A law with no teeth
New Zealand updated its privacy framework in 2020. The Privacy Act 2020 introduced mandatory breach notification, modernised the information privacy principles, and expanded the Commissioner’s compliance notice powers. What it conspicuously did not introduce was any mechanism for the Privacy Commissioner to directly fine an organisation that mishandles personal data.
That gap is no longer academic. The Privacy Commissioner has publicly argued that New Zealand’s privacy enforcement regime is “somewhat out of step” with comparable jurisdictions and that a law change is needed to give his office the power to issue financial penalties. The position is straightforward: reputational consequences alone are not deterring negligent data handling, and the regulatory framework has not kept pace with the explosion in data collection driven by AI adoption and cloud computing.
For every business owner who has treated privacy compliance as a box-ticking exercise, the direction of travel should be uncomfortable.
The enforcement gap is not subtle
The international comparison makes New Zealand look like an outlier, not a leader. Under the EU’s General Data Protection Regulation, organisations face fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher. Australia’s 2022 amendments to its Privacy Act raised the maximum penalty for serious or repeated interferences with privacy to the greater of AUD 50 million, three times the benefit obtained from the conduct, or 30% of adjusted turnover. The UK’s Information Commissioner’s Office can levy fines of up to GBP 17.5 million or 4% of global turnover, whichever is higher. Canada’s proposed Consumer Privacy Protection Act contemplates penalties of up to CAD 25 million or 5% of global revenue.
New Zealand’s strongest regulatory action? A compliance notice. In the most serious cases, a matter can be taken to the Human Rights Review Tribunal, which can award damages to affected individuals but does not impose the kind of regulatory fine that forces boardroom attention offshore. Nowhere does the Privacy Act 2020 give the Commissioner a direct penalty-issuing power.
This asymmetry creates a perverse outcome. A New Zealand company operating in Australia that suffers a data breach affecting customers in both countries faces potential multimillion-dollar exposure for the Australian data and effectively nothing for the New Zealand data. Same breach, same negligence, radically different consequences depending on which country’s law governs the affected record.
AI changed the risk faster than Parliament moved
When the Privacy Act was drafted, most small businesses handled personal data in relatively contained ways: customer databases, employee records, marketing lists. The rapid adoption of AI tools has changed that calculus dramatically. Businesses now feed customer data into AI chatbots, use machine learning for recruitment screening, deploy predictive analytics on purchasing behaviour, and integrate third-party AI platforms that process data across multiple jurisdictions.
Each of those touchpoints represents a privacy exposure that the 2020 legislation was not designed to govern at scale. The mandatory breach notification regime is reactive by nature. It tells you what to do after data is compromised: notify the Commissioner and affected individuals once a breach likely to cause serious harm has occurred. It does nothing to penalise the failure to protect that data in the first place.
High-profile cyber incidents affecting New Zealand organisations have only sharpened the pressure. When breaches make headlines and the regulatory consequence amounts to a compliance notice, public confidence in the framework erodes. The Commissioner’s push for penalty powers is a direct response to that erosion.
SMEs have the most to lose from getting this wrong
New Zealand’s business landscape is overwhelmingly small. Stats NZ data indicates that the vast majority of the country’s enterprises are SMEs without dedicated legal or privacy counsel. A financial penalties regime modelled on the EU or Australian approach without careful calibration for organisational size could impose compliance costs that dwarf the actual privacy risk.
That is the centre-right concern here, and it is legitimate. The principle of penalty powers is sound. Voluntary compliance backed by nothing more than reputational risk has demonstrably failed to keep pace with the data environment. But the design matters enormously. Any regime needs proportionate calibration by business size and breach severity, transparent enforcement criteria, safe harbour provisions for organisations with genuine compliance programmes, and a reasonable transition period.
Businesses that wait for legislation before acting will pay the highest price. The smart move is to treat the Commissioner’s public advocacy as a governance signal, not a distant policy discussion.
What to do before the law forces your hand
Practical steps are not complicated, but they require executive attention. Map what personal information your organisation holds, where it sits, who can access it, and how long you keep it. If you lack a documented breach response plan, you are unlikely to meet the “as soon as practicable” notification requirement that has applied since 1 December 2020, and failing to notify the Commissioner of a notifiable breach is itself an offence carrying a fine of up to NZD 10,000. Any new AI tool or product rollout should include a privacy impact assessment before deployment. Third-party data processors, from cloud providers to marketing platforms, are your liability: under the Act, information held by a processor on your behalf is treated as held by you, and contracts should reflect that.
Most importantly, privacy needs to move from the IT department to the board agenda. When penalty powers arrive, and the regulatory trajectory suggests they will, the directors who never asked the question will be the ones explaining why to shareholders.