The New Zealand Privacy Act 2020 came into force in December 2020 and introduced the most significant update to NZ privacy law in nearly 30 years. It was designed for a data environment that includes AI — and its obligations apply directly to organisations that use AI systems to process personal information about New Zealanders.
Important notice
This page provides general information for educational purposes. It is not legal advice. Organisations should seek independent legal counsel when assessing their Privacy Act obligations in relation to specific AI deployments.
Does the Privacy Act 2020 apply to AI?
Yes. The Privacy Act applies to any agency — which includes businesses, non-profits, government agencies, and community organisations — that collects, holds, uses, or discloses personal information. It does not matter whether a human or an automated AI system is doing the collecting, holding, using, or disclosing.
This means that if your organisation uses an AI system that processes personal information about NZ residents, your organisation must comply with all 13 Information Privacy Principles in relation to that use.
The Privacy Principles most relevant to AI
While all 13 principles apply, the following are most directly relevant to AI deployments:
Purpose of collection
Personal information should only be collected for a lawful purpose connected to the agency's functions, and only if collection is necessary for that purpose. AI systems fed with personal data must have a clear, documented purpose for that data use.
Source of personal information
Personal information should be collected directly from the individual where practicable. AI systems that scrape or aggregate personal information from secondary sources may breach this principle.
Storage and security
Organisations must take reasonable steps to protect personal information from loss, misuse, and disclosure. AI systems — including the infrastructure they run on — must meet appropriate security standards. This is a key argument for sovereign AI: if the AI runs on infrastructure you control, you can directly verify security measures.
Access to personal information
Individuals have the right to access personal information held about them. If an AI system holds personal information — in a knowledge base, conversation log, or derived profile — individuals may request access to that information.
Accuracy
Organisations must not use personal information that is inaccurate or out of date without taking reasonable steps to check accuracy. AI systems that make decisions based on personal information must have processes to ensure that information is current and accurate.
Limits on use of personal information
Personal information collected for one purpose should not be used for an incompatible purpose. An AI system that is given access to HR data to answer staff queries should not use that data to generate management reports without separate authorisation.
Limits on disclosure
Personal information should not be disclosed without the individual's authorisation unless a specific exception applies. AI systems that generate responses containing personal information about third parties may breach this principle.
Disclosure overseas
Personal information should not be disclosed to overseas recipients unless equivalent privacy protections exist. This is the principle that creates the most complexity for cloud AI tools, which process data on overseas infrastructure.
The cross-border question: does cloud AI comply with PP12?
This is the most practically important question for NZ organisations considering AI tools like Microsoft Copilot, ChatGPT Enterprise, or Google Gemini.
Principle 12 says personal information should not be disclosed to an overseas person or entity unless:
When an NZ organisation uses a cloud AI tool that processes personal information on US or other overseas servers, this arguably constitutes a disclosure to an overseas person under PP12 — even if the AI provider contractually commits to data privacy. The Privacy Commissioner's position on this specific question has not been definitively stated, but the risk is real and should be assessed via a Privacy Impact Assessment.
How sovereign AI addresses PP12
When AI runs inside your own NZ infrastructure, personal information is never transmitted to an overseas recipient for processing. PP12 compliance becomes architectural rather than contractual — you can verify it technically, not just rely on vendor commitments.
Breach notification under the Privacy Act 2020
One of the most significant changes introduced by the 2020 Act was mandatory breach notification. Organisations must notify the Privacy Commissioner and affected individuals of any privacy breach that is likely to cause serious harm.
AI-related breaches that may require notification include:
Practical steps for Privacy Act compliance when using AI
Step 1: Privacy Impact Assessment
Assess the privacy implications of any AI deployment before it goes live, particularly for systems handling personal information.
Step 2: Purpose documentation
Document the specific purposes for which personal information is used by the AI system and ensure those purposes are lawful.
Step 3: Data minimisation
Only give the AI access to personal information that is necessary for its purpose. Not every system needs access to full records.
Step 4: Cross-border analysis
Identify whether your AI tool processes personal information on overseas infrastructure and assess PP12 compliance.
Step 5: Audit trail implementation
Ensure all AI interactions involving personal information are logged and accessible for review.
Step 6: Breach response planning
Have a documented process for identifying, assessing, and notifying AI-related privacy breaches.
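The following is an added example, not code from Sovata or from the original page, showing how Steps 2 to 5 can be enforced in the access layer that sits between an AI system and a store of personal information. A purpose register (constructed for the example) lists, for each documented purpose, the fields the AI may receive and the regions where processing is permitted; every request is checked against it, only the registered fields are released, and each decision is written to a hash-chained audit log that records field names but never field values. The HR records, purpose names, and function names are all assumptions made for the illustration. The "Limits on use" principle is handled by refusing any purpose that is not registered, PP12 by refusing any processing region the purpose does not permit, and the "Access to personal information" principle by a lookup that returns every logged event about a given individual.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed purpose register (Step 2). Each registered purpose names the
# fields the AI may receive (Step 3) and the regions where processing may
# occur (Step 4). Illustrative only; not a real policy.
PURPOSE_REGISTER = {
    "staff-helpdesk": {"fields": {"name", "role", "leave_balance"}, "regions": {"nz"}},
    "management-report": {"fields": {"role", "salary_band"}, "regions": {"nz"}},
}

# Constructed HR records with fake values; a real system would query a store.
HR_RECORDS = {
    "emp-001": {
        "name": "A. Example",
        "role": "Analyst",
        "salary_band": "B",
        "leave_balance": 12,
        "ird_number": "000-000-000",  # not in any purpose's field set
    },
}


class PolicyError(Exception):
    """Raised when a request fails the purpose, region or subject check."""


@dataclass
class AuditLog:
    """Append-only, hash-chained log of AI access decisions (Step 5).

    Each event records requester, subject, purpose, processing region, the
    field names released and the decision. Values are deliberately not
    logged, so the audit trail is not a second copy of the personal data.
    """
    entries: list = field(default_factory=list)

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"event": event, "prev": prev, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recompute the chain; an edited or reordered entry breaks it."""
        prev = "0" * 64
        for entry in self.entries:
            body = json.dumps(entry["event"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


def fetch_for_ai(subject_id, purpose, processing_region, requester, log):
    """Release the minimum personal information an AI request needs.

    Checks in order: purpose is registered (limits on use), region is
    permitted for that purpose (PP12), subject exists. Only the purpose's
    fields are returned (Step 3), and every outcome is logged (Step 5).
    """
    event = {
        "requester": requester,
        "subject": subject_id,
        "purpose": purpose,
        "region": processing_region,
        "fields": [],
        "decision": "denied",
    }
    spec = PURPOSE_REGISTER.get(purpose)
    if spec is None:
        event["reason"] = "purpose not registered"
        log.append(event)
        raise PolicyError(event["reason"])
    if processing_region not in spec["regions"]:
        event["reason"] = "processing region not permitted for purpose"
        log.append(event)
        raise PolicyError(event["reason"])
    record = HR_RECORDS.get(subject_id)
    if record is None:
        event["reason"] = "unknown subject"
        log.append(event)
        raise PolicyError(event["reason"])
    minimised = {k: v for k, v in record.items() if k in spec["fields"]}
    event["fields"] = sorted(minimised)
    event["decision"] = "allowed"
    log.append(event)
    return minimised


def access_request(subject_id, log):
    """Support an access request: every logged event about one subject."""
    return [e["event"] for e in log.entries if e["event"]["subject"] == subject_id]


if __name__ == "__main__":
    log = AuditLog()
    print(fetch_for_ai("emp-001", "staff-helpdesk", "nz", "helpdesk-bot", log))
    try:
        fetch_for_ai("emp-001", "staff-helpdesk", "us", "helpdesk-bot", log)
    except PolicyError as exc:
        print("refused:", exc)
    print("audit chain intact:", log.verify())
```

The design choice worth noting is that the register, not the caller, decides which fields and regions are acceptable: an AI given access for staff queries cannot obtain salary bands or send data offshore simply by asking, and the refusal is itself an auditable event. In a real deployment the log would be written to append-only storage and the chain head anchored somewhere the application cannot rewrite; the in-memory list here only shows the mechanism.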
Frequently asked questions
Does the NZ Privacy Act 2020 apply to AI systems?
Yes. The Act applies to any agency that collects, holds, uses, or discloses personal information — including through automated AI systems. All 13 Information Privacy Principles apply regardless of whether processing is automated or human-led.
Can cloud AI tools like Microsoft Copilot comply with the Privacy Act?
They may comply with many Privacy Act obligations through contractual commitments. However, using cloud AI with personal information may engage Principle 12 (cross-border disclosure) if data is processed on overseas infrastructure. A Privacy Impact Assessment is recommended before deploying cloud AI with personal data.
What are the penalties for Privacy Act breaches involving AI?
The Privacy Commissioner can investigate complaints and issue compliance notices. Interfering with privacy can result in proceedings before the Human Rights Review Tribunal. While the Act does not provide for direct fines, reputational and operational harm from a serious breach can be significant — particularly for community organisations that rely on community trust.
Does a Privacy Impact Assessment need to be done for AI?
The Privacy Act does not mandate PIAs, but the Office of the Privacy Commissioner strongly recommends them for high-risk processing activities — which includes most AI deployments involving personal information. Many government and public-sector procurement processes now require a PIA as part of supplier onboarding.
Get Privacy Act-compliant AI for your organisation
Sovata's sovereign AI architecture is designed with NZ Privacy Act 2020 compliance built in — not bolted on. Book a free Discovery Call to understand what compliant AI deployment looks like for your organisation.