OPINION

Calls to strengthen New Zealand's Privacy Act grow amid an increasing number of major breaches

This op-ed considers whether a serious breach of medical records is drawing attention to the question of whether New Zealand's privacy enforcement capabilities are strong enough to deter serious failures in the first place.


Contributors:

Daimhin Warner

CIPP/E

Country Leader, New Zealand, IAPP; Partner

Simply Privacy

Nathan Akhavan-Moossavi

CIPP/E, CIPM, FIP

Senior Manager Non-Financial Risk - Privacy

ANZ NZ

In early December 2025, Aotearoa New Zealand Privacy Commissioner Michael Webster wrote the Privacy Act 2020 "needs further changes to respond to today's needs." It is unlikely he suspected this message would be brought into such sharp focus mere weeks later. 

NZ is not immune to attack

In late 2025, a cyberattack compromised the online patient portal provided to public health organizations by Manage My Health (MMH), which held medical records of about 120,000 patients. Attackers demanding a ransom accessed and downloaded documents stored in the My Health Documents section of the portal and threatened to make them available on the dark web.

The MMH breach is one of the most serious privacy incidents in New Zealand's history, and the latest in a number of high-profile privacy breaches since the 2020 law came into effect. The scale of the incident and the sensitivity of the health information involved have understandably generated public concern. 

On 22 Feb., MediMap — a private portal used by aged-care homes, hospices, disability services and community health providers to coordinate prescriptions and record medication histories — was taken offline after it was discovered that some patient records had been tampered with by an unauthorized actor. MediMap's early investigations identified changes to fields including names, birthdates, assigned prescriber, location of care and resident status, with some living patients incorrectly marked as "deceased."  

For privacy professionals, these events are unsettling not only because of the direct impact on individuals and clinical operations, but also because they suggest a broader pattern of cyber risk in health tech that goes beyond isolated vendor errors. The breaches have also drawn attention to a more systemic issue: whether New Zealand's privacy enforcement settings are strong enough to deter serious failures in the first place.

The Privacy Act is falling behind …

The New Zealand Privacy Act was one of the first privacy laws in the world. Passed in 1993, it established a well-regarded, flexible and principles-based regime overseen by a privacy commissioner. In 2020, the Privacy Act was reformed. Changes included the introduction of a notifiable privacy breaches regime. However, lawmakers fell well short of bringing the act into line with global best practice.

A significant gap, which was not addressed in 2020, was the absence of any civil penalties regime for serious breaches. Under the current framework, financial penalties — of up to NZD10,000 — are available only in relation to a small number of offenses, including a failure to notify the privacy commissioner of a serious privacy breach. However, there are no financial penalties at all for breaching the information privacy principles in the first place, such as a failure to take reasonable steps to protect personal information.

While the Human Rights Review Tribunal can award damages of up to NZD350,000 to an aggrieved individual, which could really add up in the case of a class action, this is a lengthy judicial process that requires a referral from the privacy commissioner — or a decision by the commissioner not to investigate a complaint further, which allows the individual to lodge a claim themselves.

Further, damages awards are not punitive in nature; they require a complainant to prove harm. Thus far, this has not proved to be a significant catalyst for privacy uplift. 

… while other countries stride ahead

Most major overseas privacy laws now include civil penalties regimes. Brazil, China and Singapore have all introduced legislation that includes significant financial penalties, with most modeled on the approach taken in the EU General Data Protection Regulation. 

Closer to home, following reforms to the Australian Privacy Act 1988, the Office of the Australian Information Commissioner can pursue very substantial civil penalties for serious or repeated privacy interferences. Maximum penalties can reach up to AUD50 million, a multiple of the benefit obtained or a percentage of annual turnover. 

This gap is not sustainable

The Office of the Privacy Commissioner's (OPC) 2024-25 Annual Report noted a 43% increase in the number of serious privacy breaches notified to the regulator. Within this context, the OPC was clear that the need for change to the act is increasingly urgent.

It is clear — and recent breaches further emphasize — that privacy is not being given the attention it deserves in New Zealand. Of course, reputational risk is a major concern for many organizations. However, this alone is not enough. The lack of any real financial consequences for serious privacy breaches means privacy loses out to other board-level financial and regulatory risks. The incentive to invest properly in privacy is simply not there. 

The longer this gap continues, the greater the risk New Zealand could lose its coveted EU adequacy status. Losing EU adequacy could impact New Zealand's reputation and power in the global economy and prejudice our growing technology and innovation sector. 

The call for change is becoming a clamor 

Anyone who has been following these breaches will have seen many commentators pushing for increased legislative powers for the OPC. Individuals and organizations across New Zealand are joining the OPC in calling for the introduction of financial penalties for serious breaches. An opposition member of Parliament has agreed to present a petition calling for strengthened enforcement powers and penalties for privacy breaches. 

In the aftermath of the MediMap breach, NZ's Prime Minister Christopher Luxon publicly underscored the need to "strengthen our cybersecurity laws." This was followed 27 Feb. by the publication of NZ's Cyber Security Strategy 2026-2030, with the vision of a New Zealand that embraces "cyber security to enable innovation, drive a prosperous economy and protect our digital way of life." 

This strategy, and the associated Cyber Security Action Plan 2026-2027, provides the first concrete signs that the NZ Privacy Act might finally be strengthened. The Action Plan tasks the Ministry of Justice with providing advice on: options to incentivize the protection of personal information from cyber threats, such as introducing a civil pecuniary penalty regime to the Privacy Act; and a potential new offense targeted at people who view, possess or disseminate personal information when they are aware it has been illegally obtained. 

Many organizations will disagree with claims that they are not taking privacy seriously and no doubt many organizations do have robust privacy controls in place. However, the recent flurry of serious privacy breaches hitting the headlines seems to tell a different story. Certainly, reputational risk alone will not be enough to incentivize improvements in privacy and cyber practices, and a general uplift in baseline expectation is needed. 

Without a civil penalties regime, privacy practices will be slower to improve, and New Zealanders will be at increasing risk of serious privacy breaches. While not a silver bullet, such a regime must be part of New Zealand's legislative toolkit for addressing privacy and cyber failures. Without it, New Zealand's global reputation will suffer.
