New Zealand is one of the clearest examples of a developed economy that has deliberately chosen not to follow the EU AI Act model. The government confirmed in 2024 that it does not plan a dedicated AI statute, preferring what it describes as a technology neutral, principles based approach built on existing law. That choice does not mean AI is unregulated in New Zealand. It means the obligations are distributed across the Privacy Act 2020, the Human Rights Act 1993, consumer protection law, a voluntary public sector algorithm charter, and a national AI strategy focused on adoption rather than restriction. This guide sets out what each instrument requires and what an operator deploying AI in New Zealand, or exporting AI products to New Zealand customers, should do in 2026.

Key takeaways

  • New Zealand has no AI-specific statute and the government confirmed in 2024 it does not intend to introduce one in the near term, favouring a technology neutral approach built on existing legislation and voluntary guidance.
  • The Algorithm Charter for Aotearoa New Zealand, administered by Stats NZ since 2020, is a voluntary public sector commitment covering transparency, partnership with Maori under Te Tiriti o Waitangi, human oversight, and bias assessment. It binds signatory government agencies only, not private operators.
  • The Privacy Act 2020 has no automated decision-making right equivalent to GDPR Article 22, but its thirteen Information Privacy Principles apply to any personal information an AI system processes, and the Office of the Privacy Commissioner has issued specific generative AI guidance applying those principles to AI use.
  • The Ministry of Business, Innovation and Employment published Responsible AI Guidance for Businesses and, in July 2025, New Zealand's first National AI Strategy, both voluntary, both framed around encouraging AI adoption rather than imposing new compliance obligations.
  • New Zealand companies exporting AI products or services to the European Union must independently assess EU AI Act extraterritorial scope, since New Zealand's domestic settings provide no equivalence with EU obligations.

The New Zealand approach: deliberate, not absent

It is easy to read the absence of an AI-specific statute in New Zealand as a regulatory gap. That is not an accurate description of the government's position. Ministers responsible for the digital economy portfolio stated explicitly in 2024 that New Zealand would not follow the EU AI Act's comprehensive, risk-tiered legislative model, and would instead rely on New Zealand's existing legal framework, supplemented by non-binding guidance, to manage AI-related risk. The stated reasoning is that New Zealand's economy is dominated by small and medium enterprises for whom a compliance regime built around large-scale conformity assessment, of the kind the EU AI Act requires for high-risk systems, would be disproportionate.

This is a genuine policy choice with real consequences for operators. It means there is no New Zealand equivalent of the EU's high-risk system classification, no mandatory conformity assessment, no AI-specific registration requirement, and no AI-specific penalty regime. It also means an operator cannot point to a single, consolidated compliance checklist. Obligations sit inside general law that happens to apply to AI systems the same way it applies to any other business process, and inside guidance documents that carry reputational rather than legal force.

The Algorithm Charter for Aotearoa New Zealand

The Algorithm Charter for Aotearoa New Zealand, launched in 2020 and administered by Stats NZ, is the country's most concrete piece of AI-adjacent governance infrastructure, even though it applies only to the public sector. More than twenty government agencies have signed the Charter, committing to a set of practical undertakings: explaining publicly, in plain language, how and why an algorithm is used in decisions affecting people; identifying and actively managing the risk of unintended bias, including engaging with Maori as Treaty partners on how data about Maori is used in algorithmic systems; retaining meaningful human oversight over decisions with significant impact on individuals; and periodically assessing algorithms against these commitments.

The Charter is not law and does not bind private sector operators. Its practical relevance for operators, including private companies contracting with government agencies, is twofold. First, an agency bound by the Charter will typically require any AI system it procures or relies on to be capable of meeting the Charter's transparency and oversight commitments, which flows into procurement contracts as a de facto technical requirement. Second, the Charter functions as the clearest public articulation of what New Zealand regulators consider responsible algorithmic governance, and businesses building an AI governance case for insurers, investors, or enterprise customers can reasonably treat its commitments as the domestic benchmark even where no legal obligation compels them to.

The Privacy Act 2020 and automated processing

The Privacy Act 2020 is the instrument most likely to apply directly to a private operator's AI system in New Zealand, because most consequential AI use cases involve processing personal information. The Act is built around thirteen Information Privacy Principles covering collection, use, disclosure, storage, and correction of personal information, enforced by the Office of the Privacy Commissioner (OPC).

Unlike the GDPR, the Privacy Act 2020 does not contain a dedicated automated decision-making provision granting individuals a right to human review or an explanation of algorithmic logic. Automated AI processing of personal information is instead governed by the same Information Privacy Principles that apply to any other processing activity. Principle 1 requires that personal information is collected only for a lawful purpose connected to a function of the agency. Principle 10 restricts use of personal information for a purpose other than the one for which it was collected, which is directly relevant where an AI system repurposes data collected for one function to train or fine-tune a model for another. Principle 5 requires reasonable security safeguards, which the OPC has indicated extends to safeguards against model inversion, data leakage, and other AI-specific security risks.

