers: Agencies may only assign unique identifiers where necessary for their functions, and must not use another agency’s identifier
Key New Provisions in the 2020 Act
Mandatory Breach Notification: Agencies must notify the Privacy Commissioner and affected individuals of privacy breaches that are likely to cause “serious harm,” doing so “as soon as practicable” after becoming aware of the breach. Failure to comply is a criminal offence carrying a maximum fine of NZD $10,000.[5]
Extraterritorial Application: The Privacy Act now explicitly applies to overseas agencies that carry on business in New Zealand, regardless of where the personal information is collected or stored. This was a significant expansion from the 1993 Act, which had limited extraterritorial reach.[10]
Scope and Exemptions: The Act applies to “agencies” broadly defined as any person or body that collects, holds, or uses personal information. However, exemptions exist for courts (in their judicial capacity), Parliament, intelligence agencies (GCSB and NZSIS), and news media (in relation to their news activities).[7]
Privacy Codes of Practice
The Privacy Commissioner may issue codes of practice that modify, supplement, or replace the IPPs for specific sectors. Two significant codes are currently in force:
The Health Information Privacy Code 2020 applies to all health agencies and replaces the 13 IPPs with 13 sector-specific rules governing the collection, use, storage, and disclosure of health information. The rules address health-specific concerns such as information sharing between providers, patient access rights, and the disclosure of health information to family members.[11]
The Biometric Processing Privacy Code 2025 came into force on November 3, 2025, and establishes specific rules for the automated collection and processing of biometric information such as facial features, fingerprints, and voiceprints. The Code requires a necessity and proportionality test for biometric collection, mandates privacy impact assessments, restricts high-risk uses such as real-time facial recognition in public spaces, and prohibits secondary uses such as emotion or demographic analysis. Agencies already processing biometric data have until August 3, 2026 to comply.[12]
Surveillance and Intelligence
Intelligence and Security Act 2017
The Intelligence and Security Act 2017 (ISA 2017) is New Zealand’s principal intelligence legislation. It modernized and consolidated the legal frameworks previously contained in the GCSB Act 2003 and the NZSIS Act 1969, creating a unified statutory basis for both agencies’ operations.[13]
The Act establishes a dual-authorization warrant system that distinguishes between the surveillance of New Zealanders and non-New Zealanders:
- Type 1 Intelligence Warrants (targeting New Zealand citizens or residents) require authorization from both the responsible Minister and a Commissioner of Intelligence Warrants, a retired High Court judge. This dual-authorization requirement provides a judicial check on executive power[14]
- Type 2 Intelligence Warrants (targeting non-New Zealand persons) require authorization from the Minister alone, with no judicial approval required
Authorized activities under intelligence warrants include covert surveillance, interception of communications, search and seizure, computer exploitation (hacking), tracking devices, and human intelligence operations (the use of agents and sources). Agencies may also request foreign governments or other entities to carry out activities on their behalf.[15]
GCSB Act 2003 (as amended 2013)
The Government Communications Security Bureau Act 2003 originally established the GCSB’s functions in signals intelligence and information assurance. In 2013, the Act was amended amid public debate to expand the GCSB’s powers to surveil New Zealand citizens and residents, a direct response to revelations that the GCSB had illegally spied on Kim Dotcom, a New Zealand resident, during an FBI-led investigation. The illegal surveillance led to a government inquiry and prompted the legislative changes.[16] While the ISA 2017 now serves as the primary legislation, the GCSB Act remains in force for certain operational matters.
