Privacy Act amendments 2024: what changed and what it means for data users
The Privacy Amendment Act 2024 strengthened enforcement powers and clarified several obligations around third-party data collection.
The Privacy Amendment Act 2024, which received Royal Assent in September 2024, introduced several important changes that directly affect businesses using third-party data sources.
Key changes
Increased penalties. The maximum fine for failing to comply with a compliance notice increased from $10,000 to $50,000 for organisations. This is a significant escalation and signals the Government's intent to take privacy enforcement more seriously.
Clarified IPP3A obligations. The amendment clarified that "reasonable steps" in IPP3A must be proportionate to the sensitivity of the information collected and the potential harm from the collection. This moves away from a one-size-fits-all approach and requires businesses to assess each lookup individually.
Enhanced OPC powers. The Privacy Commissioner now has the power to initiate investigations without a complaint (own-motion investigations). Previously, the OPC needed a complaint to begin an investigation. This means businesses can now be investigated proactively.
Digital notification recognised. The amendment explicitly recognises email, SMS, and in-app notifications as valid methods for IPP3A notification, provided there is evidence of delivery. This is good news for platforms like DEIS that handle notification digitally.
What you should do
- Review your IPP3A compliance processes in light of the "proportionate" standard.
- Ensure your notification records include evidence of delivery, not just evidence of sending.
- Budget for the increased penalty regime — $50,000 is a meaningful amount for most NZ businesses.
- Consider whether your current systems can withstand an own-motion investigation by the OPC.