The OPC issued specific guidance addressing generative AI use, setting expectations that agencies and businesses assess privacy risk before deploying generative AI tools, avoid inputting personal information into public AI tools without assessing the vendor's data handling practices, and maintain accountability for outputs generated using personal information regardless of which AI tool produced them. This guidance is not binding law but signals how the OPC is likely to interpret the existing Information Privacy Principles when investigating AI-related complaints, and reflects an approach broadly consistent with how EU and UK data protection regulators have approached AI within their own automated decision-making and general data protection frameworks. For the EU comparison, see the Article 14 human oversight guide on agentliability.eu.

The Human Rights Act 1993 and algorithmic discrimination

The Human Rights Act 1993 prohibits discrimination on prohibited grounds including age, sex, race, disability, and several others, in specified areas of public life including employment, provision of goods and services, and access to facilities. The Act does not distinguish between discrimination arising from a human decision and discrimination arising from an algorithmic or AI-assisted decision. An AI hiring tool, credit scoring model, or insurance underwriting system that produces a disparate outcome on a prohibited ground exposes the operator to a complaint before the Human Rights Commission and, ultimately, proceedings before the Human Rights Review Tribunal, on the same basis as a human decision-maker would face.

The practical risk for AI-specific deployments is scale. A human recruiter with an undetected bias affects a limited number of decisions. An AI hiring or screening tool with an equivalent bias, deployed across an entire applicant pool, can produce a systemic pattern of discriminatory outcomes before anyone notices, and that pattern is precisely what regulators and plaintiffs' counsel look for when building a discrimination case. Operators using AI in employment, lending, insurance, or service access decisions should document bias testing as a standard part of deployment, both to reduce the underlying risk and to have evidence available if a complaint is made.

Responsible AI Guidance for Businesses and the 2025 National AI Strategy

The Ministry of Business, Innovation and Employment (MBIE) has published voluntary Responsible AI Guidance for Businesses, aimed at helping New Zealand businesses, particularly small and medium enterprises, adopt AI in a way that manages foreseeable risk without imposing formal compliance obligations. The guidance covers practical themes including data governance, transparency with customers about AI use, human oversight of consequential decisions, and ongoing monitoring of AI system performance, mirroring the substance of more formal international frameworks including ISO/IEC 42001 without adopting their certification structure.

In July 2025, New Zealand published its first National AI Strategy, led by MBIE under the government's digital economy and science, innovation and technology portfolios. The strategy is explicitly framed around economic growth and AI adoption rather than restriction, encouraging businesses to build AI capability and confirming that New Zealand's existing technology neutral legal settings will remain the primary regulatory mechanism rather than new AI-specific legislation. The strategy references international alignment, including the OECD AI Principles, to which New Zealand adheres as an OECD member, as the touchstone for responsible AI development rather than any domestically legislated standard.

For operators, the practical reading of this strategy is that New Zealand's light-touch settings are a considered policy position rather than a temporary gap likely to be closed by near-term legislation. Businesses should not expect an EU AI Act equivalent to arrive in New Zealand on a comparable timeline, but should also recognise that voluntary guidance, once published by MBIE and referenced by regulators including the OPC and the Human Rights Commission, tends to shape how existing law is actually enforced in practice, even without formal legal force.

New Zealand and the EU AI Act

New Zealand is not a European Union member state and is not directly bound by Regulation (EU) 2024/1689. The EU AI Act nonetheless has extraterritorial reach that is directly relevant to any New Zealand company with EU market exposure. The Regulation applies to providers that place AI systems on the EU market, and to deployers whose AI system outputs are used within the EU, regardless of where the provider or deployer is established. A New Zealand company that sells an AI-enabled product or service to EU customers, or whose AI system's outputs affect persons in the EU, must independently assess whether it falls within the Regulation's scope for that activity, separately from its New Zealand compliance position.

There is no bilateral instrument between New Zealand and the EU that incorporates EU AI Act obligations or creates an equivalence mechanism. New Zealand's technology neutral domestic settings do not reduce or satisfy EU AI Act obligations for a New Zealand company's EU-facing activities. For the full framework, the EU AI Act operator obligations guide on agentliability.eu sets out provider and deployer duties in detail, and the US, EU, and UK liability comparison on this site provides a structured comparison point for New Zealand companies weighing which regime most closely resembles their home settings.

What operators should do now

Given the distributed, non-statutory structure of New Zealand's approach, a practical compliance programme for 2026 should proceed in four steps. First, map every AI system that processes personal information against the thirteen Information Privacy Principles, with particular attention to Principle 1 (purpose of collection), Principle 5 (security safeguards), and Principle 10 (use limitation), and document that mapping in case the Office of the Privacy Commissioner investigates a complaint.

