Detailed overview
New Zealand does not currently have a single comprehensive AI Act. AI is regulated through existing law, especially privacy law, public-sector algorithm governance, consumer law, employment law, human-rights law and sector-specific regulation.
Privacy Act 2020
The New Zealand Privacy Commissioner states that the Privacy Act 2020 applies to organisations using AI tools where personal information is involved. This includes AI systems used for profiling, automated recommendations, decision support, recruitment, customer analytics, identity verification, fraud detection, generative AI prompts and other personal-information processing.
Organisations using AI with personal information should assess privacy risks before use. The Privacy Commissioner recommends privacy impact assessments for AI tools, particularly where the system processes sensitive information, uses personal data for training, makes or supports significant decisions, or may affect people's rights and interests.
Generative AI
Generative AI is also covered by the Privacy Act where it involves personal information. This may occur when personal information is submitted in prompts, used in training or fine-tuning, generated in outputs, stored in logs, or shared with third-party AI providers. Individuals may complain to the Privacy Commissioner where AI use breaches privacy law.
Algorithm Charter
New Zealand also has a public-sector Algorithm Charter. It is a government commitment to use algorithms in a fair, ethical and transparent way. The Charter requires participating agencies to explain how algorithms are used, identify and manage bias, maintain human oversight, consider privacy and ethics, and ensure appropriate governance.
Penalties
New Zealand does not have one AI-specific fine table. Penalties depend on the underlying legal regime, such as privacy, consumer protection, employment, public-sector duties, financial regulation, healthcare regulation or criminal law.
Practical requirements & details
Sourced from the Privacy Act 2020, the OPC's Generative AI guidance and AI implementation guidance, the Algorithm Charter for Aotearoa New Zealand, and the Human Rights Act 1993 and Bill of Rights Act 1990.
Privacy Act 2020 — 13 Information Privacy Principles
- Lawful purpose, collection from individual, collection notice, lawful collection, storage and security, access, correction, accuracy, retention, use limit, disclosure limit, use of unique identifiers, cross-border disclosure.
- AI must satisfy purpose-of-collection, notice, accuracy and disclosure-limit principles — especially for training data scraped from public sources.
OPC generative AI expectations
- Senior leadership sign-off before deploying generative AI involving personal information.
- Privacy impact assessment.
- Lawful, fair and ethical use.
- Transparency to affected individuals.
- Engage Māori on AI affecting Māori data.
- Effective human review of significant decisions.
- Ensure accuracy and avoid harm.
Algorithm Charter (public sector)
- Signatory agencies commit to: transparency about algorithm use; partnering with Māori; focus on people; data, ethics, identifying bias; human oversight; review of algorithm performance.
Penalties
- Privacy Act: civil penalties up to NZD 10,000 per failure to comply with a compliance notice; broader sanctions in the Privacy Amendment Bill 2024.
- Human Rights Act — discrimination remedies before the Human Rights Review Tribunal.
- Sectoral law (FMCA, Consumer Guarantees Act, Fair Trading Act) for AI-driven misconduct.