Telecommunications (Interception Capability and Security) Act 2013 (TICSA)
The TICSA imposes obligations on New Zealand telecommunications network operators in two areas: interception capability (ensuring networks can be lawfully intercepted by intelligence agencies) and network security. Under Part 3 of the Act, the GCSB’s National Cyber Security Centre (NCSC) works with network operators to identify and mitigate risks to the security of public telecommunications networks.[17]
The TICSA gained international attention in 2018 when the GCSB, acting under the Act’s network security provisions, declined Spark’s proposal to use Huawei 5G equipment in its network on the grounds that the proposed use posed a “significant network security risk.” The Act applies a country- and vendor-agnostic framework, assessing each proposal on a case-by-case basis, but the practical effect was to give the GCSB veto power over the deployment of telecommunications equipment from vendors deemed to pose security risks.[18]
Search and Surveillance Act 2012
The Search and Surveillance Act 2012 consolidated New Zealand’s previously fragmented search, seizure, and surveillance powers into a single statute. It governs the powers of law enforcement agencies (primarily the New Zealand Police) and provides for production orders (compelling the production of documents or data), warrantless searches in urgent circumstances, and a residual warrant regime for novel surveillance techniques.[19] This Act is the primary mechanism through which law enforcement accesses telecommunications data in the absence of a mandatory data retention law.
Intelligence Agencies
Government Communications Security Bureau (GCSB)
The GCSB is New Zealand’s signals intelligence (SIGINT) and information assurance agency. Its functions include collecting and analyzing foreign intelligence from electronic communications, providing cybersecurity services to organizations of national significance, and conducting information assurance for the New Zealand government.[16]
Historically, the GCSB operated the Waihopai Station near Blenheim in the South Island, a satellite communications interception facility that was part of the ECHELON network, the global signals intelligence system operated by the Five Eyes alliance. The station’s radome-enclosed satellite dishes intercepted communications from Intelsat satellites over the Pacific, with intercepted messages tagged with the FLINTLOCK codename identifying their Waihopai origin before distribution across the ECHELON network.[20] The station also operated in conjunction with a facility at Tangimoana on the North Island. The Waihopai radomes were decommissioned in 2022 due to technological obsolescence, though the facility continues intelligence operations using updated capabilities.
The GCSB also operates the CORTEX cyber defense program, launched in 2014, which provides advanced cyber threat detection and disruption services to New Zealand organizations of national significance across the public and private sectors. In the 2023–2024 reporting period, CORTEX prevented an estimated NZD $38.8 million in harm and detected between 15 and 20 cyber intrusions per month affecting New Zealand organizations.[21]
New Zealand Security Intelligence Service (NZSIS)
The NZSIS is New Zealand’s domestic security intelligence agency, responsible for counter-espionage, counter-terrorism, security vetting of personnel for sensitive government positions, and the collection of intelligence relevant to New Zealand’s national security. Unlike the GCSB, which focuses on electronic signals, the NZSIS primarily conducts human intelligence (HUMINT) operations and security investigations within New Zealand.
Oversight Bodies
New Zealand’s intelligence agencies are subject to three layers of oversight:
- Inspector-General of Intelligence and Security (IGIS): The principal independent oversight body, currently held by Brendan Horsley (since June 2020). The IGIS has broad powers to investigate the activities of both the GCSB and NZSIS, review compliance procedures, and investigate complaints. The office reported in 2023–2024 on significant oversight matters including the use of class warrants, open source intelligence collection, and the management of human rights risks in intelligence sharing.[22]
- Intelligence and Security Committee (ISC): A parliamentary committee of 5–7 members that provides political oversight of intelligence agencies. Members hold security clearances and receive classified briefings
- Commissioner of Intelligence Warrants: A retired High Court judge who must jointly authorize Type 1 warrants targeting New Zealand citizens and residents, providing a judicial check on the warrant process
Five Eyes: Full Partner Status
As a “2nd Party” partner in the Five Eyes alliance, New Zealand shares raw signals intelligence (not just finished intelligence reports) with the United States, United Kingdom, Canada, and Australia. The alliance operates on a principle of not targeting each other’s citizens, though the scope and enforcement of this commitment have been the subject of ongoing debate. New Zealand’s geographic position in the South Pacific provides the alliance with unique intelligence coverage of a region of growing strategic importance, including the Pacific Islands, Southeast Asia, and Antarctic communications.[23]
The depth of Five Eyes integration means that intelligence collected by any member is potentially available to all five. For privacy, this has a significant implication: even if New Zealand’s domestic law prohibits certain types of surveillance of its own citizens, intelligence on those citizens may be collected by partner agencies and shared back through the alliance. The ISA 2017 addresses this in part by requiring intelligence warrants to authorize requests to foreign governments, but the practical boundaries of alliance-based intelligence sharing remain opaque.
