This country-specific Q&A provides an overview of TMT laws and regulations applicable in New Zealand.
Is there a single regulatory regime that governs software?
In New Zealand, there is currently no specific regulatory regime that regulates software. However, certain New Zealand regulations that apply more broadly to technology may impact the development and supply of software, including the Privacy Act 2020, the Unsolicited Electronic Messages Act 2007, the Fair Trading Act 1986 and the Consumer Guarantees Act 1993.
How are proprietary rights in software and associated materials protected?
Software can be legally protected in New Zealand in two key ways:
Copyright: Copyright protects original works and arises automatically. The underlying source code or machine-readable translation of the object code of original software may be protected by copyright, under the Copyright Act 1994. The duration of protection depends on the category of the work the copyright subsists in. Copyright can also protect materials associated with the software.
Patents: Following successful application, patents allow the creator of a new invention exclusive use of that invention for up to 20 years and the ability to bring an action against anyone who infringes on that right. Software “as such” is excluded from protection under the Patents Act 2013 if the actual contribution made by the alleged invention lies solely in it being a computer program. However, if the “actual contribution” of the software is part of a redevelopment or improvement of the qualities or features of a machine, the software may be patentable.
In the event that software is developed by a software developer, consultant or other party for a customer, who will own the resulting proprietary rights in the newly created software in the absence of any agreed contractual position?
Under the Copyright Act 1994, the person who is the first author of the work is the first owner of any copyright in the work. However, certain exceptions apply under the Copyright Act 1994. Where an author creates a work in the course of their employment, that person’s employer is the first owner of any copyright in the work. Similarly, where a person commissions, and pays or agrees to pay for the work, and the work is made in pursuance of that commission, then the person who commissioned the work is the first owner of any copyright in the work. However, it is typically not recommended to rely on default IP ownership laws and IP ownership should be set out clearly in the relevant contract.
Are there any specific laws that govern the harm / liability caused by Software / computer systems?
There are no specific laws that govern the harm or liability caused by software or computer systems. However, the following laws apply broadly:
Harmful Digital Communications Act 2013: The Harmful Digital Communications Act 2013 applies to online content hosts (including any organisation that hosts websites or social media platforms in New Zealand). Online content hosts may be civilly or criminally liable for the content that is on their website unless they follow a prescribed process, which requires complaints to be received and dealt with in a prescribed way.
Crimes Act 1961: Under New Zealand criminal laws, it is an offence to:
intend to access, or to access, a computer system dishonestly or by deception;
intentionally or recklessly destroy, damage or alter a computer system knowing, or where one ought to know, that danger to life is likely to result;
intentionally or recklessly and without authorisation:
damage, delete or otherwise interfere with or impair any data or software in a computer system;
cause any of the above to occur; or
cause any computer system to fail, or to deny service to any authorised users; or
make, sell, distribute or process software to assist someone to commit an offence; or
access a computer system without authorisation.
These offences are drafted very widely and cover hacking and distributed denial of service. The penalties under these offences range from prison terms of 2 years to a maximum of 10 years.
To the extent not covered by (4) above, are there any specific laws that govern the use (or misuse) of software / computer systems?
Please refer to our response in item 4.
Other than as identified elsewhere in this overview, are there any technology-specific laws that govern the provision of software between a software vendor and customer, including any laws that govern the use of cloud technology?
In New Zealand, there is currently no specific regulatory regime regulating the provision of software between a software vendor and customer, or the use of cloud technology. However, certain New Zealand regulations that apply more broadly also regulate such technology services, such as the Privacy Act 2020, the Unsolicited Electronic Messages Act 2007 and the Fair Trading Act 1986 (as discussed further below).
New Zealand has an unfair contract terms (UCT) regime under the Fair Trading Act 1986 with respect to standard form consumer contracts (being business to consumer contracts which aren’t generally negotiated) and has recently extended that regime to small trade contracts.
