{"id":109882,"date":"2025-08-06T14:13:25","date_gmt":"2025-08-06T14:13:25","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=comparative_guide&#038;p=109882"},"modified":"2025-08-19T11:24:50","modified_gmt":"2025-08-19T11:24:50","slug":"new-zealand-tmt","status":"publish","type":"comparative_guide","link":"https:\/\/my.legal500.com\/guides\/chapter\/new-zealand-tmt\/","title":{"rendered":"New Zealand: TMT"},"content":{"rendered":"","protected":false},"template":"","class_list":["post-109882","comparative_guide","type-comparative_guide","status-publish","hentry","guides-tmt","jurisdictions-new-zealand"],"acf":[],"appp":{"post_list":{"below_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Russell McVeagh<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2019\/08\/russell-mcveagh.jpg\"\/><\/span><\/div>"},"post_detail":{"above_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Russell McVeagh<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2019\/08\/russell-mcveagh.jpg\"\/><\/span><\/div>","below_title":"<span class=\"guide-intro\">This country specific Q&amp;A provides an overview of TMT laws and regulations applicable in New Zealand<\/span><div class=\"guide-content\"><div class=\"filter\">\r\n\r\n\t\t\t\t<input type=\"text\" placeholder=\"Search questions and answers...\" class=\"filter-container__search-field\">\r\n\t\t\t<\/div>\r\n\r\n\t\t\t\r\n\r\n\r\n\t\t\t<ol class=\"custom-counter\">\r\n\r\n\t\t\t\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software \u2013 How are proprietary rights in software and associated materials protected?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Software can be legally protected in New Zealand in two key ways:<\/p>\n<ul style=\"padding-left: 0\">\n<li><strong>Copyright: <\/strong>Copyright protects original works and arises automatically.\u00a0 The underlying source code or machine-readable translation of the object code of original software may be protected by copyright, under the Copyright Act 1994.\u00a0 The duration of protection depends on the category of the work the copyright subsists in.<strong>\u00a0 <\/strong>Copyright can also protect materials associated with the software.<\/li>\n<li><strong>Patents: <\/strong>Following successful application, patents allow the creator of a new invention exclusive use of that invention for up to 20 years and the ability to bring an action against anyone who infringes on that right.\u00a0 Software &#8220;as such&#8221; is excluded from protection under the Patents Act 2013 if the actual contribution made by the alleged invention lies solely in it being a computer program.\u00a0 However, if the &#8220;actual contribution&#8221; of the software is part of a redevelopment or improvement of the qualities or features of a machine, the software may be patentable.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software \u2013 In the event that software is developed by a software developer, consultant or other party for a customer, who will own the resulting proprietary rights in the newly created software in the absence of any agreed contractual position?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the Copyright Act 1994, the person who is the first author of the work is the first owner of any copyright in the work. However, certain exceptions apply under the Copyright Act 1994.\u00a0 Where an author creates a work in the course of their employment, that person&#8217;s employer is the first owner of any copyright in the work. Similarly, where a person commissions, and pays or agrees to pay for the work, and the work is made in pursuance of that commission, then the person who commissioned the work is the first owner of any copyright in the work. However, it is typically not recommended to rely on default IP ownership laws and IP ownership should be set out clearly in the relevant contract.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software \u2013 Are there any specific laws that govern the harm \/ liability caused by Software \/ computer systems?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no specific laws that govern the harm or liability caused by software or computer systems. However, the following laws apply broadly:<\/p>\n<p><strong>a) Harmful Digital Communications Act 2013<\/strong>: The Harmful Digital Communications Act 2013 applies to online content hosts (including any organisation that hosts websites or social media platforms in New Zealand). Online content hosts may be civilly or criminally liable for the content that is on their website unless they follow a prescribed process, which requires complaints to be received and dealt with in a prescribed way.<\/p>\n<p><strong>b) Crimes Act 1961:<\/strong> Under New Zealand criminal laws, it is an offence to:<\/p>\n<ol style=\"padding-left: 0\" type=\"i\">\n<li>intend to access, or to access, a computer system dishonestly or by deception;<\/li>\n<li>intentionally or recklessly destroy, damage or alter a computer system knowing, or where one ought to know, that danger to life is likely to result;<\/li>\n<li>intentionally or recklessly and without authorisation:\n<ol style=\"padding-left: 5\" type=\"a\">\n<li>damage, delete or otherwise interfere with or impair any data or software in a computer system;<\/li>\n<li>cause any of the above to occur; or<\/li>\n<li>cause any computer system to fail, or to deny service to any authorised users; or<\/li>\n<\/ol>\n<\/li>\n<li>make, sell, distribute or process software to assist someone to commit an offence; or<\/li>\n<li>access a computer system without authorisation.<\/li>\n<\/ol>\n<p>These offences are drafted very widely and cover hacking and distributed denial of service.\u00a0 The penalties under these offences range from prison terms of 2 years to a maximum of 10 years.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software \u2013 To the extent not covered by (3) above, are there any specific laws that govern the use (or misuse) of software \/ computer systems?