Data Retention
New Zealand has made a deliberate policy choice not to enact mandatory data retention legislation. Unlike neighboring Australia, which requires telecommunications providers to retain metadata for two years under the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015, New Zealand imposes no statutory obligation on telcos or internet service providers to retain communications data for law enforcement or intelligence purposes.[24]
This does not mean that law enforcement and intelligence agencies lack access to telecommunications data. Instead, they rely on targeted legal processes:
- Production orders under the Search and Surveillance Act 2012, which compel the production of specific documents or data held by service providers[19]
- Intelligence warrants under the Intelligence and Security Act 2017, which authorize the interception of communications
- Interception capability obligations under TICSA 2013, which require network operators to maintain the technical ability to intercept communications when lawfully required to do so[17]
The absence of mandatory retention has been described as a “sleeping giant” of New Zealand privacy law, a policy gap that has drawn relatively little public attention but has significant implications for both law enforcement effectiveness and individual privacy.[25] Telecommunications providers retain data according to their own commercial policies, which vary by provider and data type, creating an inconsistent landscape for lawful access.
Cable Surveillance and Pacific SIGINT Operations
As the smallest Five Eyes member by population, New Zealand operates signals intelligence infrastructure covering a large geographic area. The GCSB operates cable interception facilities and satellite monitoring stations that provide the alliance with coverage of the South Pacific, Southeast Asia, and Antarctic regions, areas where New Zealand’s geographic position offers unique strategic access.
New Zealand’s Role in Five Eyes SIGINT
Under the UKUSA Agreement, the GCSB is responsible for signals intelligence collection in the South Pacific and portions of Southeast Asia. This division of labor among Five Eyes members means that New Zealand intercepts communications passing through its territory and shares the collected intelligence with the NSA, GCHQ, ASD, and CSE.[23]
New Zealand’s contribution to the alliance is substantial relative to the country’s size. With a population of just over 5 million, New Zealand operates sophisticated signals intelligence infrastructure that monitors a vast geographic area encompassing island nations across the Pacific, communications between Australia and the Americas, and satellite traffic covering the Southern Hemisphere.
Southern Cross Cable and Trans-Pacific Interception
The Southern Cross Cable Network is the primary submarine cable system connecting New Zealand to Australia and the United States, carrying the majority of New Zealand’s international internet traffic. The cable system has landing points in Auckland (New Zealand), Sydney (Australia), and multiple locations on the US West Coast, making it a critical communications link for the South Pacific region.[28]
Documents from the Snowden disclosures indicated that the GCSB has access to traffic passing through cables landing in New Zealand, including the Southern Cross system. This access allows the GCSB to intercept communications between Australia and the United States, as well as traffic from Pacific island nations that route through New Zealand’s infrastructure.
The interception creates a jurisdictional problem: communications between users in Australia and the United States may be intercepted by New Zealand intelligence simply because the Southern Cross Cable provides a routing path through Auckland. These users have no connection to New Zealand beyond the physical path chosen by their internet service providers, yet their communications are subject to GCSB collection under Type 2 warrants (which require ministerial authorization only, with no judicial approval).
Waihopai Satellite Interception Station (Decommissioned 2022)
Waihopai Station’s distinctive white radomes became associated with New Zealand’s participation in mass surveillance, and its ECHELON involvement drew sustained public attention to the country’s role in the Five Eyes signals intelligence network.[20]
The facility operated under the code name FLINTLOCK and provided coverage of Intelsat satellites serving the Pacific region. In 2022, the GCSB announced the facility’s decommissioning, stating that advances in technology and changes in the global communications environment had made the station obsolete.
While Waihopai has been decommissioned, the GCSB continues to conduct signals intelligence collection through cable access and other means. The closure of the satellite facility does not indicate a reduction in New Zealand’s SIGINT capabilities; rather, it reflects a shift in focus from satellite interception to fiber-optic cable access, which now carries the vast majority of international communications.