A “small trade contract” under the regime is a standard form contract where the parties are engaged in trade; is not a consumer contract; and does not comprise or form part of a trading relationship that exceeds an annual $250,000 value threshold when the relationship first arises.
A term will be considered “unfair” under the UCT regime if it:
would cause a significant imbalance in the parties’ rights and obligations arising under the contract;
would cause detriment (whether financial or otherwise) to a party if it were applied, enforced or relied on (with case law indicating that this is a low threshold); and
is not reasonably necessary in order to protect the legitimate interest of the party who would be advantaged by the term.
Suppliers of technology services and solutions in New Zealand will need to revisit their standard form consumer contracts and B2B small trade contracts to ensure the terms are not in breach of the new UCT regime. In particular, the New Zealand regulator, the Commerce Commission, has focussed on unilateral rights of variation and one-sided liability caps/exclusions benefiting the supplier that meet the above criteria as “unfair”.
Is it typical for a software vendor to cap its maximum financial liability to a customer in a software transaction? If ‘yes’, what would be considered a market standard level of cap?
It is common for the liability of each party to be subject to a liability cap, with the quantum of that liability cap varying depending on the circumstances. For the supply of “off-the-shelf” software solutions, suppliers commonly seek to cap their liability at 100% of fees paid in a 12-month period. The liability provisions in contracts for the supply of bespoke or business critical solutions are commonly negotiated.
In New Zealand, the Courts will generally enforce liability clauses where they are negotiated at arm’s length between commercial parties. However, there is scope, under the Fair Trading Act 1986, for challenging the enforceability of liability provisions if one of the parties is a “consumer” or for standard form small trade contracts with an annual value of less than NZD250,000 (as discussed above in item 6).
Please comment on whether any of the following areas of liability would typically be excluded from any financial cap on the software vendor’s liability to the customer or subject to a separate enhanced cap in a negotiated software transaction (i.e. unlimited liability): (a) confidentiality breaches; (b) data protection breaches; (c) data security breaches (including loss of data); (d) IPR infringement claims; (e) breaches of applicable law; (f) regulatory fines; (g) wilful or deliberate breaches.
It is common in New Zealand for software customers to seek to include certain key uncapped heads of loss in the contract, such as: breach of confidentiality; breach of the provisions relating to intellectual property rights (including third party IPR infringement claims on an indemnity basis); wilful or deliberate breaches; and fraud.
In addition, if the software vendor will have access to personal information of the customer, customers are increasingly seeking uncapped liability for the software vendor’s breach of its data protection obligations (or agreeing a separate higher cap for such breaches), which would include breach of the vendor’s security obligations.
Is it normal practice for software source codes to be held in escrow for the benefit of the software licensee? If so, who are the typical escrow providers used?
Software escrow arrangements are typically put in place only at the licensee’s request, and only where the software vendor is providing business critical software to a customer with significant bargaining power in circumstances where alternative solutions are not readily available in the market and/or the time to procure and implement an alternative solution would expose the licensee to significant business risk. Escrow arrangements are more common in licence transactions than SaaS arrangements, but are becoming increasingly uncommon overall. They are now unusual in a SaaS context, except where the software is being used in high-risk, regulated applications. Escrow NZ is New Zealand’s most commonly used escrow provider.
Are there any export controls that apply to software transactions?
Other than as identified elsewhere in this questionnaire, are there any specific technology laws that govern IT outsourcing transactions?
Outsourcing transactions are not separately regulated in New Zealand. Rather, whether or not a particular outsourcing arrangement will be the subject of a specific regulatory regime will largely depend on the customer’s industry and the specific nature of the arrangement. For example, in New Zealand, large banks must comply with the Reserve Bank of New Zealand’s BS11 Outsourcing Policy in respect of certain outsourcing arrangements.
