Privacy Act review 2026: what changes are on the horizon

The Minister of Justice has announced a comprehensive review of the Privacy Act 2020, with a discussion document expected in mid-2026. This review comes six years after the Act replaced the Privacy Act 1993 and follows several years of rapid technological change.

Expected focus areas

AI and automated decision-making. The review is expected to consider how the Privacy Act should regulate automated decision-making, including AI systems that process personal information. This could include new transparency requirements when decisions affecting individuals are made using third-party data.

Increased penalties. Following the 2024 amendment that raised penalties to $50,000, there is discussion about further increases to bring NZ closer to international standards. Australia's privacy penalties reach into the millions.

Expanded notification obligations. The review may consider expanding IPP3A to require more specific notification — not just that collection occurred, but the specific data points collected and the algorithmic processes applied.

Children's data. Special protections for children's data, similar to those in the UK Age Appropriate Design Code, are on the table.

How to prepare

• Review your current compliance processes and ensure they are robust.

• Document your data flows — especially where personal information is processed by AI or automated systems.

• Ensure your IPP3A evidence trail covers the specific information collected, not just the fact of collection.

• Use DEIS to maintain a comprehensive compliance record that will meet current and likely future requirements.