Pacific Island Nations: Monitoring the Neighborhood
New Zealand’s SIGINT mandate includes monitoring communications from Pacific island nations, many of which are New Zealand’s closest partners and neighbors. Countries such as Fiji, Samoa, Tonga, the Cook Islands, and others route their international communications through cables and satellites that pass through New Zealand-controlled infrastructure or fall within the GCSB’s collection mandate.[29]
This creates a sensitive diplomatic situation: New Zealand provides development aid, security assistance, and technical cooperation to Pacific island nations, while simultaneously conducting signals intelligence collection on their governments, businesses, and citizens. The Intelligence and Security Act 2017’s Type 2 warrant provisions authorize the GCSB to intercept communications from non-New Zealand persons without judicial approval, meaning that monitoring Pacific island communications requires only ministerial authorization, not oversight by the Commissioner of Intelligence Warrants.
GCSB Access to NSA Systems and XKeyscore
Like other Five Eyes members, the GCSB has access to the NSA’s XKeyscore system, allowing New Zealand analysts to search intercepted communications collected by the alliance. XKeyscore provides a searchable database of internet activity, including emails, web browsing, searches, and social media interactions, collected in bulk from cables, satellites, and other sources worldwide.[30]
The GCSB contributes data to this pooled intelligence database, sharing communications intercepted from cables landing in New Zealand and satellite coverage of the South Pacific. In return, GCSB analysts can search intelligence collected by the NSA, GCHQ, ASD, and CSE from around the world. This reciprocal arrangement means that New Zealand’s signals intelligence capabilities extend far beyond what the country could achieve independently, but it also means that communications intercepted by the GCSB are accessible to intelligence analysts in the United States, United Kingdom, Australia, and Canada.
Legal Framework and Oversight Limitations
The GCSB’s cable and satellite interception operates under the Intelligence and Security Act 2017’s Type 1 and Type 2 warrant framework.
This bifurcated system provides strong protections for New Zealanders through the dual-authorization requirement for Type 1 warrants. However, the vast majority of communications intercepted from cables and satellites involve foreign nationals, who are subject only to the less restrictive Type 2 warrant process. A Type 2 warrant authorizing the interception of traffic from the Southern Cross Cable or satellite communications from Pacific island nations requires only the responsible Minister’s approval: no independent judicial review, no proportionality assessment by a court, and no mechanism for affected individuals to challenge their surveillance.
The Inspector-General of Intelligence and Security (IGIS) provides retrospective oversight, reviewing the GCSB’s activities to ensure compliance with the law and ministerial authorizations. However, IGIS reviews are conducted in secret, and only sanitized summaries are published publicly. Individuals whose communications are intercepted receive no notification and have no recourse to challenge their inclusion in GCSB collection.[22]
For Pacific island nations and other foreign targets, New Zealand’s cable and satellite surveillance operates with minimal legal constraints and no transparency. The result is a disparity in surveillance capability and legal recourse: New Zealand intercepts regional communications through its position on cable routes and satellite coverage, while affected countries have no comparable access to New Zealand communications and no legal mechanisms to challenge the interception.
International Data Sharing Agreements
New Zealand participates in extensive international data sharing frameworks that complement its domestic intelligence and law enforcement infrastructure. These agreements allow New Zealand agencies to access data held abroad, while providing foreign agencies with pathways to obtain New Zealand person data through processes that operate outside the Type 1 warrant “double lock” framework.
Five Eyes Intelligence Sharing: Founding Member
As a founding Five Eyes member, the GCSB shares all signals intelligence (SIGINT), human intelligence (HUMINT), military intelligence (MILINT), and geospatial intelligence (GEOINT) with the NSA, GCHQ, CSE, and ASD by default.[31]
Under the alliance’s division of responsibilities, GCSB is responsible for signals intelligence collection in the South Pacific and Southeast Asia. This intelligence is shared automatically with Five Eyes partners, who reciprocate by providing GCSB with access to global intelligence through systems like XKeyscore.