While not relating to outsourcing specifically, New Zealand’s competition law, the Commerce Act 1986 (Commerce Act) contains prohibitions against cartel agreements between competitors. Namely, it is illegal “cartel conduct” for competing businesses to agree:
what prices each will charge customers in competition with each other (known as “price fixing”);
what customers or territories each will supply, or will not supply, in competition with each other (known as “market allocation”); and
to not supply certain goods or services in competition with each other (known as an “output restriction agreement”).
These prohibitions could apply to an outsourcing agreement where the provider of the relevant services is also a competitor of the customer of those services. Illegal conduct can be found without a written agreement, and an informal expectation between competitors that they will act in a certain way is sufficient to breach the Commerce Act. Therefore, discussions with outsourcing partners that are also competitors should not “spill over” into informal understandings as to how each competes for customers, and the parties should avoid sharing commercially sensitive information (such as pricing information) with each other in the areas in which they compete.
The Commerce Act contains an exemption from the cartel prohibition for clauses included in supply contracts (such as an IT outsourcing contract), provided those clauses do not have the purpose of lessening competition between the parties. This is increasingly an area to watch in New Zealand as IT service providers are, more and more, outsourcing their own IT operations to outsourced service providers who may also be competitors in some markets.
Please summarise the principal laws (present or impending), if any, that protect individual staff in the event that the service they perform is transferred to a third party IT outsource provider, including a brief explanation of the general purpose of those laws.
New Zealand’s transfer regime for employees in outsourcing scenarios only applies for particular work (cleaning, food catering and security) so does not apply in relation to an outsourcing to an IT provider. However, the outsourcing would likely lead to the termination of employment with the existing provider. The new provider may (but is not required to at law) offer employment. If employment is offered by the new provider, it may be on terms decided by the new provider (there is no obligation at law to offer the same terms and conditions of employment).
Where the work of an employee is to move to another provider, the employer is required to consult with the employee prior to making a decision to outsource the work. This is the main protection provided to individual staff members in the event the service they perform is outsourced to a third party. A compliant consultation process is generally structured as follows:
the employer provides all relevant information regarding the proposed outsourcing decision, including whether the employee’s role could be disestablished and employment terminated;
the employee is given an opportunity to consider the information provided and formulate a response;
the employee provides that response to the employer;
the employer genuinely considers the employee’s feedback; and
the employer then makes a decision regarding whether to outsource the work as proposed. If the work is to be outsourced, further consultation would occur regarding the impact on the employee (i.e. are there any alternatives to redundancy).
The general purpose of these provisions is to ensure that employees have an opportunity to provide feedback into decisions that affect the continuity of their employment.
Which body(ies), if any, is/are responsible for the regulation of telecommunications networks and/or services?
The Commerce Commission for telecommunications services. The Telecommunications Commissioner leads the Commission’s work on telecommunications regulation. The Government Communications Security Bureau for network security.
Please summarise the principal laws (present or impending), if any, that govern telecommunications networks and/or services, including a brief explanation of the general purpose of those laws.
Under the Telecommunications Act 2001, the key regulatory regimes can be summarised as follows:
Regulation of fixed fibre lines services. Chorus, the main provider in New Zealand, is subject to price-quality regulation. Other providers are subject to information disclosure. There are powers to allow price regulation of specific services provided over fibre. Providers are also subject to enforceable Deeds with the Crown which require them to provide services on an equivalence of inputs and/or non-discriminatory basis.
Access regulation of copper lines services. Some broadband services remain subject to standard terms determinations, which govern the prices and terms on which the services are provided to access seekers. There is a regime governing the withdrawal of copper services as and when they are replaced by fibre.
Regulation of some aspects of mobile services. For example, mobile termination access services are subject to price regulation, and mobile co-location services are subject to access (but not price) regulation.
Line of business restrictions – Chorus must not enter the retail market.
A general power for the Commission to undertake market studies. For example, it has reviewed issues that could inhibit mobile market development, and has recently commenced a review of rural connectivity services.
