What is the regulatory regime for technology?
In New Zealand, there is currently no specific regulatory regime regulating the technology sector. However, certain sub-sectors (for example, telecommunications) do have their own regulatory regimes. In addition, certain New Zealand regulations that apply more broadly also regulate technology services, such as the Privacy Act 2020 and the Unsolicited Electronic Messages Act 2007.
In addition, new legislation currently being considered by Parliament and certain new legislation soon to come into effect is also relevant to technology solutions and services, including the proposed new Consumer Data Right (CDR) and the new unfair contract terms (UCT) regime.
Consumer Data Right:
The Government has confirmed its decision to establish a CDR framework for New Zealand, with legislation to be introduced in late 2022.
Once implemented, the CDR will provide individuals (and potentially also businesses) with a statutory ability to require data holders to share information held about them with trusted third parties and the ability to require them to carry out some form of action on the relevant individual’s behalf.
The Government is still working to identify which sectors should be considered first for designation as in-scope of the CDR. However, it is likely that the banking, electricity and insurance sectors will be the first cabs off the rank on the basis of perceived high search and switch costs.
Unfair contract terms:
New Zealand recently implemented a UCT regime under the Fair Trading Act 1986 with respect to standard form consumer contracts and has recently extended that regime to small trade contracts (this extension will apply from 16 August 2022).
A small trade contract under the regime is a standard form contract where the parties are engaged in trade; is not a consumer contract; and does not comprise or form part of a trading relationship that exceeds an annual $250,000 value threshold when the relationship first arises.
A term will be considered “unfair” under the UCT regime if it:
- would cause a significant imbalance in the parties’ rights and obligations arising under the contract;
- would cause detriment (whether financial or otherwise) to a party if it were applied, enforced or relied on – case law indicates this is a low threshold; and
- is not reasonably necessary in order to protect the legitimate interest of the party who would be advantaged by the term.
Suppliers of technology services and solutions will need to revisit their standard form consumer contracts and B2B small trade contracts to ensure the terms are not in breach of the new regime. In particular, the regulator has focussed on unilateral rights of variation and one-sided liability caps/exclusions benefiting the supplier that meet the above criteria as “unfair”.
Are communications networks or services regulated?
Telecommunications networks and services are subject to access and network security regulation – but no licences or authorisations are required to provide telecommunications services in New Zealand.
The Telecommunications Act 2001 (“Telecommunications Act”) regulates telecommunications services. Certain designated services (such as the unbundled local loop and unbundled bitstream access) are subject to access regulation, under which the Commerce Commission (“Commission”) can set standard terms of supply – including prices. The regime covers copper network and mobile telecommunications services.
The Commission recently established a new regulatory regime for ultra-fast broadband (“UFB”) fibre networks, modelled on “building blocks” regulation used for other utilities. Chorus (the owner of the majority of the UFB fibre network infrastructure in New Zealand) is subject to price-quality regulation (in the form of a revenue cap) for its regulated fibre services, and other local fibre companies will be subject to information disclosure regulation. The price-quality path regime came into effect on 1 January 2022.
As from 1 January 2020, Chorus and other local fibre companies are required to provide unbundled layer 1 or “dark fibre” services. These fibre services are not currently subject to price or quality regulation, but are subject to enforceable equivalence and non-discrimination obligations. Essentially, the services must be provided to third parties on the same terms as those on which the companies consume the services themselves.
Telecommunications network operators have obligations to maintain interception capability and network security under the Telecommunications (Interception Capability and Security) Act 2013 (“TICSA”). Under TICSA, network operators are required to notify the Government Communications Security Bureau (“GCSB”) of any changes that could present a security risk, and the GCSB and Ministers have powers to prevent proposed changes if they believe there is a significant security risk.
Radiocommunications are regulated separately under the Radiocommunications Act 1989 (“Radiocommunications Act”) and the Radiocommunications Regulations 2001 (“Radiocommunications Regulations”), whereby it is unlawful to transmit radio waves without an appropriate licence. Licensing is managed by Radio Spectrum Management (“RSM”).
Is there any specific regulator for the provision of communications-related services?
The Commission regulates the competition and consumer aspects of the telecommunications industry. The two primary functions of the Commission (as specified in the Telecommunications Act) are:
- to regulate the supply of certain fixed-line and mobile services through determining price and minimum terms of access (as above); and
- to monitor and report on competition and consumer quality.