The Five Eyes framework creates a reciprocal surveillance bypass: GCSB can collect data on US, UK, Canadian, or Australian persons and share it with those countries’ intelligence agencies, circumventing restrictions on domestic surveillance. Conversely, the NSA, GCHQ, CSE, and ASD can collect on New Zealand persons and share with GCSB, bypassing the Intelligence and Security Act’s Type 1 warrant requirements for targeting New Zealanders.
According to research, the legal underpinning of Five Eyes intelligence sharing remains “shrouded in mystery,” with no domestic legislation governing intelligence-sharing in New Zealand. Data collected via Five Eyes programs can be shared with law enforcement, potentially bypassing warrant requirements.[32]
M5 Database Sharing: Fingerprints and Criminal Records
M5 Fingerprint Sharing: New Zealand participates in the Five Eyes fingerprint sharing program for visa applications, refugee claims, and immigration processing. New Zealand border authorities can query US, UK, Canadian, and Australian fingerprint and immigration databases in real time.
Criminal Database Sharing Proposal: New Zealand is “still considering” participation in an expanded Five Eyes proposal to query domestic criminal databases of partner countries for immigration purposes. This would allow New Zealand authorities to check criminal records from the other four Five Eyes partners when processing visa applications, a significant expansion beyond intelligence and border control into routine law enforcement records.[33]
CLOUD Act: Anticipated Agreement
Following the United Kingdom (2022) and Australia (2024), New Zealand is anticipated to negotiate a CLOUD Act executive agreement with the United States. Such an agreement would allow New Zealand law enforcement to directly serve legal process on US technology companies to obtain communications data, bypassing traditional MLAT processes and reducing access time from months to days. The agreement would be reciprocal, allowing US authorities to directly request data from New Zealand companies without New Zealand judicial oversight.
Multilateral Frameworks
Interpol I-24/7: New Zealand participates in Interpol’s global information sharing network, processing over 100,000 messages daily across 195 countries. The New Zealand Police use the system for real-time sharing of Red/Blue notices, biometric data, and criminal intelligence.
Egmont Group: The Financial Intelligence Unit of New Zealand participates in the Egmont Group network of 164+ FIUs, sharing financial intelligence on money laundering and terrorist financing under bilateral and multilateral agreements.
The Privacy Backdoor Effect
Despite the Intelligence and Security Act’s Type 1 warrant requirements (ministerial and judicial approval for targeting New Zealanders), international data sharing agreements create alternative pathways:
- Five Eyes Laundering: NSA/GCHQ/ASD/CSE can collect on New Zealand persons and share with GCSB, circumventing Type 1 warrant requirements; GCSB can collect on foreign Five Eyes persons and share with partner agencies
- CLOUD Act Bypass (Anticipated): Once implemented, US authorities could directly request data from NZ companies without Type 1 warrants; NZ authorities could directly request data from US companies without US judicial review
- M5 Database Queries: Border authorities routinely query Five Eyes fingerprint databases without warrants; proposed criminal database expansion would extend this to law enforcement records
For New Zealand persons, this means data nominally protected by the Privacy Act 2020 and Intelligence and Security Act can be accessed through Five Eyes intelligence sharing (default exchange with no notification), anticipated CLOUD Act requests (bypassing the Commissioner of Intelligence Warrants), or M5 database queries (routine border checks). For Pacific island nations whose communications pass through New Zealand cables or infrastructure, the protections are even more limited: Type 2 warrants require only ministerial approval (no judicial oversight) for non-New Zealand persons, and oversight occurs in secret through the IGIS with no individual notification or recourse.