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Please refer to our response in item 3.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software Transactions (Licence and SaaS) \u2013 Other than as identified elsewhere in this overview, are there any technology-specific laws that govern the provision of software between a software vendor and customer, including any laws that govern the use of cloud technology?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In New Zealand, there is currently no specific regulatory regime regulating the provision of software between a software vendor and customer, or the use of cloud technology. \u00a0However, certain New Zealand regulations that apply more broadly also regulate such technology services, such as the Privacy Act 2020, the Unsolicited Electronic Messages Act 2007, and the Fair Trading Act 1986 (as discussed further below).<\/p>\n<p>New Zealand has an unfair contract terms (<strong>UCT<\/strong>) regime under the Fair Trading Act 1986 with respect to standard form consumer contracts (being business to consumer contracts which aren\u2019t generally negotiated) and small trade contracts.<\/p>\n<p>A &#8220;small trade contract&#8221; under the regime is a standard form contract where the parties are engaged in trade; is not a consumer contract; and does not comprise or form part of a trading relationship that exceeds an annual $250,000 value threshold when the relationship first arises.<\/p>\n<p>A term will be considered &#8220;unfair&#8221; under the UCT regime if it:<\/p>\n<ul style=\"padding-left: 0\">\n<li>would cause a significant imbalance in the parties&#8217; rights and obligations arising under the contract;<\/li>\n<li>would cause detriment (whether financial or otherwise) to a party if it were applied, enforced or relied on (with case law indicating that this is a low threshold); and<\/li>\n<li>is not reasonably necessary in order to protect the legitimate interest of the party who would be advantaged by the term.<\/li>\n<\/ul>\n<p>Suppliers of technology services and solutions in New Zealand will need to ensure the terms of their standard form consumer contracts and B2B small trade contracts are not in breach of the UCT regime. In particular, the New Zealand regulator, the Commerce Commission, has focussed on unilateral rights of variation and one-sided liability caps\/exclusions benefiting the supplier that meet the above criteria as &#8220;unfair&#8221;.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software Transactions (License and SaaS) \u2013 Is it typical for a software vendor to cap its maximum financial liability to a customer in a software transaction? If \u2018yes\u2019, what would be considered a market standard level of cap?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>It is common for the liability of each party to be subject to a liability cap, with the quantum of that liability cap varying depending on the circumstances. For the supply of &#8220;off-the-shelf&#8221; software solutions, suppliers commonly seek to cap their liability at 100% of fees paid in a 12-month period. The liability provisions in contracts for the supply of bespoke or business critical solutions are commonly negotiated.<\/p>\n<p>In New Zealand, the Courts will generally enforce liability clauses where they are negotiated at arm&#8217;s length between commercial parties. However, there is scope, under the Fair Trading Act 1986, for challenging the enforceability of liability provisions in standard form contracts if one of the parties is a &#8220;consumer&#8221; or if the annual value of the trading relationship is less than NZD250,000 (as discussed above in item 5).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software Transactions (License and SaaS) \u2013 Please comment on whether any of the following areas of liability would typically be excluded from any financial cap on the software vendor\u2019s liability to the customer or subject to a separate enhanced cap in a negotiated software transaction (i.e. unlimited liability): (a) confidentiality breaches; (b) data protection breaches; (c) data security breaches (including loss of data); (d) IPR infringement claims; (e) breaches of applicable law; (f) regulatory fines; (g) wilful or deliberate breaches.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>It is common in New Zealand for software customers to seek to include certain key uncapped heads of loss in the contract, such as: breach of confidentiality; breach of the provisions relating to intellectual property rights (including third party IPR infringement claims on an indemnity basis); wilful or deliberate breaches; and fraud.<\/p>\n<p>In addition, if the software vendor will have access to personal information of the customer, customers are increasingly seeking uncapped liability, or a separate higher cap, for the software vendor&#8217;s breach of its data protection and security obligations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software Transactions (License and SaaS) \u2013 Is it normal practice for software source codes to be held in escrow for the benefit of the software licensee? If so, who are the typical escrow providers used? Is an equivalent service offered for cloud-based software?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Software escrow arrangements are only typically at the licensee&#8217;s request and only where the software vendor is providing business critical (and often bespoke or customised) software to a customer with significant bargaining power in circumstances where alternative solutions are not readily available in the market and\/or the time to procure and implement an alternative solution would expose the licensee to significant business risk. Escrow arrangements are more common in licence transactions than SaaS arrangements, but are becoming increasingly uncommon overall. They are now unusual in a SaaS context, except where the software is being used in high-risk, regulated applications. \u00a0Escrow NZ is New Zealand&#8217;s most commonly used escrow provider.