Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a New Zealand business, chances are you’re already sending information overseas - even if you don’t realise it.
Using cloud storage, outsourcing payroll, hiring overseas contractors, running email marketing tools, or storing customer details in a CRM can all involve overseas data handling. And once personal information crosses a border (or is accessed from another country), New Zealand privacy law may still have something to say about it.
That’s why the Privacy Act rules around cross-border data transfers are a key part of your compliance toolkit. Getting it right helps you protect your customers, reduce the risk of privacy complaints, and keep your business reputation intact as you grow.
Below, we’ll break down what “cross-border data transfers” actually means under the Privacy Act 2020, what your obligations are, and the practical steps you can take to handle overseas providers properly - without drowning in legal jargon.
What Is A “Cross-Border Data Transfer” In Practice?
In simple terms, a cross-border data transfer is when personal information is disclosed or otherwise made available to a person or organisation outside New Zealand.
For small businesses, this usually happens in day-to-day operations, not as a one-off “international transfer project”. Common examples include:
- Cloud services storing data on overseas servers (or moving data between regions).
- Overseas contractors accessing your customer database or internal systems.
- Customer support teams offshore viewing personal details to resolve tickets.
- Website analytics and tracking tools collecting identifiers and usage data.
- Email marketing and CRM platforms processing subscriber lists and behavioural data.
- Payment processing and fraud detection where data is routed through overseas systems.
It’s also worth noting that “transfer” isn’t just physically sending a spreadsheet to someone overseas. It can include remote access (for example, if an offshore provider logs into your system and views customer information).
If you’re thinking, “This is basically every tool we use,” you’re not wrong. The goal isn’t to stop using global services - it’s to set them up and manage them in a way that meets NZ standards.
What Does The NZ Privacy Act Require For Overseas Disclosures?
New Zealand’s Privacy Act 2020 includes a specific rule for overseas disclosures: Information Privacy Principle 12 (IPP 12).
IPP 12 is the key principle people are referring to when they talk about cross-border data transfers under the Privacy Act. Broadly, it’s designed to prevent businesses from “exporting” personal information to an overseas recipient where protections aren’t comparable - and then treating any overseas misuse or mishandling as “not our problem”.
When Does IPP 12 Apply?
IPP 12 generally applies when your business discloses personal information to a foreign person or entity (for example, an overseas organisation), including disclosures to:
- your overseas service providers (cloud hosting, SaaS platforms, outsourced support);
- your related companies offshore (e.g. a parent company or subsidiary);
- business partners located overseas; and
- other third parties who receive data from you and can use it for their own purposes.
Whether something is a “disclosure” can get nuanced depending on the facts. Under section 11 of the Act, information that a provider holds purely as your “agent” (for example, a hosting or storage provider that processes it only on your instructions and for your purposes) is treated as still being held by you. Passing information to that kind of provider is generally not a “disclosure”, so IPP 12 does not apply in the same way it would for a true third-party recipient. That is not a free pass for overseas hosting, though: IPP 5 still requires you to take reasonable security safeguards for information held on your behalf, so you remain responsible for what the provider does with it and for making sure your contracts and controls are robust.
If you’re not sure how IPP 12 applies to your actual tools and suppliers, it’s a good idea to get tailored Privacy Advice so you can map your data flows properly.
What Safeguards Are We Talking About?
IPP 12 doesn’t just say “take reasonable steps” in the abstract - it sets out specific gateways for disclosing personal information to a foreign person or entity, and you must believe on reasonable grounds that one of them applies. In practical terms, you need to be able to point to the gateway you relied on for each overseas disclosure and (in most common scenarios) to the reason you were confident the recipient is required to protect the information in a way that provides safeguards comparable to New Zealand’s.
Depending on your situation, that confidence (and compliance) usually comes from one (or more) of the following:
- The recipient carries on business in New Zealand and is itself subject to the Privacy Act.
- The recipient is subject to privacy laws that, overall, provide comparable safeguards (including countries prescribed by regulation).
- A binding agreement (contract) requiring the recipient to protect the data in a way that provides comparable safeguards.
- A prescribed binding scheme that applies to the recipient and provides comparable safeguards.
- Customer authorisation, given after the individual has been expressly told that the overseas recipient may not be required to protect the information to a comparable standard (this can be tricky in practice, and you generally don’t want to rely on it as your default).
- A small set of exceptions within the principle itself, such as disclosures necessary to avoid prejudice to the maintenance of the law or to prevent a serious threat to someone’s life, health or safety.
For most small businesses, the most practical and reliable approach is: do your due diligence and lock it down contractually, particularly where a supplier will access or handle customer or employee data. The Office of the Privacy Commissioner publishes model contract clauses for overseas disclosures that you can adapt for this purpose.
A Practical Compliance Checklist For NZ Businesses Using Overseas Providers
If you want a straightforward way to approach cross-border transfers, here’s a process that works well for many NZ SMEs.
1. Identify What Personal Information You’re Handling
Start by listing what you collect and store. This can include:
- customer names, emails, phone numbers and addresses;
- employee information (payroll, bank details, IRD details);
- health information or other sensitive details (if relevant);
- IP addresses, device identifiers and behavioural data from your website; and
- any notes or records that can identify a person.
This matters because higher-risk data needs stronger controls. A mailing list is one thing; medical notes or ID documents are another.
2. Map Where That Data Goes (Including “Invisible” Transfers)
Next, map the tools and people who can access that data. In many businesses, your biggest cross-border exposures are:
- cloud-based business systems;
- storage and backup providers;
- outsourced bookkeeping/payroll;
- IT support and security providers; and
- marketing and analytics platforms.