Recent Developments
Privacy Amendment Act 2025
The Privacy Amendment Act 2025 received Royal Assent on September 23, 2025, introducing the new Information Privacy Principle 3A (indirect collection notification). IPP 3A requires agencies to take reasonable steps to ensure that individuals are made aware when their personal information is collected from a source other than the individual. The new principle takes effect on May 1, 2026.[9]
The amendment was motivated in significant part by the need to preserve New Zealand’s EU adequacy status. New Zealand has held EU adequacy recognition since 2012 and is one of only 15 jurisdictions worldwide to do so; the recognition allows the free flow of personal data between the EU and New Zealand without requiring additional safeguards. The European Union identified the absence of an indirect collection notification obligation as a gap during its periodic adequacy review, and the amendment was designed to address this concern and secure continued adequacy.[26]
Biometric Processing Privacy Code
The Biometric Processing Privacy Code, which came into force on November 3, 2025, makes New Zealand one of the first countries in the Asia-Pacific region to establish dedicated legal rules for biometric data processing. Early indications suggest that the Code’s requirements for privacy impact assessments and restrictions on high-risk applications are prompting significant operational changes across both public and private sector agencies as they work toward the August 3, 2026 compliance deadline.[12]
Digital Identity Services Trust Framework
The Digital Identity Services Trust Framework Act 2023, along with its supporting Regulations (2024) and Rules (2024–2025), establishes a voluntary accreditation scheme for digital identity services in New Zealand. The Framework came into effect on July 1, 2024, and covers five categories of digital identity services: information, binding, authentication, credential, and facilitation services. Providers seeking accreditation must demonstrate compliance with technical and operational requirements and relevant legislation, with the rules updated approximately twice yearly to keep pace with technological change.[27]
Commissioner’s Reform Agenda
Privacy Commissioner Michael Webster has publicly outlined a reform agenda that goes well beyond the incremental changes enacted to date. His key advocacy positions include:[3]
- Civil penalty regime: Introducing multimillion-dollar fines for serious privacy violations, bringing New Zealand into line with Australia, the United Kingdom, and the EU
- Right of erasure: Granting individuals the right to request deletion of their personal information, similar to the GDPR’s Article 17
- AI and automated decision-making safeguards: Requiring transparency and accountability when algorithms are used to make decisions that significantly affect individuals
- Enhanced breach notification: Strengthening the existing mandatory breach notification regime
Whether these reforms will be enacted remains uncertain. The current government has not prioritized expanding regulatory powers, and the Privacy Act 2020 took nearly a decade to progress from initial proposals to enactment. In the meantime, New Zealand’s privacy regime continues to rely on a complaint-driven model with limited punitive teeth, a model that Commissioner Webster himself has characterized as inadequate for the scale of modern privacy challenges.
Customer and Product Data Act 2025 (Consumer Data Right)
The Customer and Product Data Act 2025 was enacted on March 29, 2025, establishing New Zealand’s Consumer Data Right (CDR) regime. The Act gives consumers the right to direct businesses holding their data to share it securely with accredited third parties, beginning with the banking sector. The four major banks—ANZ, ASB, BNZ, and Westpac—went live on December 1, 2025, with Kiwibank scheduled to follow in June 2026. The electricity sector is next in line, with designation expected during 2026.[34][35]
The CDR has direct privacy implications: while it empowers consumers with greater control over their data, it also creates new data-sharing pathways that will need to operate within the constraints of the Privacy Act 2020 and its Information Privacy Principles. The accreditation framework for third-party data recipients will be critical in determining whether the CDR strengthens or complicates New Zealand’s privacy landscape.
First National AI Strategy
On July 8, 2025, the New Zealand government released its first national Artificial Intelligence Strategy, taking an explicitly light-touch, principles-based approach and declining to introduce standalone AI legislation. The strategy relies on existing regulatory frameworks, including the Privacy Act 2020 and sector-specific rules, to govern AI deployment. Alongside the strategy, the government published “Responsible AI Guidance for Businesses,” a non-binding set of guidelines intended to help organizations adopt AI responsibly.[36][37]
The decision not to legislate contrasts with the EU’s AI Act and emerging regulatory proposals in Australia and Canada. Commissioner Webster’s earlier calls for AI and automated decision-making safeguards remain unaddressed by binding law, leaving the Privacy Act’s general principles as the primary legal constraint on AI systems that process personal information in New Zealand.