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Software Transactions (License and SaaS) \u2013 Are there any export controls that apply to software transactions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">IT Outsourcing \u2013 Other than as identified elsewhere in this questionnaire, are there any specific technology laws that govern IT outsourcing transactions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Outsourcing transactions are not separately regulated in New Zealand. Rather, whether or not a particular outsourcing arrangement will be the subject of a specific regulatory regime will largely depend on the customer&#8217;s industry and the specific nature of the arrangement. For example, in New Zealand, large banks must comply with the Reserve Bank of New Zealand&#8217;s BS11 Outsourcing Policy in respect of certain outsourcing arrangements.<\/p>\n<p>While not relating to outsourcing specifically, New Zealand&#8217;s competition law, the Commerce Act 1986 (<strong>Commerce Act<\/strong>) contains prohibitions against cartel agreements between competitors. Namely, it is illegal &#8220;cartel conduct&#8221; for competing businesses to agree:<\/p>\n<ul style=\"padding-left: 0\">\n<li>what prices each will charge customers in competition with each other (known as &#8220;price fixing&#8221;);<\/li>\n<li>what customers or territories each will supply, or will not supply, in competition with each other (known as &#8220;market allocation&#8221;); and<\/li>\n<li>to not supply certain goods or services in competition with each other (known as an &#8220;output restriction agreement&#8221;).<\/li>\n<\/ul>\n<p>These prohibitions could apply to an outsourcing agreement where the provider of the relevant services is also a competitor of the customer of those services. Illegal conduct can be found without a written agreement and an informal expectation between competitors that they will act in a certain way is sufficient to breach the Commerce Act. Therefore, discussions with outsourcing partners that are also competitors should not &#8220;spillover&#8221; into informal understandings as to how each competes for customers and the parties should avoid sharing commercially sensitive information (such as pricing information) with each other in the areas in which they compete.<\/p>\n<p>The Commerce Act contains an exemption from the cartel prohibition for clauses included in supply contracts (such as an IT outsourcing contract), provided those clauses do not have the purpose of lessening competition between the parties. This is increasingly an area to watch in New Zealand as IT service providers are, more and more, outsourcing their own IT operations to outsourced service providers who may also be competitors in some markets.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">IT Outsourcing \u2013 Please summarise the principal laws (present or impending), if any, that protect individual staff in the event that the service they perform is transferred to a third party IT outsource provider, including a brief explanation of the general purpose of those laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>New Zealand&#8217;s transfer regime for employees in outsourcing scenarios only applies for particular work (cleaning, food catering and security) so does not apply in relation to an outsourcing to an IT provider.\u00a0 However, the outsourcing would likely lead to the termination of employment with the existing provider.\u00a0 The new provider may (but is not required to at law) offer employment.\u00a0 If employment is offered by the new provider, it may be on terms decided by the new provider (there is no obligation at law to offer the same terms and conditions of employment).<\/p>\n<p>Where the work of an employee is to move to another provider, the employer is required to consult with the employee prior to making a decision to outsource the work. This is the main protection provided to individual staff members in the event the service they perform is outsourced to a third party.\u00a0 A compliant consultation process is generally structured as follows:<\/p>\n<ul style=\"padding-left: 0\">\n<li>the employer provides all relevant information regarding the proposed outsourcing decision, including whether the employee&#8217;s role could be disestablished and employment terminated;<\/li>\n<li>the employee is given an opportunity to consider the information provided and formulate a response;<\/li>\n<li>the employee provides that response to the employer;<\/li>\n<li>the employer genuinely considers the employee&#8217;s feedback; and<\/li>\n<li>the employer then makes a decision regarding whether to outsource the work as proposed. If the work is to be outsourced, further consultation would occur regarding the impact on the employee (i.e. are there any alternatives to redundancy).<\/li>\n<\/ul>\n<p>The general purpose of these provisions is to ensure that employees have an opportunity to provide feedback into decisions that affect the continuity of their employment.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Telecommunications \u2013 Please summarise the principal laws (present or impending), if any, that govern telecommunications networks and\/or services, including a brief explanation of the general purpose of those laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the Telecommunications Act 2001 (&#8220;<strong>Telecommunications Act<\/strong>&#8220;), the key regulatory regimes can be summarised as follows:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Regulation of fixed fibre lines services. Chorus, the main provider in New Zealand, is subject to price-quality regulation.