Privacy Under Pressure: Navigating New Zealand’s Evolving Privacy and Cyber Landscape

Published by Anthony Cooke, Partner, Atmos New Zealand and Hamish Krebs, Executive Director, Digital Forensics and Incident Response, CyberCX on 12 May 2025

New Zealand Privacy Week acts as a reminder that organisations increasingly operate in a climate of rising privacy expectations, rapid digital transformation, and a sharp uptick in cyber threats.

These pressures, combined with new legislative reforms and international regulatory alignment, create a complex environment where legal compliance and cyber security must go hand in hand.

Against this shifting privacy landscape, Atmos and CyberCX have unpacked the latest legal reforms and their practical implications for regulatory risk, cyber exposure, and operational readiness.

Key Changes and Their Implications

Incident Awareness – Statutes Amendment Bill

• Objective: Clarifies that organisations subject to the Privacy Act 2020 (Privacy Act) remain legally responsible for privacy breaches that are known to or caused by their service providers. This reinforces the importance of strong contract terms and timely breach reporting mechanisms.
• Why It Matters: While the Office of the Privacy Commissioner (OPC) expects agencies to notify within 72 hours of becoming aware of a notifiable privacy breach, the proposed amendment to the Privacy Act confirms that the clock starts when the service provider becomes aware – emphasising the need for agencies to have timely and direct visibility into incidents involving their service providers.
• Legal Risk: Without clear contractual obligations, agencies may face liability if a service provider delays reporting a breach – especially where the contract doesn’t set specific timeframes or assign responsibility for breach detection and reporting.
• Cyber Risk: If service providers lack appropriate technical and organisational controls to detect, assess, and escalate breaches quickly, the agency may be blind to high-risk incidents and unable to respond within expected timeframes – especially when weekends and holidays are a factor.
• Read more: Third party compromises remained a top incident type in CyberCX’s Threat Report and an ongoing blind spot for many organisations, underscoring a need to be aware of where your organisation’s data is stored and who you are allowing into your platforms and networks. All organisations should have an Incident Response Plan that accounts for third party breaches.
• Source: Statutes Amendment Bill 80-1 (2024), Government Bill – New Zealand Legislation

Digital Identity – The New Trust Framework

• Objective: To establish a formal trust framework for digital identity providers that imposes baseline privacy, security, and consent standards, enabling safe and reliable identity verification across sectors.
• Why It Matters: As more services shift online, digital identity is becoming a core infrastructure for public and private sector interaction. This framework brings clarity to who can provide identity services and under what obligations. It also raises the bar for how personal information is collected, verified, and stored.
• Legal Risk: Entities offering digital identity services must comply with registration and certification requirements. Failing to meet framework obligations may result in deregistration, reputational damage, or legal exposure for misrepresentation.
• Cyber Risk: Complying with the requirements to be a provider will require strong people, process and technology controls across identity management, protecting data and technologies involved. Weak implementation or insecure identity architecture can become a prime target for threat actors. Exploited identity systems can lead to large-scale fraud or unauthorised access across integrated platforms – potentially affecting all users within a database and undermining the reliability of the trust framework for other uses.
• Read more: CyberCX’s Hack Report revealed that almost half of severe-rated vulnerabilities stemmed from identity and access management weaknesses.
• Source: Digital ID Services Trust Framework Rules

IPP 3A — Planning for indirect notification requirements

• Objective: Introduce a new Information Privacy Principle (IPP 3A) that requires agencies to notify individuals when collecting personal information from third parties (i.e. not directly from the individual), unless a specific exception applies.
• Why It Matters: Indirect collection of personal information is increasingly common, especially with the use of surveillance tools, social media scraping, and third-party analytics. IPP 3A reinforces the right of individuals to know when their data is collected and strengthens transparency and trust in line with the Privacy Act.
• Next Steps: Parliament has indicated that IPP3A will come into force on 1 May 2026.
• Legal Risk: If enacted, agencies that fail to notify individuals of indirect data collection may be in breach of the Privacy Act. This risk is heightened where data is collected through partners or vendors without adequate contract terms or processes in place. The risk also extends to misapplying exceptions or failing to notify “as soon as practicable.”
• Cyber Risk: Without robust data classification, organisations may overlook how staff and systems collect personal information indirectly. Many systems lack monitoring or alerts, increasing the risk of unintentional breaches, missed notifications, and regulatory non-compliance.
• Read more: CyberCX’s Ransomware and Cyber Extortion Guide outlines third-party cyber extortion incidents create significant complexity and pressure. They often carry legal, contractual, and reputational risks – especially when the affected organisation lacks visibility over whose data is involved. Where individuals are unaware their data is being held, meeting notification obligations or managing expectations becomes even more challenging, further compounding the fallout.
• Source: OPC | The Privacy Amendment Bill is coming soon – here’s what you need to know

