
Operating in Australia and New Zealand? Here's What Privacy Law Requires

Australian and NZ privacy laws are similar in structure but have critical differences. Here's what trans-Tasman businesses need to know — and how to stay compliant in both countries.

The Short Answer

If your business operates in both Australia and New Zealand, you're subject to two separate privacy frameworks — the Australian Privacy Act 1988 and the New Zealand Privacy Act 2020. Both are built around 13 privacy principles and mandatory breach notification, but they have important differences that affect what your privacy policy must cover.

The good news: the two frameworks are structurally similar enough that a single well-drafted policy can cover both jurisdictions — if it's written specifically for AU and NZ law, not adapted from a US template.


The Two Frameworks at a Glance

Feature                  | Australia                                          | New Zealand
Legislation              | Privacy Act 1988                                   | Privacy Act 2020
Core principles          | 13 Australian Privacy Principles (APPs)            | 13 Information Privacy Principles (IPPs)
Small business exemption | Yes — under $3M turnover (being removed 2026-2027) | No — all businesses covered regardless of size
Breach notification      | Notifiable Data Breaches (NDB) scheme              | Notifiable Privacy Breach (NPB) scheme
Overseas disclosure      | APP 8                                              | IPP 13
Regulator                | OAIC (oaic.gov.au)                                 | Privacy Commissioner (privacy.org.nz)
Max penalty              | Up to $50M for serious/repeated breaches           | Court-ordered compensation
Statutory tort           | Yes — since June 2025                              | No direct equivalent

Both frameworks apply to any business that collects personal information from individuals in that country — regardless of where the business is based.


Key Differences That Matter for Your Business

1. The Small Business Exemption — Australia Only

Australia's biggest structural difference is the small business exemption: businesses with annual turnover under $3 million are currently exempt from the Privacy Act 1988.

New Zealand has no equivalent exemption. Every NZ business — from a sole trader to a large corporation — is covered by the Privacy Act 2020 from day one.

What this means for trans-Tasman businesses:

  • If you're under $3M turnover and only operating in Australia, you may currently be exempt
  • If you're operating in New Zealand at all, you're covered regardless of size
  • Australia's exemption is being removed under Tranche 2 reforms expected in 2026-2027 — bringing all AU businesses under the same framework as NZ

Read more: OAIC Small Business Exemption Removal — What's Changing

2. Breach Notification — Similar But Different Regulators

Both countries have mandatory breach notification schemes, but they report to different regulators:

  • Australia: Notify the OAIC (oaic.gov.au) and affected individuals
  • New Zealand: Notify the Privacy Commissioner (privacy.org.nz) and affected individuals

The threshold for notification is similar in both — a breach that is likely to cause serious harm to affected individuals. But the penalty regimes differ significantly:

  • Australia has direct financial penalties up to $50 million for serious breaches
  • New Zealand relies primarily on court-ordered compensation and the Privacy Commissioner's enforcement powers

Your privacy policy must reference the correct regulator for each jurisdiction. A policy that only mentions the OAIC isn't compliant for NZ customers, and vice versa.

Read more: The Notifiable Data Breaches Scheme: Complete Guide

3. Overseas Disclosure — Both Countries Have Requirements

Both frameworks restrict sending personal information to overseas recipients without adequate protections:

  • Australia APP 8: Take reasonable steps to ensure overseas recipients will handle information consistently with the APPs — or ensure the individual consents
  • NZ IPP 13: Take reasonable steps to ensure comparable privacy protection before disclosing to overseas recipients

In practice, both requirements are satisfied by the same thing: using reputable overseas service providers (AWS, Stripe, Mailchimp, Google Workspace) and disclosing their use in your privacy policy. But your policy must mention both frameworks' requirements explicitly.

4. Australia's Statutory Tort — NZ Has No Equivalent

Since June 2025, individuals in Australia can sue directly for serious privacy invasions — without needing to prove financial damage. This has created meaningful litigation risk for AU-covered businesses.

New Zealand has no direct equivalent of this statutory tort, though individuals can still complain to the Privacy Commissioner and seek compensation through the Human Rights Review Tribunal.

For trans-Tasman businesses, this means the litigation risk profile is meaningfully higher for your Australian operations than your NZ operations.

5. Terminology Differences

The two frameworks use different terminology for equivalent concepts:

Concept             | Australia                             | New Zealand
Core principles     | Australian Privacy Principles (APPs)  | Information Privacy Principles (IPPs)
Breach notification | Notifiable Data Breaches (NDB) scheme | Notifiable Privacy Breach (NPB) scheme
Regulator           | OAIC                                  | Privacy Commissioner
Response timeframe  | 30 days to assess a breach            | As soon as reasonably practicable

A privacy policy that uses only Australian terminology won't clearly address NZ obligations — and vice versa. A combined policy needs to address both sets of terms.