\u00a0 Other providers are subject to information disclosure.\u00a0 There are powers to allow price regulation of specific services provided over fibre.\u00a0 Providers are also subject to enforceable Deeds with the Crown which require them to provide services on an equivalence of inputs and\/or non-discriminatory basis.<\/li>\n<li>Access regulation of copper lines services. Some broadband services remain subject to standard terms determinations, which govern the prices and terms on which the services are provided to access seekers.\u00a0 There is a regime governing the withdrawal of coppers services as and when they are replaced by fibre.<\/li>\n<li>Regulation of some aspects of mobile services. For example, mobile termination access services are subject to price regulation, and mobile co-location services are subject to access (but not price) regulation.<\/li>\n<li>Line of business restrictions. Chorus must not enter the retail market.<\/li>\n<li>A general power for the Commission to undertake market studies. For example, it has reviewed issues that could inhibit mobile market development, and has undertaken a review of rural connectivity services.<\/li>\n<li>Consumer protection. This includes the ability for the Commission to prescribe industry codes (such as the 111 contact code and retail service quality code) and undertake retail market monitoring.<\/li>\n<li>A property and road \/ rail corridor access regime for network operators.<\/li>\n<\/ul>\n<p>The Telecommunications (Interceptions Capability and Security) Act 2013 (<strong>&#8220;TICSA<\/strong>&#8220;) applies to network operators (lines and mobile) and governs:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Obligations to ensure networks have interception capability and duties to cooperate with law enforcement and surveillance agencies;<\/li>\n<li>Requirements for network security, including engagement with the Government Communications Security Bureau on security risks and network changes that could impact security.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Telecommunications \u2013 Please summarise any licensing or authorisation requirements applicable to the provision or receipt of telecommunications services in your country. Please include a brief overview of the relevant licensing or authorisation regime in your response.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no licencing requirements for the supply or receipt of telecommunications services.<\/p>\n<p>Under the Telecommunications Act 2001, telecommunications providers may apply to be declared a &#8220;network operator&#8221; for the purposes of the Telecommunications Act, though it is not mandatory.<\/p>\n<p>Under TICSA a person who controls or operates a public telecommunications network or supplies another person with the capability to provide a telecommunications service constitutes a &#8220;network operator&#8221;.\u00a0 TICSA requires network operators to register on the register of network operators maintained by the New Zealand Police.<\/p>\n<p>TICSA also requires network operators to notify the Director-General of the Government Communications Security Bureau (&#8220;<strong>Director-General<\/strong>&#8220;) (&#8220;<strong>Bureau<\/strong>&#8220;) of proposed decisions, courses of action or changes regarding certain parts of their network.\u00a0 Only proposals affecting an &#8220;area of specified security interest&#8221; need to be notified.\u00a0 An &#8220;area of specified security interest&#8221; means \u2013<\/p>\n<ul style=\"padding-left: 0\">\n<li>network operations centres;<\/li>\n<li>lawful interception equipment or operations;<\/li>\n<li>any part of a public telecommunications network that manages or stores aggregated information or authentication credentials of a significant amount of customers;<\/li>\n<li>any place in a public telecommunications network where data belonging to a customer or end user aggregates in large volumes; and<\/li>\n<li>any area prescribed by the Governor-General by Order in Council.<\/li>\n<\/ul>\n<p>Additionally, network operators must engage, in good faith, with the Bureau if they become aware that the implementation of any other decision, course of action, or change to any part of their network may give rise to a network security risk.<\/p>\n<p>Notifications will be subject to assessment by the Director-General, or if the case requires, the Minister responsible for the Bureau.\u00a0 If a network security risk is identified, then the action, decision or change must not be implemented unless the Director has accepted a proposal to mitigate the risk or directions by the Minister are complied with.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Telecommunications \u2013 Please summarise the principal laws (present or impending) that govern access to communications data by law enforcement agencies, government bodies, and related organisations. In your response, please outline the scope of these laws, including the types of data that can typically be requested, how these laws are applied in practice (e.g., whether requests are confidential, subject to challenge, etc.), and any legal or procedural safeguards that apply.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Government agencies, including police and other law enforcement agencies, commonly make requests for personal information from other various agencies.<\/p>\n<p>The Intelligence and Security Act 2017 (&#8220;<strong>Security Act<\/strong>&#8220;) provides the legislative regime for the New Zealand Security Intelligence Service and the Government Communications Security Bureau.\u00a0 The Security Act provides for these agencies to request information from other agencies in situations where they have a reasonable belief that this information is necessary for the performance of its functions.