Biometric Code

• Objective: The OPC plans to introduce a Biometric Code regulating how organisations collect and use biometric data (e.g. facial recognition, fingerprints, voice), requiring necessity, proportionality, and meaningful consent.
• Why It Matters: Biometric data is uniquely identifying and cannot be changed if compromised. Its use is growing including facial recognition in retail, fingerprint access systems in workplaces, voice authentication in banking, and biometric attendance tools in schools and childcare. These use cases are expanding, often without clear justification or transparency.
• Next Steps (Code): Public consultation on the draft IPP 3A closed in mid-2025. The OPC is now reviewing submissions, with updated guidance or a finalised position expected later this year.
• Legal Risk: Organisations that use biometric tools without demonstrating necessity, obtaining valid consent, or ensuring lawful use risk breaching the Privacy Act. Contracts with vendors that provide biometric services must clearly assign responsibility for compliance, security, and breach management.
• Cyber Risk: Biometric data is a high-value target for cybercriminals. Systems collecting this data – often embedded in mobile devices, surveillance platforms, or third-party applications – may be inadequately secured or monitored. A breach could lead to irreversible privacy harm – your biometric data can’t be changed or replaced, like a passport – and long-term identity fraud.
• Source: Office of the Privacy Commissioner | Biometrics

Consumer Data Right (CDR)

• Objective: To create a regulated system for consumer-directed data sharing, beginning with the banking sector.
• Why It Matters: CDR enhances competition and innovation by enabling individuals to safely share their data between providers – but strong privacy and security safeguards are essential.
• Next Steps: Sector-specific regulations are on the way. Businesses in banking and electricity should prepare by reviewing current practices and aligning them with likely compliance requirements.
• Legal Risk: Non-compliance with consent, record-keeping, or secure API obligations may trigger enforcement. Ongoing review and system certification will be required.
• Cyber Risk: Approval to receive CDR data will likely depend on demonstrating strong security. Weak APIs, poor authorisation, or flawed internal processes can lead to data exposure and costly breaches.
• Read more: CyberCX’s Hack Report found that 86% of all severe web findings fell into the category of Insecure Web Application and API Design and Management.
• Source: Customer and Product Data Act 2025

Regulatory Enforcement and Litigation Risk

• Objective: Highlight the increasing regulatory and legal exposure for privacy breaches in New Zealand, including proposed reforms to the civil penalties regime, the rising viability of class actions, and the expanding role of the Human Rights Review Tribunal in enforcing privacy obligations.
• Why It Matters: New Zealand’s privacy enforcement framework is evolving. While the OPC is currently limited to imposing fines of up to $10,000, it is actively seeking reform to align its powers with jurisdictions such as Australia and the EU. In the interim, the OPC can refer matters to the Human Rights Review Tribunal, which has awarded significant damages in cases involving internal mishandling of personal information. Courts are also showing increased willingness to allow representative proceedings under Rule 4.24 of the High Court Rules.
• Legal Risk: Organisations face growing exposure from three directions: potential civil penalties under proposed Privacy Act reforms; rising class actions following major breaches; and Tribunal proceedings for internal privacy failings like unauthorised staff access. Repeat issues, weak breach response, or large affected groups can significantly heighten reputational and financial risk.
• Cyber Risk: Weak breach detection, delayed notifications, inadequate incident response, or poor internal access controls (e.g. over-permissioned users, weak monitoring) materially elevate the risk of regulatory enforcement and litigation. These shortcomings can also damage reputation and increase vulnerability to further attacks by opportunistic threat actors.
• Source: BMN-v-Stonewood-Group-Ltd.pdf | OPC| Greater penalties needed

Responding Proactively

As the privacy landscape in New Zealand continues to evolve, organisations must take a dual-lens approach – legal compliance and cyber resilience are now inseparable. Failure on one or both of these fronts brings reputational consequences.

Atmos is a specialist legal and advisory firm focused on cyber, privacy, and digital risk across New Zealand and Australia. Drawing on over 12 years of experience managing thousands of incidents globally, we understand the unique factors that influence the frequency and impact of cyber events across SMEs, mid-market and enterprise businesses, and government agencies.

Our end-to-end expertise allows us to partner closely with clients and the broader incident response community to proactively build resilience, manage long-tail exposure, and safeguard operations when things go wrong. We also provide practical, informed legal advice on what compliance looks like in real-world scenarios – based on deep experience supporting organisations through complex cybersecurity incidents, and privacy and data protection challenges.

CyberCX is the leading provider of end-to-end cyber security and cloud services. With a workforce of 1,400 cyber security professionals, CyberCX is a trusted partner to private and public sector organisations, helping customers confidently manage cyber risk, respond to incidents, and build resilience in an increasingly complex and challenging threat environment.

CyberCX is accredited as both a security and privacy evaluator under the New Zealand Digital Trust Services Framework and can perform Privacy Impact Assessments, privacy reviews and draft privacy policies.

This article does not constitute legal advice.