Does the Privacy Act apply to organisations based overseas?

Any organisation operating in New Zealand is required to comply with the Privacy Act, regardless of where the organisation is based. Any agency which provides services to New Zealanders and/or collects their personal information for its own purposes is subject to the Privacy Act.

This means organisations, even if they are based overseas, have all the same legal obligations as New Zealand organisations. They will need to comply with the Privacy Act principles, which set out how personal information must be handled, and will have to have a privacy officer, provide privacy statements, etc.

You can read this blog post as an illustration of how the Privacy Act applies to Facebook. For example, section 23 of the Privacy Act 2020 states that, for the purposes of access rights in principle 6, information held by an agency includes information held by that agency outside New Zealand.

Updated December 2020