The Telecommunications Commissioner is appointed to have specific responsibility for the Telecommunications sector within the Commission. The Commission is an Independent Crown Entity under the Crown Entities Act 2004 – the class of entity that is most independent from Government. The Commission is required to have regard to government policy directions when exercising its powers, but is statutorily required to exercise its functions and powers independently. Commissioners are appointed by the Governor-General of New Zealand on advice of the responsible Minister of Government.
Radio Spectrum Management (“RSM”) is the division of the Ministry of Business, Innovation and Employment (“MBIE”) responsible for managing non-competition aspects of radio spectrum in New Zealand. As RSM is a branch of MBIE, it is subject to policy direction from and decision-making by the relevant Minister, but its day-to-day operational functions are exercised independently.
Are platform providers (social media, content sharing, information search engines) regulated?
There is no specific regulation of platform providers. General consumer protection and privacy laws apply (e.g. Fair Trading Act 1986 (“Fair Trading Act”), Consumer Guarantees Act 1993 (“Consumer Guarantees Act”), and the Privacy Act 2020 and Privacy Regulations 2020 (“Privacy Act”)).
New Zealand consumer law applies to goods or services provided to people in, or business carried out in, New Zealand. The Commission can regulate such activities, and in doing so can initiate enforcement action against residents of other countries. The Privacy Act is discussed below.
The Harmful Digital Communications Act 2013 applies to online content hosts (including any organisation that hosts websites or social media platforms in New Zealand). Online content hosts may be civilly or criminally liable for the content that is on their website unless they follow a prescribed process, which requires complaints to be received and dealt with in a prescribed way.
In 2019, New Zealand developed the Christchurch Call, which is an action plan that commits government and tech companies to a range of measures in an attempt to make the internet safer. This includes developing tools to prevent the upload of violent content and increasing transparency around the removal and detection of content. The Call is not binding, and there are no legal consequences for parties that fail to comply.
Does a telecoms operator need to be domiciled in the country?
There is no requirement for a telecommunications operator to be domiciled in New Zealand.
Are there any restrictions on foreign ownership of telecoms operators?
While there are no foreign ownership restrictions specific to the telecommunications sector, the Overseas Investment Act 2005 may restrict the ability of foreign persons to control telecommunications network operators. Overseas persons wishing to invest in significant business assets or sensitive land in New Zealand may have to obtain consent from the Overseas Investment Office to do so.
Are there any regulations covering interconnection between operators?
Certain interconnection services (such as mobile termination access and PSTN interconnection) are regulated under the access regime described in section 1.1 above. Regulation applies equally to all providers of the regulated service.
Generally, interconnection is governed by commercial arrangements and industry-led regulation, which is based on codes drafted by the New Zealand Telecommunications Forum (“TCF”). Existing codes addressing operator interconnection include end-user transfer between retailers, IP interconnection, co-siting, premises wiring, interconnection of mobile phone services, public services (such as emergency calling and interception capability) and consumer-related services.
What are the principal consumer protection regulations that apply specifically to telecoms services?
The TCF has established a number of codes for the protection of consumers, in areas such as:
- broadband product disclosure;
- customer complaints;
- customer transfer; and
- disconnection policies.
The Telecommunications Act includes consumer provisions that require the Commission to monitor and report on aspects of retail service quality in telecommunications markets. This includes issues relating to performance, speed and availability, customer service, billing, and installation; and providing information to consumers to help them with their choices of technologies and providers. The Commission is also empowered to create retail service quality codes if industry-led codes are inadequate.
Otherwise, general consumer protection laws apply.
What legal protections are offered in relation to the creators of computer software?
Computer software can be legally protected in two key ways:
Copyright: Copyright protects original works and arises automatically. The underlying source code or machine-readable translation of the object code of original software may be protected by copyright, under the Copyright Act 1994. The duration of protection depends on the category of the work the copyright subsists in.
Patents: Following successful application, patents allow the creator of a new invention exclusive use of that invention for up to 20 years and the ability to bring an action against anyone who infringes on that right. Software “as such” is excluded from protection under the Patents Act 2013 if the actual contribution made by the alleged invention lies solely in it being a computer program. However, if the “actual contribution” of the software is part of a redevelopment or improvement of the qualities or features of a machine, the software may be patentable. For example, software which enables a washing machine to use less water or electricity while achieving the same or better performance could be patentable.
