Detailed overview
New Zealand does not currently have a single comprehensive AI Act. AI is regulated through existing law, especially privacy law, public-sector algorithm governance, consumer law, employment law, human-rights law and sector-specific regulation.
Privacy Act 2020
The New Zealand Privacy Commissioner states that the Privacy Act 2020 applies to organisations using AI tools where personal information is involved. This includes AI systems used for profiling, automated recommendations, decision support, recruitment, customer analytics, identity verification, fraud detection, generative AI prompts and other personal-information processing.
Organisations using AI with personal information should assess privacy risks before use. The Privacy Commissioner recommends privacy impact assessments for AI tools, particularly where the system processes sensitive information, uses personal data for training, makes or supports significant decisions, or may affect people's rights and interests.
Generative AI
Generative AI is also covered by the Privacy Act where it involves personal information. This may occur when personal information is submitted in prompts, used in training or fine-tuning, generated in outputs, stored in logs, or shared with third-party AI providers. Individuals may complain to the Privacy Commissioner where AI use breaches privacy law.
Algorithm Charter
New Zealand also has a public-sector Algorithm Charter. It is a government commitment to use algorithms in a fair, ethical and transparent way. The Charter requires participating agencies to explain how algorithms are used, identify and manage bias, maintain human oversight, consider privacy and ethics, and ensure appropriate governance.
Penalties
New Zealand does not have a single AI-specific table of fines. Penalties depend on the underlying legal regime, such as privacy, consumer protection, employment, public-sector duties, financial regulation, healthcare regulation or criminal law.