Second, if the business operates in employment, lending, insurance, or any other area covered by the Human Rights Act 1993, implement and document bias testing for any AI system that materially influences a decision about an individual, since scale is what converts an isolated error into a systemic discrimination exposure.

Third, treat the MBIE Responsible AI Guidance for Businesses as a practical baseline even though it is voluntary. Adopting its themes, transparency, human oversight, and ongoing monitoring, produces documentation that satisfies both New Zealand's expectations and the broader international direction reflected in frameworks such as Agent Certified, which maps governance evidence to the dimensions insurers and enterprise customers increasingly ask about regardless of jurisdiction.

Fourth, if the business has any EU-facing activity, conduct a separate EU AI Act scoping exercise. New Zealand's domestic settings provide no shortcut for that analysis, and the two frameworks must be worked through independently. See the frameworks overview for a structured comparison across jurisdictions.

The penalty landscape

New Zealand does not have an AI-specific penalty regime, and this is a deliberate feature of the technology neutral approach rather than an oversight. Penalties instead flow from the general law an AI-related harm falls under. Privacy Act 2020 breaches can result in a compliance notice from the OPC and, since the Act's 2020 reforms, proceedings before the Human Rights Review Tribunal, which can award damages of up to NZD 350,000 in the most serious cases involving significant humiliation, loss of dignity, or injury to feelings. Human Rights Act 1993 discrimination claims proceed through the Human Rights Commission's dispute resolution process and, where unresolved, to the Tribunal, with damages available on a similar basis. The Fair Trading Act 1986 imposes penalties, including fines, for misleading or deceptive conduct, which could apply where an AI system's outputs make false or misleading representations to consumers.

None of these penalty structures approach the scale of the EU AI Act's turnover-based fines, which can reach EUR 35 million or 7 percent of global annual turnover for the most serious violations. For AI liability analysis in markets with more developed penalty regimes, including the insurance and contractual indemnity dimensions relevant to any New Zealand company with international exposure, see the agentliability.eu EU regulatory desk.

Frequently asked questions

Does New Zealand have a dedicated AI law?

No. New Zealand does not have an AI-specific statute and the government confirmed in 2024 that it does not intend to introduce one in the near term. The stated policy is a technology neutral, principles based approach that relies on existing law, including the Privacy Act 2020, the Human Rights Act 1993, and consumer protection legislation, supplemented by voluntary guidance rather than a binding AI-specific regime comparable to the EU AI Act.

What is the Algorithm Charter for Aotearoa New Zealand?

The Algorithm Charter for Aotearoa New Zealand is a voluntary commitment, administered by Stats NZ, that government agencies can sign to formalise how they use algorithms in decisions that affect people. Signatory agencies commit to transparency, partnership with Maori under Te Tiriti o Waitangi where data affects Maori, human oversight of significant algorithmic decisions, and regular bias assessment. It applies only to signatory public sector agencies and does not bind private operators, though it sets an informal benchmark for responsible algorithmic governance.

Does the Privacy Act 2020 give individuals rights over automated decisions?

The Privacy Act 2020 does not contain a standalone automated decision-making right equivalent to Article 22 of the GDPR or the EU AI Act. The thirteen Information Privacy Principles apply generally to any personal information an AI system processes. The Office of the Privacy Commissioner has issued specific generative AI guidance applying those principles to AI use, requiring a lawful basis, use limitation, and reasonable security safeguards regardless of whether an AI system is involved.

Is there an AI-specific penalty regime in New Zealand?

No dedicated AI penalty regime exists. Penalties flow from the underlying law an AI-related harm falls under: Privacy Act compliance notices and Human Rights Review Tribunal damages of up to NZD 350,000 for serious privacy breaches, Human Rights Act discrimination remedies through the Tribunal, and Fair Trading Act penalties for misleading conduct. There is no AI-specific fine structure comparable to the EU AI Act's turnover-based penalties.

References

  1. Stats NZ. Algorithm Charter for Aotearoa New Zealand, launched 2020, signatory agency list and commitments.
  2. Privacy Act 2020 (New Zealand), Information Privacy Principles, Office of the Privacy Commissioner.
  3. Office of the Privacy Commissioner (New Zealand). Guidance on generative artificial intelligence and the Information Privacy Principles.
  4. Human Rights Act 1993 (New Zealand), prohibited grounds of discrimination and Human Rights Review Tribunal jurisdiction.
  5. Ministry of Business, Innovation and Employment (MBIE). Responsible AI Guidance for Businesses.
  6. Ministry of Business, Innovation and Employment (MBIE). New Zealand's National AI Strategy, published July 2025.
  7. Fair Trading Act 1986 (New Zealand), misleading and deceptive conduct provisions.
  8. OECD. OECD Principles on Artificial Intelligence, updated 2024 revision, OECD Legal Instruments OECD/LEGAL/0449.
  9. European Parliament and Council. Regulation (EU) 2024/1689 (EU AI Act), Official Journal of the European Union, 12 July 2024.