Do you recognise specific intellectual property rights in respect of data/databases?
There are no specific intellectual property rights which apply to data/databases. However, provided a database is original, it is eligible for copyright protection as a literary work.
What key protections exist for personal data?
The Privacy Act regulates the collection and processing of personal information. The Privacy Act contains thirteen Information Privacy Principles (the “IPPs”) which apply to the use of “personal information” by “agencies”. “Personal Information” is broadly defined to mean information about an identifiable individual, and therefore any information that can be used to identify an individual will come under the ambit of the Privacy Act. “Agency” is also broadly defined and would capture government agencies as well as private organisations.
The Privacy Act has extra-territorial effect, extending coverage of New Zealand privacy laws to overseas agencies in relation to any action taken by the overseas agency in the course of carrying on business in New Zealand. While the Privacy Act is not crystal clear on what “carrying on business in New Zealand” means, it is clear that it can include cases where the overseas agency does not have a commercial operation or place of business in New Zealand. There is yet to be any clear guidance provided by the Office of the Privacy Commissioner (“OPC”) as to how far the net will be cast in terms of the interpretation of “carrying on business in New Zealand”. However, during the second reading of the bill that is now the Privacy Act, it was discussed that overseas agencies that are systematically and deliberately taking opportunities to engage in trade in New Zealand would be considered to be carrying on business here.
The IPPs relate to the manner and purpose of collection, storage, access, use, retention, disclosure, deletion and the overseas transfer of personal information (as discussed in paragraph 4.2 below). The consent of the individual concerned is not always required for the collection and processing of personal information, but it must always be lawfully obtained and managed in accordance with the terms of the Privacy Act.
In addition to the above, there are a number of related Codes issued by the Privacy Commissioner that apply to different agencies in certain industries. In particular, agencies providing personal or public health or disability services are also subject to the Health Information Privacy Code 1994, which includes specific rules regarding the processing of health information.
Europe’s GDPR, and other foreign privacy law regimes which apply on a similar extra-territorial basis, may also be applicable to organisations operating in New Zealand where their activities fall within the jurisdiction of the applicable regime.
Are there restrictions on the transfer of personal data overseas?
IPP 12 in the Privacy Act provides that a New Zealand agency may only transfer personal information to an overseas agency if:
- the individual concerned authorises the disclosure of their personal information overseas after being expressly informed by the New Zealand agency that the overseas agency may not be required to protect the information in a way that, overall, provides comparable safeguards to those in the Privacy Act;
- the overseas agency is carrying on business in New Zealand, and in relation to the information, the New Zealand agency believes on reasonable grounds that the overseas agency is subject to the Privacy Act;
- the New Zealand agency believes on reasonable grounds that the overseas agency is subject to privacy laws that, overall, provide comparable safeguards to those in the Privacy Act; or
- the New Zealand agency believes on reasonable grounds that the overseas agency is a participant in a prescribed binding scheme, or is subject to privacy laws of a prescribed country; or
- the New Zealand agency believes on reasonable grounds that the overseas agency is required to protect the information in a way that, overall, provides comparable safeguards to those in the Privacy Act (for example, by entering into the standard contractual clauses developed by the OPC or other similar arrangements).
The export of personal information to a third party which merely holds that data as agent on behalf of the first party (e.g. for safe custody, such as a cloud service provider) is expressly excluded from this restriction in IPP 12 if the agent only stores or processes the personal information on the relevant agency’s behalf.
What is the maximum fine that can be applied for breach of data protection laws?
The maximum fine under the Privacy Act is NZ$10,000. This is for a range of offences, including failure to comply with an access order, compliance notice or transfer prohibition notice, and failure to notify a privacy breach where required under the Privacy Act.
What additional protections have been implemented, over and above the GDPR requirements?
The Privacy Act has a similar standard to the GDPR in some areas, including in respect of cross border transfers of personal information as discussed above and mandatory breach reporting (discussed further in paragraph 8.1). However, in other areas a more permissive standard than the GDPR’s prescriptive requirements applies.
Are there any regulatory guidelines or legal restrictions applicable to cloud-based services?
New Zealand has not enacted any cloud-specific legislation. However, general laws will nonetheless apply (for example, the Privacy Act).
