Data Points

11 April 2024

Privacy and data protection is an evolving area of law as regulators try to keep up with fast-developing technologies, the rapid accumulation of data and increasingly sophisticated cyber-criminals.

It is important to stay on top of these developments. The risk for organisations getting it wrong can be very high – both when the organisation is a victim and when the organisation fails to maintain expected standards of confidentiality and data integrity.

In this edition of Data Points we summarise the latest New Zealand and international privacy and data protection news.



New Zealand



New Zealand 

NZ clears EU adequacy test

The European Commission has determined that the protection of personal data under New Zealand law is sufficient to allow personal information to continue to be transferred from the EU into New Zealand. The Privacy Commissioner is, however, seeking further amendment to the Privacy Act 2020 to future-proof the legislation.
Privacy Commission statement

Briefing to Incoming Minister - Privacy Act needs an update 

The Office of the Privacy Commissioner has used its Briefing to the Incoming Minister to call for a number of amendments to the Privacy Act 2020 including introducing:

  • a right to erasure;
  • greater protections against automated decision making; and
  • higher financial penalties for breaches (the maximum fine available in New Zealand is $10,000 compared to $50m in Australia).

Briefing paper

Latest Kordia Cyber Security Report shows increasing global threat

The latest Kordia Cyber Security Report shows cyber risk continuing to increase. The 25-page analysis is based on an online survey of 219 business leaders between 2 October and 26 November 2023. Among the findings is that full response and recovery from a cyber event took more than a month in 46% of cases.
Kordia report

500,000 number plate scans a day in Auckland

The use of vehicle tracking systems in Auckland is now so widespread that about 500,000 scans are taken a day – either by traffic cameras or by residents parking enforcement. The data base can be accessed by the police.

AI a source of concern in New Zealand

New research shows that New Zealanders are more concerned about the possible effects of AI than are excited by its potential. Privacy Commissioner

AirBnB to ban indoor security cameras worldwide from 30 April

AirBnB will ban the use of indoor security cameras from all AirBnB-listed guest premises worldwide from 30 April this year.

TikTok pixel causing concern

A pixel used by TikTok, although legal, is causing privacy concerns in New Zealand and in Australia.

Privacy Act and CCTV footage

A supermarket’s refusal for privacy reasons to allow a woman whose car was dinged in the customer carpark to look at the CCTV footage so that she could identify the perpetrator drew the Privacy Commissioner into a defence of the Privacy Act. He defended the decision but said the Act would have allowed access to the police or the woman’s insurance company acting on her behalf.
Privacy Commissioner article

Privacy Commissioner inquiry into Foodstuffs’ Facial Recognition Technology (FRT) trial

Foodstuffs has been trialling the use of FRT in its supermarkets since 8 February as part of its response to burgeoning retail crime. The Office of the Privacy Commissioner launched an inquiry into the trial on 4 April to ensure it is justified and is being conducted in a manner that complies with the Privacy Act 2020.  
Privacy Commissioner statement


Textbook response from Te Whatu Ora

Te Whatu Ora offered a textbook response to the breach where an anti-vaxxer on staff released private information without authority.
Te Whatu Ora webpage

MediaWorks data hack

MediaWorks is investigating a data hack covering large numbers of people over several years. The hacker has offered the stolen data for sale on the dark web, with MediaWorks advising affected individuals not to pay if approached.
MediaWorks statement 

Parliament affected by cyber-attack

The offices of Parliament – Parliamentary Service and Parliamentary Counsel - were victim to a China-linked cyberattack in 2021. Other countries, including the United States and the United Kingdom, have imposed sanctions against China in response to its alleged cyber activity.



Official data confirms escalating cyber risk

The latest notifiable breaches report from the Australian Government, covering the second half of 2023, shows an increase over the previous six months of 19% in the number of reported incidents. A key trend was the increased incidence in multiple party breaches, arising from a cloud or software provider malfunction.
Press statement


EU AI Act almost there

The EU has reached provisional agreement on the EU AI Act, the first attempt globally to exert regulatory control over the use of AI technologies. The Act will become law once it has been formally adopted by the EE Parliament and the EU Council.

TikTok under pressure in the US

The US House of Representatives has passed a Bill that would require TikTok’s Chinese owner to divest its US assets in TikTok within six months or have the app banned in the US market.

President Joe Biden says he will pass the law if it comes across his desk but it first has to make it through the Senate and the chances of that are not clear.  


Security vendor fined USD16.5m

Anti-virus vendor Avast has been fined USD16.5m for harvesting and on-selling consumer data without consent.

Large bank fined €2.8m for privacy breach

The Italian data protection authority has fined Unicredit, Italy’s second largest bank, €2.8m for a breach case dating back to 2018.

Related insights

See all insights