Strengthening Privacy Protections in New Zealand with the Privacy Act 2020

 |   Maciej Surowiec

New Zealand Landscape

New Zealand’s Parliament has passed today amendments to the Privacy Act with unanimous support of all parties. We welcome these changes and applaud the success of the country’s legislature in working above political divisions when such a fundamental right as privacy is at stake – it’s an encouraging sign of strong democratic foundations in today’s turbulent world.

The new Privacy Act introduces, among other things, several key changes to the law, which bring privacy protections in line with global standards, and strengthen the role of the NZ Privacy Commissioner:

  • The Act clarifies that it applies to all organisations that carry on business in New Zealand, regardless of their place of establishment.
  • The Privacy Commissioner may now issue enforceable compliance notices to organisations where the Commissioner considers the organisation breached the Act.
  • Organisations that suffer a data breach which has caused or has the potential to cause serious harm to affected individuals must notify the Commissioner and affected individuals, and may be subject to criminal penalties for failing to notify the Commissioner without reasonable excuse.

New Zealand can be justifiably proud of today’s development and can now move to the next step of implementing the new regime before it takes effect on 1 December 2020. Since I was based in Brussels at the time, I remember very well that it was a busy period between adopting the European Union’s General Regulation on Data Protection (GDPR) and its entry into force: organisations all over Europe geared up to understand their obligations, establish relevant new processes, and vet technologies to ensure compliance.

Microsoft is committed to making sure that its products and services are fully compliant with the Privacy Act 2020 by 1 December. However, we see our mission to be broader than that: hence, we are committing ourselves to support all our NZ customers in meeting their new obligations.

Microsoft’s privacy vision

At Microsoft, we believe privacy is a fundamental right and we apply this principle to our operations worldwide – including in New Zealand.

This commitment manifests itself in Microsoft taking a proactive, voluntary step by extending core GDPR rights to all our customers worldwide – a commitment we made when GDPR entered into force in May 2018.

In order to help our customers understand and exercise their rights, we built a privacy dashboard where individuals can manage their privacy settings, see what data we have stored, and delete that data if they want to. The dashboard has been used over 28 million times so far.

Finally, we are proud and humbled that NZ’s Privacy Commissioner, after careful consideration of Microsoft Office 365, trusts both our commitments to privacy as well as our industry leading data security enough that he has chosen to store the Office of the Privacy Commissioner’s data in Microsoft data centres.

New set of privacy challenges

There is no such thing as end of history in the privacy world.

We continue to think critically about how technology can continue to evolve while protecting and advancing public interests, and will continue to support the NZ Privacy Commissioner and the NZ Government’s efforts to protect privacy in light of these emerging challenges.


This new decade has begun with a pandemic that nobody expected. COVID-19 is a health crisis and an economic challenge but certain projects, implemented or proposed by various governments, have also led to a number of questions related to the need to ensure privacy protection and social legitimacy while managing crises.

While Microsoft continues to support various COVID-19 related efforts – such as medical research, remote working, or helping those most in need – we also outlined clear privacy-protecting principles, which, we believe, need to be considered while addressing the pandemic.

Facial Recognition Technology

While Facial Recognition Technology (FRT) presents important opportunities, it also brings the potential for abuse.  We have recently seen increased scrutiny and discussion of the trial deployment of FRT by NZ law enforcement, and Microsoft has also been engaged in this discussion in the U.S.

Since 2018, Microsoft’s President, Brad Smith, has urged policymakers to address the issues posed by FRT through regulation, in order to avoid a commercial race to the bottom.  In the absence of U.S. laws to address some of the risks and potential for abuse related to FRT, and ensure that human rights are protected, Microsoft has determined that it will not sell FRT technology to police departments in the U.S. until there is a federal law regulating it.


We also know that there is no privacy without security – hence, we continue on a mission to bring our state-of-the-art technology and threat intelligence from billions of datapoints to protect our customers.

This prompted us recently to extend protection to NZ’s entities engaged in the electoral process against state-sponsored cyberthreats. Also, in March, our Digital Crimes Unit as led a joint operation with 35 governments’ Computer Emergency Response Teams (CERTs), including New Zealand’s CERT.  This operation focused on taking down one of the biggest cybercriminal botnets in the world, which had 8610 victims (distinct unique IPs) and 2 supernodes in New Zealand.

Privacy as an opportunity for an economic recovery?

Aotearoa is in a unique position at the moment with COVID-19 virtually eliminated in the country at this point in time, so I observe with great interest the public debate about the models the country may want to adopt post-pandemic across different fields – in trade, tourism, and education.

As the debate has clearly shifted from health management towards economic recovery, New Zealand will surely and deservedly be attempting to leverage its global brands: bastion of democracy, ease of doing business, corruption-free status, and Pure NZ. Today’s passage of the revised Privacy Act may also allow the country to strengthen the above brands or establish Aotearoa’s new role as a privacy champion in the region.

New Zealand is scheduled to host and chair Asia Pacific Economic Forum in 2021 and will have a unique opportunity to promote privacy towards other regional economies. Privacy protections in line with global best practices can help in economic recovery – they both positively impact investors’ confidence as well as may help a country’s own services-exporting industry reassure their overseas customers that they operate within the parameters of strong privacy laws.

We are looking forward to working further with New Zealand’s Government on these fundamental rights matters and helping our Kiwi customers on their privacy journey.


Maciej Surowiec

Government Affairs Lead – New Zealand

Corporate, External & Legal Affairs (CELA)


To learn more about Microsoft’s approach to privacy, please visit our Trust Center.

Tags: , , , , ,