\u00a0 Both the Security Act and the Search and Surveillance Act 2012 contain provisions relating to obtaining information through search warrants and production orders.<\/p>\n<p>TICSA contains obligations on network operators to ensure that their networks have interception capability.\u00a0 Such capability requires that surveillance agencies lawfully authorised to intercept will be able to intercept telecommunications on the network unobtrusively and obtain call associated data and content of telecommunications in a usable format.<\/p>\n<p>Additionally, when presented with a lawful authority to intercept (by a surveillance agency), network operators and service providers are under a duty to assist.\u00a0 This requires making officers and employees available to provide technical assistance and \/ or taking other reasonable steps necessary to give effect to the warrant or lawful authority such as assisting with the lawful interception itself.<strong><br \/>\n<\/strong><\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Mobile communications and connected technologies \u2013 What are the principle standard setting organisations (SSOs) governing the development of technical standards in relation to mobile communications and newer connected technologies such as digital health or connected and autonomous vehicles?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are currently no SSOs or specific regulatory regimes governing the overall setting of technical standards in relation to mobile communications.\u00a0 In New Zealand, mobile network operators develop and maintain the standards that must be met for them to consent to connection to their networks.<\/p>\n<p>Radio Spectrum Management administers the radiocommunications regime in New Zealand.\u00a0 Regulations and notices under that regime establish a product compliance framework, including designating the performance standards that apply to all electrical, electronic and radio products.\u00a0 The applicable standards are outlined in the Radiocommunications (EMC Standards) Notice 2019 and Radiocommunications (Radio Standards) Notice 2023.<\/p>\n<p>Industries using connected technologies in New Zealand may also develop and manage their own standards.\u00a0 For example, Te Whatu Ora &#8211; Health New Zealand has established its own Health Information Standards Organisation, which sets non-binding data and digital standards for New Zealand&#8217;s health sector in line with international standards.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Mobile communications and connected technologies \u2013 How do technical standards facilitating interoperability between connected devices impact the development of connected technologies?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Technical standards facilitating interoperability in New Zealand are relatively limited and do not impact the development of connected technologies to any greater extent than applicable overseas standards.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Data Protection \u2013 Please summarise the principal laws (present or impending), if any, that govern data protection, including a brief explanation of the general purpose of those laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Privacy Act 2020 regulates the collection and processing of personal information.\u00a0 The purpose of the Privacy Act 2020 is to promote and protect individual privacy by:<\/p>\n<ul style=\"padding-left: 0\">\n<li>providing a framework for protecting an individual\u2019s right to privacy of personal information, including the right of an individual to access their personal information, while recognising that other rights and interests may at times also need to be taken into account; and<\/li>\n<li>giving effect to internationally recognised privacy obligations and standards in relation to the privacy of personal information, including the OECD Guidelines and the International Covenant on Civil and Political Rights.<\/li>\n<\/ul>\n<p>The Office of the Privacy Commissioner has also issued several codes of practice pursuant to the Privacy Act 2020, which become part of the law. These include codes in the areas of civil defence, credit reporting, health information, justice sector unique identifiers, superannuation scheme unique identifiers, and telecommunications information. A new Biometric Processing Privacy Code is also currently being prepared by the Office of the Privacy Commissioner (as described in more detail in item 23 below).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Data Protection \u2013 What is the maximum sanction that can be imposed by a regulator in the event of a breach of any applicable data protection laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The maximum fine under the Privacy Act 2020 is NZ$10,000. This is for a range of offences, including failure to comply with an access order, compliance notice or transfer prohibition notice, and failure to notify a privacy breach where required under the Privacy Act 2020.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Data Protection \u2013 Do technology contracts in your country typically refer to external data protection regimes, e.g. EU GDPR or CCPA, even where the contract has no clear international element?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Technology contracts in New Zealand typically require both parties to comply with the Privacy Act 2020 at a minimum.\u00a0 This applies even if the software vendor is EU GDPR, UK GDPR or CCPA compliant.\u00a0 The Privacy Act 2020 has a similar standard to the EU GDPR in some areas, including in respect of cross border transfers of personal information and mandatory breach reporting. However, in other areas a more permissive standard than the EU GDPR&#8217;s prescriptive requirements apply. This usually means that if a software vendor is EU or UK GDPR compliant, then it is likely that they will be Privacy Act 2020 compliant as well in most areas.