Are there specific requirements for the validity of an electronic signature?
The Contract and Commercial Law Act 2017 (“CCLA”) sets out specific rules regarding the validity of electronic signatures in instances where the signature is required by law. In these circumstances, the law generally recognises an electronic signature that is required by law as valid if:
- it adequately identifies the signatory;
- it adequately indicates the signatory’s approval of the information to which the signature relates; and
- it is appropriately reliable given the purpose for which, and the circumstances in which, the signature is required.
If the legal requirement for a signature relates to information legally required to be given to a person, the recipient of that information must consent to receiving an electronic signature for that signature to be valid. The CCLA also contains a presumption as to the reliability of an electronic signature where the use of an electronic signature is only under the control of the relevant signatory, essentially being a description of an effective digital signature.
There are some signatures required under law for which an electronic signature will not be valid, such as affidavits, statutory declarations, wills and other testamentary instruments.
Where the signature is not required by law, the CCLA will not apply and, therefore, there are no specific requirements for the use of an electronic signature. However, to ensure that the contract is enforceable, it is good practice to nonetheless apply the statutory standard described above when using an electronic signature to demonstrate an intention to be bound by a contract that is not required by law to be signed.
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
New Zealand does not have specific legislation relating to transfers of employees, assets or third party contracts if an organisation outsources its IT services. Whether any such transfer will occur is typically dealt with through commercial negotiation between the parties. Where applicable, the transfer would be documented through contract.
If a software program which purports to be a form of A.I. malfunctions, who is liable?
To the extent that the malfunction causes personal injury, there is unlikely to be any liability due to the existence of New Zealand’s no-fault accident compensation scheme (known as “ACC”).
Where AI is part of products or services which are sold to consumers, liability for malfunction will be subject to New Zealand consumer law, such as the Consumer Guarantees Act and the Fair Trading Act. The obligations these Acts impose are discussed above. However, where there is no relationship between the parties (e.g. if an autonomous vehicle or a drone causes damage to third party property), it is not clear under New Zealand law who would be liable for that damage in the event of any claim.
Given the extent to which AI often relies on the processing of data (including personal information), liability under the Privacy Act is also possible in circumstances where AI malfunctions. In that scenario, the relevant agency holding or processing the personal information would be liable where a privacy breach occurs, and may also be subject to mandatory breach notification obligations (discussed further in paragraph 8.1).
Outside of obligations at law, liability for defects would ordinarily be negotiated between contractual counterparties and managed through the terms of the applicable contract.
What key laws exist in terms of: (a) obligations as to the maintenance of cybersecurity; (b) and the criminality of hacking/DDOS attacks?
(a) Obligations as to the maintenance of cybersecurity
There are no specific laws relating to the maintenance of cybersecurity.
Under the Privacy Act, an agency holding personal information must ensure that it is protected by security safeguards which are reasonable in the circumstances to take against loss, unauthorised access, use, modification or disclosure or other misuse.
The Privacy Act has a mandatory breach notification regime for certain notifiable privacy breaches. A “notifiable privacy breach” is defined as a privacy breach that it is reasonable to believe has caused serious harm, or is likely to cause serious harm, to an affected individual. The Privacy Act provides that an agency must consider the following when assessing whether a privacy breach is likely to cause serious harm:
- any action taken by the agency to reduce the risk of harm following the breach;
- whether the personal information is sensitive in nature;
- the nature of the harm that may be caused to affected individuals;
- the person or body that has obtained or may obtain personal information as a result of the breach (if known);
- whether the personal information is protected by a security measure; and
- any other relevant matters.
The OPC must be notified as soon as practicable after an agency becomes aware that a notifiable privacy breach has occurred. The OPC considers that, unless there are extenuating circumstances, such notification should be within 72 hours. Privacy breaches can be notified to the OPC via an online form found on the OPC’s website.
Subject to certain exceptions, there is also an obligation to notify the affected individual(s) of the notifiable privacy breach or give public notice of the notifiable privacy breach if it is not reasonably practicable to notify the affected individual(s).
Other more general obligations may also be relevant, for example the Companies Act 1993 obliges directors of companies to exercise due care, skill and diligence in undertaking their role. For most companies, reliance on technology and data is business critical, meaning that the management of cyber risk is likely to form part of a director’s obligations under this duty.