A good rule of thumb: if a vendor has an “admin portal”, a support team, a published list of sub-processors, or a global server network, assume there may be overseas access unless you’ve confirmed otherwise (for example, by checking their data residency options and where support staff are located).
3. Check The Provider’s Privacy And Security Standards
IPP 12 expects you to rely on an appropriate compliance pathway for overseas disclosures, and in most cases that means being satisfied the recipient will be required to protect the information appropriately. For a small business, that usually means you’ve done a sensible level of due diligence, such as:
- reading the vendor’s privacy and security documentation, including their standard data processing terms;
- checking where data is stored and backed up, and where support and engineering teams who can access it are located;
- asking for independent assurance (e.g. an ISO/IEC 27001 certificate or a SOC 2 Type II report) and checking the basics: encryption in transit and at rest, MFA on staff and admin access, role-based access controls and audit logging;
- checking whether they subcontract processing to other overseas entities (their sub-processor list) and how they notify you of changes; and
- confirming how they handle breaches and incident response, including how quickly they commit to telling you.
You don’t need to become an information security expert overnight, but you should be able to explain (if asked) why you trusted that vendor with personal information.
4. Put The Right Paperwork In Place
Most businesses can’t negotiate every clause with a major software provider, but you can still set yourself up properly by having the right internal and external documents.
At a minimum, your public-facing Privacy Policy should clearly explain:
- what personal information you collect;
- why you collect it;
- who you share it with (including service providers); and
- whether it may be stored or accessed overseas.
Then, where you can negotiate (or where the provider is a contractor you’re directly engaging), you’ll want contractual obligations that align with NZ expectations and your chosen IPP 12 compliance pathway.
What Contracts And Policies Help Manage Cross-Border Transfer Risk?
When you’re dealing with cross-border data flows, contracts and policies are where you turn “we think they’re fine” into “we’ve made it clear what they must do”.
Data Processing Clauses (Or A Dedicated Agreement)
If an overseas provider is processing personal information on your behalf (for example, an outsourced support provider or a specialist contractor), you’ll usually want written terms covering:
- what data they can access and why;
- that they can only use the data on your instructions and for your purposes;
- confidentiality obligations for their staff;
- minimum security standards (encryption, access controls, MFA, logging);
- subcontracting restrictions and notice of new sub-processors;
- breach notification timeframes and cooperation with your investigation;
- a right to audit or to receive their independent assurance reports; and
- data return/deletion at the end of the engagement.
Depending on your setup, this can sit inside a broader services contract, or as a standalone Data Processing Agreement.
Information Security And Internal Rules
Cross-border risk isn’t only about vendors - it’s also about how your team uses tools. An Information Security Policy can help you set baseline standards for:
- passwords and MFA (multi-factor authentication);
- device security and remote work;
- who is allowed access to which systems;
- approved software tools (and what’s banned); and
- how data is stored and shared.
This is especially important if you have staff or contractors working remotely from different countries, or if your team regularly shares files through third-party tools.
Website And Online Business Terms
If your business operates online, data collection can happen through your website and apps (think sign-up forms, account creation, marketing opt-ins, analytics and cookies).
It’s usually smart to align your privacy disclosures with your customer-facing terms too, such as Website Terms and Conditions, so the overall customer experience is consistent and clear.
What Happens If There’s A Privacy Breach In Another Country?
This is where planning ahead really pays off.
If personal information is lost, accessed without authorisation, altered, or disclosed improperly (even by an overseas provider), you may still have obligations in New Zealand. A notifiable privacy breach is one where it is reasonable to believe the breach has caused, or is likely to cause, serious harm to an affected individual. If that threshold is met, you must notify, as soon as practicable after becoming aware of the breach:
- the affected individuals; and
- the Office of the Privacy Commissioner (OPC).
The serious-harm assessment is fact-specific (the type of information, who may have obtained it, and what protections such as encryption were in place all matter), so it’s not something you want to figure out in the middle of a crisis.
For many businesses, the practical approach is:
- have an internal plan for responding to incidents;
- make sure vendors are required to tell you quickly if something happens; and
- document what you did, when, and why.
A good starting point is having a Data Breach Response Plan that fits how your business actually operates, plus a clear process for Data Breach Notification when required.
Just as importantly, if you rely on overseas providers, build breach handling into your supplier onboarding:
- Who do they notify?
- How fast must they notify you?
- What information will they provide?
- Will they cooperate with investigations and remediation?
These aren’t “nice to haves”. If something goes wrong, you’ll be judged on how you responded - and how prepared you were.
Key Takeaways
- Many NZ businesses make overseas disclosures every day through cloud tools, outsourced services, and overseas access - even if they don’t intentionally “transfer” data.
- IPP 12 under the Privacy Act 2020 is the key rule for overseas disclosures, but whether it applies (and which compliance gateway you rely on) can depend on whether the overseas party is receiving the information as a third party or acting purely as your agent - and even where it is your agent, IPP 5 still requires you to keep the information secure.
- For most small businesses, a safe path is doing sensible due diligence on overseas providers and putting contractual protections in place where possible.
- Your Privacy Policy should clearly disclose overseas storage/access where relevant, so customers understand what happens to their data.
- Strong contracts and internal controls (like an Information Security Policy) help you manage risk “from day one” and avoid messy disputes later.
- If a breach happens offshore, you may still have NZ notification obligations - having a Data Breach Response Plan and clear vendor obligations makes responding much easier.
If you’d like help reviewing your cross-border data setup, updating your privacy documents, or getting the right contract terms in place, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.