Consumer protection. This includes the ability for the Commission to prescribe industry codes (such as the 111 contact code and retail service quality code) and undertake retail market monitoring.
A property and road / rail corridor access regime for network operators.
The Telecommunications (Interception Capability and Security) Act applies to network operators (lines and mobile) and governs:
Obligations to ensure networks have interception capability and duties to cooperate with law enforcement and surveillance agencies;
Requirements for network security, including engagement with the Government Communications Security Bureau on security risks and network changes that could impact security.
Which body(ies), if any, is/are responsible for data protection regulation?
The Office of the Privacy Commissioner and the Human Rights Tribunal.
Please summarise the principal laws (present or impending), if any, that govern data protection, including a brief explanation of the general purpose of those laws.
The Privacy Act 2020 regulates the collection and processing of personal information. The purpose of the Privacy Act 2020 is to promote and protect individual privacy by:
providing a framework for protecting an individual’s right to privacy of personal information, including the right of an individual to access their personal information, while recognising that other rights and interests may at times also need to be taken into account; and
giving effect to internationally recognised privacy obligations and standards in relation to the privacy of personal information, including the OECD Guidelines and the International Covenant on Civil and Political Rights.
What is the maximum sanction that can be imposed by a regulator in the event of a breach of any applicable data protection laws?
The maximum fine under the Privacy Act 2020 is NZ$10,000. This is for a range of offences, including failure to comply with an access order, compliance notice or transfer prohibition notice, and failure to notify a privacy breach where required under the Privacy Act 2020.
Do technology contracts in your country typically refer to external data protection regimes, e.g. EU GDPR or CCPA, even where the contract has no clear international element?
Technology contracts in New Zealand require both parties to comply with the Privacy Act 2020 at a minimum. This applies even if the software vendor is EU GDPR, UK GDPR or CCPA compliant. The Privacy Act 2020 has a similar standard to the EU GDPR in some areas, including in respect of cross border transfers of personal information and mandatory breach reporting. However, in other areas a more permissive standard than the EU GDPR’s prescriptive requirements applies. This usually means that if a software vendor is EU or UK GDPR compliant, then it is likely that they will be Privacy Act 2020 compliant as well.
If the customer provides the software vendor with personal information of European Union or United Kingdom residents, then customers may require the supplier to be EU GDPR and/or UK GDPR compliant in addition to Privacy Act 2020 compliance.
Which body(ies), if any, is/are responsible for the regulation of artificial intelligence?
There is no specific regulator of artificial intelligence (AI) in New Zealand. However, relevant laws that apply more broadly are regulated by the Office of the Privacy Commissioner and the Commerce Commission.
Please summarise the principal laws (present or impending), if any, that govern the deployment and use of artificial intelligence, including a brief explanation of the general purpose of those laws.
In New Zealand, there is currently no specific regulatory regime that regulates artificial intelligence (AI) but certain New Zealand legislation that applies more broadly to technology will apply to AI including the Privacy Act 2020, Human Rights Act 1993, and the Fair Trading Act 1986.
The Government released an Algorithm Charter (Charter) in July 2020, which (among other things) requires signatory public agencies to use algorithms in an ethical, trustworthy way. While the Algorithm Charter applies only to public sector agencies that have signed up to it, the principles reflected in the Charter are likely to have a flow down effect on the private sector.
The New Zealand Government has also recently released the Digital Technologies Industry Transformation Plan (ITP) as part of its wider national Digital Strategy. The development and advancement of an AI strategy is a future focus area under the ITP (subject to government funding). An AI strategy may include a focus on New Zealand’s existing regulatory framework and a review of any regulatory gaps.