<\/p>\n<p>If the customer provides the software vendor with personal information of European Union or United Kingdom residents, then customers may require the supplier to be EU GDPR and\/or UK GDPR compliant in addition to Privacy Act 2020 compliance.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Cybersecurity \u2013 Please summarise the principal laws (present or impending), if any, that govern cybersecurity (to the extent they differ from those governing data protection), including a brief explanation of the general purpose of those laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The New Zealand Cybersecurity Strategy 2019, while not law, outlines New Zealand&#8217;s priorities for improving cybersecurity for individuals, businesses and government agencies alike, through cybersecurity awareness, resilience, proactiveness and involvement in international discussion.<\/p>\n<p>In New Zealand, specific cybercrime is broadly criminalised under the Crimes Act 1961, as discussed in item 3.\u00a0 Additionally, while there is no principal regulation governing cybersecurity, certain New Zealand regulations which apply to components of cybersecurity such as data protection and network security, also apply more broadly to cybersecurity.\u00a0 For example, provisions under the Privacy Act 2020 including the requirement for agencies to protect personal information from loss, access, misuse and modification, and as discussed at item 13, provisions under TICSA that require notification and engagement with the Bureau on network security risks.<\/p>\n<p>New Zealand&#8217;s cyber-security agency, the National Cyber Security Centre, which is part of the Bureau, targets cybersecurity at a national level through its protection of New Zealand&#8217;s critical infrastructure from cyber threats.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Cybersecurity \u2013 What is the maximum sanction that can be imposed by a regulator in the event of a breach of any applicable cybersecurity laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The maximum sentence for a breach of the Crimes Act 1961 cybercrime provisions (sections 248 \u2013 252) is a term of 10 years imprisonment (see item 3).\u00a0 Failure to comply with the Privacy Act 2020 provisions can lead to fines of NZD10,000 per offence, notably for failures to report data breaches.\u00a0 Fines under TICSA can reach a maximum of NZD500,000.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Artificial Intelligence \u2013 Which body(ies), if any, is\/are responsible for the regulation of artificial intelligence?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no specific regulator of artificial intelligence (<strong>AI<\/strong>) in New Zealand. However, relevant laws that apply more broadly are regulated by the Office of the Privacy Commissioner and the Commerce Commission.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Artificial Intelligence \u2013 Please summarise the principal laws (present or impending), if any, that govern the deployment and use of artificial intelligence, including a brief explanation of the general purpose of those laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In New Zealand, there is currently no specific regulatory regime that regulates artificial intelligence (<strong>AI<\/strong>) but certain New Zealand legislation that applies more broadly to technology will apply to AI including the Privacy Act 2020, Human Rights Act 1993, and the Fair Trading Act 1986.<\/p>\n<p>The Government released an Algorithm Charter (<strong>Charter<\/strong>) in July 2020, which (among other things) requires signatory public agencies to use algorithms in an ethical, trustworthy way. The Algorithm Charter applies only to public sector agencies that have signed up to it.<\/p>\n<p>The Office of the Privacy Commissioner (<strong>OPC<\/strong>) is currently preparing to issue a Biometric Processing Privacy Code (<strong>Biometrics Code<\/strong>). The Biometrics Code will apply to agencies that collect and use biometric information (such as fingerprints or facial images) to verify, identify or categorise individuals using\u00a0automated\u00a0processing.\u00a0 However, it will not apply to the biometric processing activities of health agencies or biometric information collected or held by health agencies, and there are some limited exceptions for intelligence and security agencies.\u00a0The Privacy Commissioner has indicated that a final version of the Biometrics Code will be issued mid-2025.<\/p>\n<p>The New Zealand Government has indicated that it has a low appetite for AI-specific regulation in New Zealand. In a Cabinet Paper dated 25 July 2024 the current Government stated that it will take a &#8220;light-touch, proportionate and risk-based approach&#8221; to AI regulation. The Government confirmed this approach in its National AI Strategy, which was released in July 2025. Accordingly, it is expected that there will be very limited AI-focused regulation in New Zealand in the near future (if any).<\/p>\n<p>The Government has also recently released &#8220;Responsible AI Guidance for the Public Service&#8221; and a &#8220;Public Sector AI Framework&#8221; to support public sector agencies in using AI.\u00a0 The guidance builds on the interim public sector guidance released in 2023 and, alongside the Public Service AI Framework, forms part of the National AI Strategy mentioned above. In July 2025, the Government also released Responsible AI Guidance for Businesses to provide guidance in the private sector on a voluntary basis.