New Report on Limits of “Consent” in New Zealand’s Data Protection Law

Authors: Elizabeth Santhosh and Dominic Paulger

Elizabeth Santhosh is a current law student at Singapore Management University and an FPF Global Privacy intern.


Today, the Future of Privacy Forum (FPF) and Asian Business Law Institute (ABLI), as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific,” are publishing the fourth in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).

This report provides a detailed overview of relevant laws and regulations in New Zealand, including: 

notice and consent requirements for processing personal data in New Zealand’s data protection law;the status of alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); andstatutory bases for processing personal data without consent and exceptions or derogations from consent requirements in-laws and regulations. 

The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.

New Zealand’s Data Protection Landscape

New Zealand is one of the few jurisdictions in APAC which, together with Hong Kong and Australia, passed comprehensive data protection legislation before the turn of the millennium.

The Privacy Act, which was initially passed in 1993 and repealed then enacted in substantially updated form in 2020, provides the default

Read more

Explore the site

More from the blog

Latest News