It is not yet clear what approach will be taken to the regulation of AI in New Zealand and the likelihood and nature of future regulation is likely to depend on the outcome of New Zealand’s general election in Q4 of 2023. Any AI regulation is likely to focus on certain applications that are perceived to be high risk for New Zealand society in terms of public safety, privacy and/or human rights. AI regulation is also likely to have an impact on existing laws that apply more broadly to AI such as the Privacy Act 2020. In particular, the penalties for breaches of the Privacy Act 2020 may be increased to ensure that any unlawful processing of personal information by an AI tool has adequate consequences under law.
The Government has also consulted separately on the use of autonomous weapons as part of its disarmament policy (and in the context of ongoing multilateral discussions). Legislation addressing the risks from autonomous weapons may be introduced in the next few years, and this could have a wider impact on the development and use of AI generally in New Zealand.
Are there any specific legal provisions (present or impending) in respect of the deployment and use of Large Language Models and/or generative AI?
There is no specific regulatory regime that regulates generative AI. However, the comments at item 20 will also apply to generative AI. In addition, the Office of the Privacy Commissioner has released practical guidance on the use of generative AI by New Zealand organisations. While the guidance is limited to generative AI, it is also relevant to the use of other AI tools.
Which body(ies), if any, is/are responsible for the regulation of blockchain and / or digital assets generally?
Three New Zealand bodies currently have responsibility over digital assets generally; the Financial Markets Authority (FMA), the Department of Internal Affairs (DIA) and the Reserve Bank of New Zealand (RBNZ).
The FMA has responsibility for the regulation of offers of financial products in New Zealand under the Financial Markets Conduct Act 2013 (FMCA).
The DIA has responsibilities under New Zealand’s Anti-Money Laundering and Countering Financing of Terrorism Act (AML/CFT Act), which includes obligations on virtual asset service providers.
The RBNZ has responsibility for the prudential regulation of registered banks, non-bank deposit takers and insurers in New Zealand. The RBNZ does not directly regulate digital assets, but considers the impact of digital assets when carrying out its functions as a central bank. The RBNZ recently consulted on the possibility of a central bank digital currency in New Zealand.
What are the principal laws (present or impending), if any, that govern (i) blockchain specifically (if any) and (ii) digital assets, including a brief explanation of the general purpose of those laws?
New Zealand lacks targeted legislation that governs blockchain or digital assets alone. Instead, digital assets and services related to digital assets in New Zealand are regulated by existing, technology neutral legislation. Given that the rights and functions created in respect of digital assets are flexible, each asset or service associated with digital assets will be regulated according to its specific properties. The two regimes most relevant to blockchain and digital assets are those which govern financial products under the FMCA and the AML/CFT Act.
The FMCA is the principal piece of legislation that regulates financial products. The FMCA:
imposes fair dealing obligations on conduct in both the retail and wholesale financial markets;
sets out the disclosure requirements for offers of financial products;
sets out a regime of exclusions and wholesale investor categories in connection with the disclosure requirements;
sets out the governance rules that apply to financial products; and
imposes licensing regimes.
Whether the more onerous requirements of the FMCA apply in relation to a specific digital asset depends on whether that digital asset meets the definition of “financial product” as set out in the FMCA.
The AML/CFT Act sets out a range of anti-money laundering obligations (such as customer due diligence) which apply to reporting entities. The definition of reporting entity includes virtual asset service providers, which means that service providers in relation to digital assets are typically subject to obligations under that legislation. The primary purpose of that legislation is to deter and detect money laundering and the financing of terrorism.
Are blockchain based assets such as cryptocurrency or NFTs considered “property” capable of recovery (and other remedies) if misappropriated?
Yes. The 2017 High Court case of Ruscoe v Cryptopia held for the first time in New Zealand that cryptocurrencies are property under the Companies Act 1993. Justice Gendall considered that the $170 million of cryptocurrencies held by Cryptopia Limited (in liquidation) (Cryptopia) were property and, importantly, held on trust for the accountholders of Cryptopia and not the property of Cryptopia itself.
Which body(ies), if any, is/are responsible for the regulation of search engines and marketplaces?