NCSC Mandatory Cybersecurity Standards
On October 30, 2025, the National Cyber Security Centre (NCSC), a division of the GCSB, issued the first mandatory baseline cybersecurity standards for New Zealand government agencies. The framework establishes ten minimum standards aligned to Capability Maturity Model Level 2 (CMM2), covering areas such as access management, vulnerability management, and incident response. Government agencies are required to begin compliance reporting by April 2026.[38]
The mandatory standards represent a significant shift from the previously voluntary approach to government cybersecurity. Given that privacy breaches frequently originate from cybersecurity failures, the standards should have an indirect but meaningful impact on the protection of personal information held by government agencies.
Social Media Under-16 Ban Bill
In October 2025, a member’s bill proposing a ban on social media use by children under 16 was drawn from the parliamentary ballot. The Prime Minister subsequently committed to a government-backed version of the legislation before the 2026 general election, following a similar trajectory to Australia’s Online Safety Amendment (Social Media Minimum Age) Act 2024. The bill raises questions about age verification mechanisms and the privacy implications of requiring platforms to verify the age of all New Zealand users.
Online Harms Select Committee Interim Report
In December 2025, the Education and Workforce Select Committee released its interim report on the harm young New Zealanders encounter online. The report found that online harm is “widespread” among young New Zealanders and recommended the establishment of a single national regulator for online safety, consolidating functions currently spread across multiple agencies. The final report is expected to shape legislation in the lead-up to the 2026 election.[39]
GCSB Sovereign Data Centre
In mid-2025, the GCSB opened a NZD $326 million sovereign data centre at the Whenuapai Air Force base in Auckland. The facility is designed to house New Zealand’s most sensitive classified information for at least 25 years, providing a sovereign alternative to offshore or commercial cloud storage for the country’s intelligence and security data. The data centre underscores New Zealand’s dual approach to data sovereignty: advocating for privacy protections for citizens while simultaneously expanding domestic infrastructure for classified intelligence operations.[40]
Manage My Health Breach Details
Further details emerged regarding the Manage My Health cyber incident that prompted the Privacy Commissioner’s formal inquiry in January 2026. The breach affected between 108,000 and 126,000 users of the health platform, with compromised data including sensitive health records. The breach was attributed to a threat actor operating under the name “Kazu,” who reportedly demanded a NZD $60,000 ransom. The Commissioner set a Phase 1 investigation deadline of April 30, 2026. The incident highlights the vulnerability of health data in New Zealand and the limited deterrent effect of the current NZD $10,000 maximum penalty for breach notification failures.
PAK’nSAVE CCTV Breach
On December 17, 2025, a privacy breach was disclosed involving PAK’nSAVE supermarket stores, where security guards were found to have captured CCTV footage on personal phones and disclosed the recordings outside authorized channels. The incident followed the Commissioner’s earlier public naming of PAK’nSAVE for Privacy Act breaches and illustrates ongoing compliance challenges in the retail sector, particularly around employee handling of surveillance footage and the gap between organizational privacy policies and frontline practice.
Breach Notification Statistics and Enforcement Reform Pressure
Breach notification volumes continued to rise sharply: serious privacy breach notifications increased 43% to approximately 600 in the latest reporting period. An OPC-commissioned survey found that 75% of New Zealanders support granting the Privacy Commissioner audit and fine powers, adding public mandate to Commissioner Webster’s advocacy for a civil penalty regime. The rising breach volumes and strong public support for enforcement reform may increase political pressure for legislative change ahead of the 2026 election.
IGIS 2025–26 Work Programme
The Inspector-General of Intelligence and Security (IGIS) published its 2025–26 work programme, which includes reviews of intelligence requests from Five Eyes partner agencies and oversight of the GCSB’s new sovereign data centre at Whenuapai. The programme signals increased scrutiny of the procedures by which partner agencies request New Zealand intelligence assistance, a mechanism that has been identified as a potential pathway for circumventing domestic warrant protections. The IGIS’s oversight of the data centre will examine how classified information is stored, accessed, and shared within Five Eyes frameworks from the new facility.
