Technology and Outsourcing 2025

NEW ZEALAND Law and Practice Contributed by: Liz Blythe, Troy Pilkington, Emma Peterson and Craig Shrive, Russell McVeagh

Consumer Data Right

The Customer and Product Data Act 2025, which establishes New Zealand’s consumer data right (CDR) framework, became law in March 2025. Once implemented, the CDR will provide individuals and businesses with a statutory right to require data holders to share information held about them with trusted third parties and the right to require them to carry out certain actions on the relevant individual’s or business’s behalf.

The government has announced that banking will be the first sector in scope for the CDR and has consulted industry on designating electricity next. Regarding the banking sector, the Ministry of Business, Innovation and Employment has announced that the banking regulations to be issued under the Act are anticipated to come into effect from December 2025.

2.3 Restrictions on Data Processing or Data Security

Organisations must comply with the Privacy Act 2020 and the Privacy Regulations 2020 (the “Privacy Act”). New Zealand organisations must ensure that they comply with the information privacy principles in the Privacy Act 2020, which govern the rights of individuals in relation to their personal information.

The Privacy Act includes a number of regulatory requirements relevant to outsourcing services and technology transactions.
These include:

• restrictions on cross-border transfers of personal information, whereby agencies may only transfer personal information overseas if certain exceptions under the Privacy Act apply – noting that the export of personal information to a third party (eg, a cloud service provider) that merely holds that data as an agent on behalf of the first party (eg, for safe custody) is expressly excluded from the restrictions on cross-border transfers if the third party only stores or processes the personal information on the relevant agency’s behalf (and not for the third party’s own purposes);
• a mandatory breach notification regime for certain notifiable privacy breaches, which requires an organisation to:
  (a) notify the New Zealand Privacy Commissioner (and, in most cases, the individuals concerned) as soon as practicable after becoming aware of the breach; or
  (b) make a public notification regarding the breach;
• public notifications to be published on an internet website maintained by the organisation and in at least one other medium, with a range of requirements for the content of the notice (including a description of the breach and notification of the right to complain about the breach);
• specific reference to foreign agencies, expressly bringing them within the scope of the Privacy Act to the extent that they undertake regulated activities in the course of carrying out business in New Zealand; and
• clarification that the Privacy Act will apply to all actions by a New Zealand agency, whether inside or outside New Zealand.

In 2023, a bill was introduced in Parliament to amend the Privacy Act, whereby the notification requirements under the Privacy Act will be broadened so that they apply to the collection of personal information about an individual by agencies indirectly through a third party, rather than directly from the individual concerned. The bill’s third reading in April 2025 was interrupted and it still awaits royal assent. Following enactment, agencies that obtain personal information indirectly from other agencies after 1 May 2026 will be subject to additional compliance requirements under the Privacy Act.

Additionally, New Zealand organisations that process the personal data of people residing in the UK or the EU are required to comply with the UK or EU General Data Protection Regulation (GDPR) (as applicable) in some circumstances – for example, where those businesses offer goods and/or services to such people residing in the EU or the UK.

In August 2025, the OPC released a new Biometric Processing Privacy Code (Code).
The Code applies to all agencies regulated by the Privacy Act 2020 that collect or use biometric information (such as fingerprints or facial images) to verify, identify or categorise individuals using automated systems. Certain excep -
