The law you’re under
Agents at Work — CC BY 4.0
Most small operators using AI to handle people’s information have a comfortable belief: there’s no AI law here, so there’s nothing to worry about. It’s the most dangerous misread in this whole course. There may be no bespoke “AI Act” in New Zealand — but the law that already exists reaches what your agent does, and “no AI-specific rule” is not the same as “no rules.” This lesson is the map. It is general education, not legal advice — the ground is genuinely unsettled in places, and your specifics deserve a qualified opinion.
New Zealand — general law, and it bites
New Zealand has no equivalent of Europe’s automated-decision rule. The Privacy Act 2020’s thirteen information privacy principles contain no AI or automated-decision provision at all. (The Privacy Commissioner’s five-year review has been considering whether to add safeguards for automated decision-making — so this may change; watch it.) What that means in practice is that AI in hiring and in handling personal data is governed by general privacy law and discrimination law — which apply to you whether or not anyone mentions “AI.”
The Privacy Act principles that bite hardest:
- IPP1 — collect only what you need. You shouldn’t require identifying detail the purpose doesn’t call for. This is the legal grounding under “identity-blind” from Tier 2 — feeding an agent a name, photo or birthdate it doesn’t need to do the job cuts against the principle.
- IPP5 — keep personal information secure, and this expressly covers what you type into an AI tool. The Privacy Commissioner has said plainly that your security duty reaches the prompt. Pasting a customer’s or applicant’s details into a public LLM that may store or train on them is not a grey area — it’s the thing this principle is about. This is the single fact that should stop “we just pasted the CVs into a chatbot” cold.
- IPP8 — accuracy, and IPP11 — limits on disclosure. Whether handing personal information to an outside service (especially offshore) counts as a disclosure needing a lawful basis is genuinely unsettled in New Zealand — no case law yet — which is exactly why you decide it before switching the agent on.
The Human Rights Act 1993 — the one people forget. Section 21 lists the prohibited grounds (sex, age, ethnic or national origins, disability, family status, and more). Section 22 makes it unlawful to refuse a qualified applicant on a prohibited ground — and s22(2) expressly reaches recruiters. Crucially, a disparate-impact outcome can breach it regardless of intent: a screen that’s neutral on its face but falls disproportionately on a protected group can be unlawful even though no one meant to discriminate. That’s why the adverse-impact testing in Tier 3 isn’t optional politeness — it’s how you find out whether you’re on the wrong side of this.
What the Privacy Commissioner expects (guidance, not black-letter law — but it shapes what “reasonable” means): senior-leadership sign-off; a privacy impact assessment before you use the tool; transparency with the people affected; engaging Māori about the risks to the taonga of their information; a genuine human review before acting; and tools that don’t retain or disclose the data. The Commissioner flags AI screening of job applications as having a “not good” track record, warns that a token human-in-the-loop may not cure automation blindness — and says, in as many words: if in doubt, do not use AI tools to handle personal information.
Europe — if you touch even one EU-based candidate
You might think EU law is someone else’s problem. It can reach a New Zealand business through one specific door: not where your business is, but where the output is used. If your agent’s decision is used in respect of a person located in the EU, EU rules can apply to you.
- GDPR Article 22 — solely-automated decisions about a person are prohibited in principle. A hiring decision made solely by machine is the textbook example. What pulls it back out of the prohibition is a genuine, non-token human involvement — someone with the authority and information to reach a different answer. If it’s truly solely-automated, it’s lawful only on narrow bases and always with safeguards (human intervention, the right to express a point of view, an explanation, the right to contest the decision, and anti-bias measures).
- The EU AI Act treats recruitment AI as high-risk. Systems used to recruit or select — to filter applications or evaluate candidates — are named as high-risk, carrying obligations including meaningful human oversight. A system that ranks or filters people does not escape this by claiming to be a “narrow task.” (The Act’s obligations phase in on a transitional timetable; confirm the current commencement dates against the Regulation itself before you rely on a specific date — this field moves fast.)
Where the exposure sits
Put the two jurisdictions together and the same shape appears from both: a decision about a person, made or heavily shaped by a machine, with no genuine human judgment and no test for bias, is where the legal exposure lives — through discrimination law and privacy law here, and through Article 22 and the AI Act if you reach into Europe. “There’s no AI law” was never a defence. The disciplines from the earlier tiers — collect less, keep custody, test for adverse impact, a real human decision, and sometimes don’t automate at all — are not just good practice. They’re how you stay the right side of law that already exists.
Think of a personal-data task you’d give an agent. Which single line above would a lawyer most want to ask you about — the pasted prompt (IPP5), the disparate impact (HRA s22), or the missing human decision (Art 22)? That’s the one to get advice on first.
Next
The law names one obligation that’s also a value: engaging Māori about their data. It deserves its own lesson.
Shared freely, in good faith. If it's been of value, a koha toward development and running costs is warmly welcomed.