What Your Privacy Policy Must Cover for Both

A compliant trans-Tasman privacy policy needs to address all requirements of both frameworks. Here's what that means in practice:

Core Principles — Both Sets

Your policy must address all 13 APPs (for Australian customers) and all 13 IPPs (for NZ customers). In practice, the principles are structurally very similar — but the terminology and specific requirements differ enough that a policy needs to explicitly address both.

Breach Notification — Both Schemes

Your policy must explain:

  • What constitutes an eligible data breach / notifiable privacy breach
  • Your obligation to notify the OAIC (Australia) and the Privacy Commissioner (New Zealand)
  • How affected individuals can contact you
  • How affected individuals can contact the relevant regulator in each country

Overseas Disclosure — Both Requirements

If you use overseas service providers (cloud hosting, payment processing, email marketing), your policy must:

  • Disclose that personal information may be transferred overseas
  • Reference compliance with APP 8 (Australia) and IPP 13 (New Zealand)
  • Explain what protections are in place

Contact Details and Complaints — Per Jurisdiction

Your policy should make clear how individuals in each country can:

  • Make a privacy inquiry or complaint to your business
  • Escalate to the relevant regulator (OAIC for AU, Privacy Commissioner for NZ)

Do You Need One Policy or Two?

Both options are valid — and the right choice depends on your business structure.

One Combined Policy

Best for: Businesses that operate seamlessly across both countries, with the same data practices for AU and NZ customers.

A combined policy addresses both frameworks in a single document. It's simpler to maintain and easier for customers to read. The risk is that it can become unwieldy if your AU and NZ practices differ significantly.

What a combined policy looks like: Sections that explicitly reference both the Privacy Act 1988 (AU) and the Privacy Act 2020 (NZ), both the NDB scheme and the NPB scheme, and both regulators.

Two Separate Policies

Best for: Businesses with meaningfully different data practices in each country, or businesses with distinct AU and NZ brands/websites.

Separate policies are cleaner for customers — an NZ customer doesn't need to wade through Australian regulatory references, and vice versa. The downside is double the maintenance overhead.

The Trans-Tasman Bundle Approach

ComplianceKit's Trans-Tasman bundle generates a single combined privacy policy covering both the Privacy Act 1988 (AU) and the Privacy Act 2020 (NZ) — including all 13 APPs, all 13 IPPs, the NDB scheme, and the NPB scheme. With Managed Compliance, both frameworks are kept up to date automatically as either country's law changes.


Common Mistakes Trans-Tasman Businesses Make

1. Using an Australian policy for NZ customers

An AU-only privacy policy doesn't address NZ-specific requirements — particularly IPP 13 (overseas disclosure) and the NPB scheme terminology. NZ customers dealing with a business using an AU-only policy may not understand their rights or how to complain.

2. Using a US-generated policy for both countries

US privacy policy generators miss the AU APPs and NDB scheme as well as the NZ IPPs and NPB scheme. A policy generated by a US tool that "supports international jurisdictions" almost certainly doesn't adequately cover either AU or NZ law.

3. Assuming the AU small business exemption applies to NZ operations

If you're under $3M turnover and relying on the AU small business exemption, that exemption only applies to Australian operations. Your NZ operations are covered by the NZ Privacy Act 2020 regardless of turnover.

4. Only notifying one regulator after a breach

If you experience a data breach affecting both AU and NZ customers, you may need to notify both the OAIC and the NZ Privacy Commissioner. Many businesses don't realise they have dual notification obligations.

5. Not preparing for the AU small business exemption removal

If you're currently relying on the AU small business exemption, Tranche 2 reforms expected in 2026-2027 will remove it. At that point, your AU obligations will align with your existing NZ obligations — making now a good time to get a combined trans-Tasman policy in place.


Summary

Operating across Australia and New Zealand means navigating two privacy frameworks — but they're more similar than different. Both are built around 13 principles and mandatory breach notification. The key differences are:

  • NZ has no small business exemption — all NZ businesses are covered now
  • Different regulators — OAIC (AU) vs Privacy Commissioner (NZ)
  • Different terminology — APPs/NDB scheme (AU) vs IPPs/NPB scheme (NZ)
  • Higher litigation risk in AU — statutory tort in effect since June 2025

A single well-drafted combined policy can cover both jurisdictions — but it needs to be built for AU and NZ law specifically, not adapted from a US template.


Last updated: April 27, 2026

This guide provides general information about Australian and New Zealand privacy law. It is not legal advice. For specific questions about your trans-Tasman compliance obligations, consult a qualified privacy lawyer in the relevant jurisdiction.

Need a Policy That Covers Both?

ComplianceKit's Trans-Tasman bundle generates a single privacy policy covering both the Australian Privacy Act 1988 and the NZ Privacy Act 2020 — all 13 APPs, all 13 IPPs, the NDB scheme, and the NPB scheme. With Managed Compliance, both frameworks stay up to date automatically.