(b) The criminality of hacking/DDOS attacks?
Under New Zealand criminal law, it is an offence to:
- intend to access, or to access, a computer system dishonestly or by deception;
- intentionally or recklessly destroy, damage or alter a computer system knowing, or where one ought to know, that danger to life is likely to result;
- intentionally or recklessly and without authorisation:
  - damage, delete or otherwise interfere with or impair any data or software in a computer system;
  - cause any of the above to occur; or
  - cause any computer system to fail, or to deny service to any authorised users; or
- access a computer system without authorisation.
These offences are drafted very widely and cover hacking and distributed denial of service. The maximum penalties under these offences include a prison term not exceeding 10 years.
What technology development will create the most legal change in your jurisdiction?
In New Zealand, the technology development that is likely to create the most legal change over the next few years is artificial intelligence (AI).
The Government is developing a national digital strategy for New Zealand, which is likely to include a national AI strategy and the proposed regulation of certain applications of AI (rather than AI technology as a whole). The AI strategy is likely to focus on certain applications that are perceived to be high risk for New Zealand society in terms of public safety, privacy and/or human rights. While the AI strategy is still under development, applications that may be regulated in some form include autonomous vehicles and facial recognition technology.
The Government is also consulting separately on the use of autonomous weapons as part of its disarmament policy (and in the context of ongoing multilateral discussions). Legislation addressing the risks from autonomous weapons is expected to be introduced in the next few years, and this could have a wider impact on the development and use of AI generally in New Zealand.
The Government released an Algorithm Charter in July 2020, which (among other things) requires signatory public agencies to use algorithms in an ethical, trustworthy way. While the Algorithm Charter applies only to public sector agencies that have signed up to it, the ethical principles reflected in the Charter are likely to have a flow down effect on the private sector. Further policy or regulatory developments relating to the ethical use of AI are likely to form a core part of the national AI strategy and, potentially, future legislation and/or guidelines.
Which current legal provision/regime creates the greatest impediment to economic development/commerce?
From a TMT perspective, there is not one particular provision or regime that specifically hinders economic development and commerce in New Zealand. It is more often the case that innovators feel they have a lack of certainty as to accepted practices and guidelines in relation to the development and implementation of new or emerging technologies. Such uncertainty can, in some cases, act as an impediment to innovation and development.
Do you believe your legal system specifically encourages or hinders digital services?
New Zealand has cultivated a fairly permissive regime in its approach to digital services, which is likely to encourage use and development. Laws are often drafted in a way that is technology-neutral and regulators tend to be conscious of encouraging, rather than hindering, digital services and innovation. Having said that, as noted above, many innovators are demanding more certainty around a legal framework specifically designed to deal with the unique issues arising in the digital arena (particularly in the FinTech sector).
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?
Traditional legal doctrines have coped fairly well with technological developments historically and it is likely that the New Zealand judiciary will remain flexible and responsive when interpreting the law in relation to new technologies. Regulators and legislators tend to opt for technology-neutral responses to issues, to avoid new laws and regulations becoming quickly outdated or being likely to cause unanticipated difficulties in practice.
A number of the novel legal issues which may arise as a result of AI could already be dealt with through existing practices and legal principles. For example, if artificial intelligence were to cause personal injury (such as accidents involving autonomous vehicles), this could be dealt with under New Zealand’s existing no-fault ACC regime.
However, as noted above, there are very few instances where the legal system has sought to specifically legislate or regulate AI. This means that we are unlikely to be well-placed to deal with issues arising from artificial intelligence which are unique and not readily able to be resolved by reference to traditional laws and legal principles. For example, legal responsibility has historically rested with persons or organisations, determined by reference to principles such as causation and remoteness. This approach has limits in the context of AI because, as AI continues to develop, it is foreseeable that there could be circumstances where a loss has been caused with minimal and/or remote human or organisational involvement. Continuing to attribute liability in the way we currently do could therefore eventually lead to unfair or unexpected outcomes, which, although currently untested, the law does not appear to yet be well-placed to deal with.
As noted above, it is likely that specific legislation will be introduced in New Zealand over the next few years in order to address risks arising from particular AI applications such as autonomous vehicles and autonomous weapons.
New Zealand: TMT
This country-specific Q&A provides an overview of TMT laws and regulations applicable in New Zealand.