There is no specific regulator of search engines and marketplaces. However, under laws that apply more broadly as discussed below, the Commerce Commission and the Ministry of Justice are the relevant regulators.
Please summarise the principal laws (present or impending), if any, that govern search engines and marketplaces, including a brief explanation of the general purpose of those laws.
There is no specific regulation of search engines and marketplaces. General consumer protection and privacy laws apply (e.g. Fair Trading Act 1986, Consumer Guarantees Act 1993, and the Privacy Act 2020 and Privacy Regulations 2020).
New Zealand consumer law applies to goods or services provided to people in, or business carried out in, New Zealand. The Commerce Commission can regulate such activities, and in doing so can initiate enforcement action against residents of other countries. The Privacy Act 2020 is discussed above.
The Harmful Digital Communications Act 2013, as discussed in item 4, applies to online content hosts (including any organisation that hosts websites or social media platforms in New Zealand). Online content hosts may be civilly or criminally liable for the content that is on their website unless they follow a prescribed process, which requires complaints to be received and dealt with in a prescribed way.
In 2019, New Zealand developed the Christchurch Call, which is an action plan that commits government and tech companies to a range of measures in an attempt to make the internet safer. This includes developing tools to prevent the upload of violent content and increasing transparency around the removal and detection of content. The Christchurch Call is not binding, and there are no legal consequences for parties that fail to comply.
Which body(ies), if any, is/are responsible for the regulation of social media?
Our comments in relation to search engines and marketplaces in item 25 also apply to social media.
Please summarise the principal laws (present or impending), if any, that govern social media, including a brief explanation of the general purpose of those laws.
Our comments in relation to search engines and marketplaces in item 26 also apply to social media.
What are your top 3 predictions for significant developments in technology law in the next 3 years?
Our top 3 predictions for significant developments in technology law in New Zealand in the next 3 years are as follows:
Artificial Intelligence: New Zealand is likely to establish AI-specific regulations in the coming years. Please see our comments in item 20 for further details.
New legislation: New legislation currently being considered by the Government and certain new legislation that has recently come into effect may have a significant impact on technology law in New Zealand:
Customer and Product Data Bill: The Government has released a consultation draft of the Customer and Product Data Bill – New Zealand’s consumer data right (CDR) framework. The Government aims to introduce legislation to Parliament by the end of 2023. Once implemented, the CDR will provide individuals and businesses with a statutory ability to require data holders to share information held about them with trusted third parties and the ability to require them to carry out some form of action on the relevant individual’s or business’s behalf. The Government has confirmed that the banking sector will be the first sector to be designated in-scope of the CDR.
Digital Identity Trust Framework: The Digital Identity Trust Framework Act 2023 (Act) came into effect earlier this year and will impact the provision and receipt of digital identity services in New Zealand. The core objective of the Act is to help develop digital identity services that are trusted and people-centric. While the primary obligations in the Act will be on digital identity service providers on an opt-in basis, it will also have an impact on individuals and organisations in the digital identity ecosystem, including banks, government agencies, utility and telecommunications providers. The rules that will apply to digital identity service providers who opt-in to the framework are still in development.
Regulation of Biometrics: The Office of the Privacy Commissioner (OPC) released a consultation paper in 2022 seeking submissions on how biometrics (including facial recognition technology) should be regulated to protect privacy in New Zealand. As a result of this consultation, the OPC announced that it is exploring a Code of Practice under the Privacy Act 2020 to regulate biometrics. Regulation on biometrics is likely to affect any organisation developing or using biometric technologies in their business in New Zealand, and is likely to cover facial and voice recognition and fingerprint scanning technologies.
Do technology contracts in your country commonly include provisions to address sustainability / net-zero obligations or similar environmental commitments?
Yes. Organisations that are subject to net-zero obligations or environmental commitments under law or internal policies may request their suppliers to comply with certain environmental, social and governance (ESG) requirements.