AI and Privacy in New Zealand: a practical guide

Staff Editor 2026-05-20

AI and Privacy in New Zealand: a practical guide

https://www.bellgully.com/insights/ai-and-privacy-in-new-zealand-a-practical-guide/

Publish Date: 2026-05-20 00:10:00

Source Domain: www.bellgully.com

As AI adoption accelerates, understanding how New Zealand privacy law applies in practice is becoming increasingly important.

In this second article in Bell Gully’s AI Series, we examine the key privacy risks across the AI lifecycle – from training data and inputs, processing and inference, to outputs and retention – and set out practical steps for managing them.

New Zealand privacy laws – where are the risks?
New Zealand has so far taken a relatively ‘light touch’ approach to AI regulation, preferring to rely on existing legal frameworks rather than introducing AI-specific rules1.  As such, the Privacy Act 2020 and its Information Privacy Principles (IPPs) remain the core framework for privacy considerations related to AI.

While the Privacy Act does not refer specifically to AI, many of the IPPs have direct relevance to various aspects of the development and use of AI tools. In addition, where an AI system processes biometric information (for example, facial recognition technology) the recently introduced Biometric Processing Privacy Code 2025 imposes further obligations, including mandatory proportionality assessments before using biometrics and enhanced transparency requirements2.

Understanding where those risks are most likely to emerge, and which IPPs may be engaged at each stage in the AI development life cycle, can help organisations identify and manage privacy obligations more effectively. We consider some of the key risk areas below.

1. Collection of training data
AI systems are often trained using large datasets, which may include personal information collected from customers, employees or third-party providers. This is relevant to IPP 1 which requires personal information to be collected only where it is necessary for a lawful purpose connected with the agency’s functions or activities. AI development can create tension with this principle where organisations collect or retain large volumes of information on a speculative basis and on the…

Source

More Stories

Christine Van Geyn: Privacy isn’t a crime, but Bill C-22 acts like it is

Christine Van Geyn: Privacy isn’t a crime, but Bill C-22 acts like it is

Staff Editor 2026-06-06
“I feel like that monkey”: Paul McCartney on maintaining privacy and the “luxury” of modern songwriting – Music News

“I feel like that monkey”: Paul McCartney on maintaining privacy and the “luxury” of modern songwriting – Music News

Staff Editor 2026-06-06
Meta quietly adds facial recognition ‘NameTag’ to smart glasses, raising privacy concerns

Meta quietly adds facial recognition ‘NameTag’ to smart glasses, raising privacy concerns

Staff Editor 2026-06-06

Terms and Conditions - Privacy Policy