New Zealand: Implemented Privacy Act 2020 including cross-border data transfer regulation (Act 2020 No. 31)

On 1 December 2020, the Privacy Act 2020 (Act No. 31), including cross-border data transfer regulation, entered into force. Agencies can transfer personal information overseas if the recipient is subject to privacy laws or contractual obligations providing safeguards comparable to the New Zealand Privacy Act. If such protections are not in place, the individuals have to provide informed consent for their data to be transferred. The Privacy Commissioner can prohibit transborder dataflows if the information received from another state is likely to be sent to a third state that lacks comparable safeguards, potentially violating the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the Privacy Act's basic principles.