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Artificial Intelligence \u2013 Are there any specific legal provisions (present or impending) in respect of the deployment and use of Large Language Models and\/or generative AI (including agentic AI)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no specific regulatory regime that regulates generative AI. However, the comments at item 23 will also apply to generative AI. In addition, the Office of the Privacy Commissioner has released practical guidance on the use of generative AI by New Zealand organisations. While the guidance is limited to generative AI, it is also relevant to the use of other AI tools.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Artificial Intelligence \u2013 Do technology contracts in your jurisdiction typically contain either mandatory (e.g. mandated by statute) or recommended provisions dealing with AI risk? If so, what issues or risks need to be addressed or considered in such provisions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are currently no mandatory provisions dealing with AI-specific risks in New Zealand. Customers of AI systems in New Zealand will generally expect the supplier to provide assurances in respect of key AI risks such as bias, copyright infringement, human oversight and transparency. Contracts also typically deal with other key matters such as privacy and data protection, adherence to specifications or published documentation, and IP ownership in outputs. However, whether technology contracts relating to AI systems address AI-specific risks will depend on a range of factors including the nature of the AI system and its intended use.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Artificial Intelligence \u2013 Do software or technology contracts in your jurisdiction typically contain provisions regarding the application or treatment of copyright or other intellectual property rights, or the ownership of outputs in the context of the use of AI systems?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Technology contracts dealing with AI systems in New Zealand typically address the ownership of intellectual property rights in the AI system and in the output produced by the AI system. The supplier will typically retain rights in the underlying AI system unless it has been commissioned as a bespoke offering for the customer. The customer will typically own the output of an AI system and be responsible for its use (including compliance with applicable laws in connection with such use). However, this position varies depending on various factors including those discussed at item 25.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Blockchain \u2013 What are the principal laws (present or impending), if any, that govern (i) blockchain specifically (if any) and (ii) digital assets, including a brief explanation of the general purpose of those laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>New Zealand lacks targeted legislation that governs blockchain or digital assets alone. Instead, digital assets and services related to digital assets in New Zealand are regulated by existing, technology neutral legislation. Given that the rights and functions created in respect of digital assets are flexible, each asset or service associated with digital assets will be regulated according to its specific properties.\u00a0 The two regimes most relevant to blockchain and digital assets are those which govern financial products under the FMCA and the AML\/CFT Act.<\/p>\n<p>The FMCA is the principal piece of legislation that regulates financial products. The FMCA:<\/p>\n<ul style=\"padding-left: 0\">\n<li>imposes fair dealing obligations on conduct in both the retail and wholesale financial markets;<\/li>\n<li>sets out the disclosure requirements for offers of financial products;<\/li>\n<li>set out a regime of exclusions and wholesale investor categories in connection with the disclosure requirements;<\/li>\n<li>set out the governance rules that apply to financial products; and<\/li>\n<li>impose licensing regimes.<\/li>\n<\/ul>\n<p>Whether the more onerous requirements of the FMCA apply in relation to a specific digital asset depends on whether that digital asset meets the definition of &#8220;financial product&#8221; as set out in the FMCA.<\/p>\n<p>The AML\/CFT Act sets out a range of anti-money laundering obligations (such as customer due diligence) which applies to reporting entities.\u00a0 The definition of reporting entity includes virtual asset service providers, which means that service providers in relation to digital assets are typically subject to obligations under that legislation.\u00a0 The primary purpose of that legislation is to deter and detect money laundering and the financing of terrorism.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Search Engines and Marketplaces \u2013 Please summarise the principal laws (present or impending), if any, that govern search engines and marketplaces, including a brief explanation of the general purpose of those laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no specific regulation of search engines and marketplaces. General consumer protection and privacy laws apply (e.g. Fair Trading Act 1986, Consumer Guarantees Act 1993, and the Privacy Act 2020 and Privacy Regulations 2020).<\/p>\n<p>New Zealand consumer law applies to goods or services provided to people in, or business carried out in, New Zealand.\u00a0 The Commerce Commission can regulate such activities, and in doing so can initiate enforcement action against residents of other countries.\u00a0 The Privacy Act 2020 is discussed above.<\/p>\n<p>The Harmful Digital Communications Act 2013, as discussed in item 3, applies to online content hosts (including any organisation that hosts websites or social media platforms in New Zealand).\u00a0 Online content hosts may be civilly or criminally liable for the content that is on their website unless they follow a prescribed process, which requires complaints to be received and dealt with in a prescribed way.