New Zealand Faces Rising Privacy Risks as Regulator Pushes for a Modern Privacy Act

Key Takeaways

• Rising Privacy Risks: New Zealand saw a 21% jump in privacy complaints and a 43% rise in serious breach notifications in 2024/25.
• Public Concern: Survey findings show strong worry about children’s privacy, AI-driven decisions, and a desire for greater control over personal data.
• Modernization Push: The Privacy Commissioner is calling for updates to the Privacy Act, including a right to erasure, stronger penalties, and safeguards for automated decision-making.
• Cost of Non-Compliance: The average financial settlement for privacy complaints exceeded $7,540 (NZD 13,000), while Tribunal awards averaged $12,180 (NZD 21,000).
• Technology & Trust: New Zealand aims to support innovation, including AI and biometrics, while ensuring privacy protections remain strong and fit for the digital age.

Deep Dive

New Zealand’s privacy regulator is sounding the alarm as privacy complaints and serious breach notifications surge across the country. In its latest Annual Report, the Office of the Privacy Commissioner warned that New Zealanders’ rising anxiety about personal data isn’t just theoretical anymore, it reflects a real increase in harm.

Privacy Commissioner Michael Webster said complaints jumped 21 percent in 2024/25 compared to the previous year, which was already a record-breaker. Serious privacy breaches rose even faster, climbing 43 percent.

New Zealanders are feeling the pressure. The Office’s 2025 Privacy Survey found that:

• 66% see protecting personal privacy as a major concern
• 67% are worried about children’s privacy
• 62% are uneasy about agencies or businesses using AI to make decisions about them
• 82% want more control over how their personal information is collected and used

Webster said the numbers reflect a system that’s coming under strain.

“People are right to worry,” he said. “More needs to be done to improve New Zealanders’ privacy.”

A Framework That Isn’t Keeping Up

New Zealand’s Privacy Act is still grounded in recommendations made back in 2011, before modern biometrics, widespread AI adoption, and large-scale commercial data sharing reshaped the privacy landscape. While many countries have updated their privacy regimes to address these shifts, New Zealand has fallen behind.

Webster said the Act now provides “insufficient incentives” for many organizations to meet even basic privacy requirements. A growing number of agencies lack privacy officers, policies, or internal processes, core controls expected in most modern regulatory environments.

The regulator’s Annual Report shows the consequences:

• The Office handled 1,598 complaints, often involving real harm
• Privacy breach notifications reached 1,093
• The average financial settlement for complaints resolved through the Office exceeded $7,540 (NZD 13,000)
• Tribunal-awarded damages for emotional harm averaged more than $12,180 (NZD 21,000)

For businesses and agencies, weak privacy governance is becoming expensive.

A Push for Modernization

The Office is renewing its call for targeted updates to the Privacy Act, changes designed to bring New Zealand’s privacy protections in line with current risks and international standards.

The proposed reforms include:

• A right to erasure, allowing individuals to ask organizations to delete their personal data
• A stronger penalty regime to incentivize compliance
• Requirements for agencies to demonstrate compliance, such as through privacy management programs
• Enhanced safeguards for automated decision-making, addressing risks like discriminatory outputs or opaque logic

Public backing for reform is strong. Three-quarters of survey respondents said the Privacy Commissioner should have the ability to audit agencies, issue infringement fines, and ask courts to impose larger penalties for serious breaches.

Privacy and Innovation Don’t Have to Be Opposites

Webster also used the Annual Report to challenge a long-standing misconception, the idea that privacy and progress are mutually exclusive.

He argued that privacy is not an either/or trade-off but an “and”—something that must be protected while new technologies are adopted, while AI is deployed in the health sector, and while biometrics are implemented in business and government services.

Examples from the past year reinforce that approach:

• The Office approved Foodstuffs North Island’s live facial recognition trial, while issuing expectations for privacy-safe implementation
• It introduced the Biometric Processing Privacy Code, establishing a legal framework for the sensitive handling of biometric data
• It issued extensive guidance, including new resources on children’s privacy and upcoming rules on indirect notification
• It engaged with Māori through a newly established Māori Reference Panel, embedding te ao Māori perspectives into privacy policy and system design

A System at a Crossroads

The Commissioner emphasized that privacy protections benefit everyone, individuals, businesses, agencies, and society as a whole. When privacy is taken seriously, trust increases, breaches decrease, and organizations face fewer financial and reputational consequences.

But the growing volume of incidents and complaints makes the need for reform more urgent. Without modernization, the Privacy Act risks becoming increasingly ineffective in a digital environment where data flows are faster, more complex, and more consequential than ever.

“We will continue to advocate for changes to make the Privacy Act fit for the digital age,” Webster said. “New Zealanders want their privacy rights respected and protected and the system needs to evolve to meet that expectation.”

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.