<\/p>\n<p>In 2019, New Zealand developed the Christchurch Call, which is an action plan that commits government and tech companies to a range of measures in an attempt to make the internet safer. This includes developing tools to prevent the upload of violent content and increasing transparency around the removal and detection of content. The Christchurch Call is not binding, and there are no legal consequences for parties that fail to comply.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Social Media \u2013 Please summarise the principal laws (present or impending), if any, that govern social media and online platforms, including a brief explanation of the general purpose of those laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Our comments in relation to search engines and marketplace in item 28 also apply to social media.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Social Media \u2013 What is the maximum sanction that can be imposed by a regulator in the event of a breach of any applicable online safety laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Sanctions under general consumer protection and privacy laws can differ greatly depending on the relevant provision breached.\u00a0 Under the Harmful Digital Communications Act 2013, a person who causes harm by posting digital communication is liable on conviction to imprisonment for up to 2 years or a fine up to NZD50,000 in the case of an individual, or a fine up to NZD200,000 in the case of a body corporate.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Spatial Computing \u2013 Please summarise the principal laws (present or impending), if any, that govern spatial computing, including a brief explanation of the general purpose of those laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no specific regulations pertaining to spatial computing in New Zealand.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Quantum Computing \u2013 Please summarise the principal laws (present or impending), if any, that govern quantum computing and\/or issues around quantum cryptography, including a brief explanation of the general purpose of those laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no specific regulations pertaining to quantum computing in New Zealand.\u00a0 However, given that quantum computing has the potential to compromise cryptographic systems, existing legislation such as the Crimes Act 1961 and the Privacy Act 2020 will likely have application to issues created by quantum computing and cryptography.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Datacentres \u2013 Does your jurisdiction have any specific regulations that apply to data centres?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>New Zealand does not have legislation that specifically applies to datacentres.\u00a0 However, due to the importance of data sovereignty, general information protection regulations under the Privacy Act 2020, as discussed at item 17 above, apply more broadly to datacentres.<\/p>\n<p>TICSA also has limited application to datacentres.\u00a0 Datacentres that provide \/ make available telecommunications services are considered &#8220;service providers&#8221; under TICSA and therefore, when required, must assist with the lawful interception of telecommunications.<\/p>\n<p>The International Organization for Standardization&#8217;s (&#8220;<strong>ISO<\/strong>&#8220;) international standard 27001 guides best practice for information security management.\u00a0 While adherence to this standard provides credibility for datacentres, it is not mandatory.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">General \u2013 What are your top 3 predictions for significant developments in technology law in the next 3 years?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Our top 3 predictions for significant developments in technology law in New Zealand in the next 3 years are as follows:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li><strong>New legislation: <\/strong>New legislation currently being considered by the Government and certain new legislation that has recently come into effect may have a significant impact on technology law in New Zealand:\n<ol style=\"padding-left: 5\" type=\"i\">\n<li><strong>Customer and Product Data Act: <\/strong>The Customer and Product Data Act (&#8220;<strong>Act<\/strong>&#8220;) was passed into law and came into force in March 2025 \u2013 forming New Zealand&#8217;s consumer data right (CDR) framework. Once implemented, the CDR will provide individuals and businesses with a statutory ability to require data holders to share information held about them with trusted third parties and the ability to require them to carry out some form of action on the relevant individual&#8217;s or businesses&#8217; behalf. The Government has confirmed that the banking sector will be the first sector to be designated in-scope of the CDR and has consulted on whether the electricity sector should be designated next. The Ministry of Business, Innovation and Employment has confirmed that the banking regulations to be issued under the Act are expected to be in force from December 2025.<\/li>\n<li><strong>Digital Identity Trust Framework: <\/strong>The Digital Identity Trust Framework Act 2023 (<strong>Act<\/strong>) will impact the provision and receipt of digital identity services in New Zealand. The core objective of the Act is to help develop digital identity services that are trusted and people-centric. While the primary obligations in the Act will be on digital identity service providers on an opt-in basis, it will also have an impact on individuals and organisations in the digital identity ecosystem, including banks, government agencies, utility and telecommunications providers. The rules that will apply to digital identity service providers who opt-in to the framework are still in development.<\/li>\n<\/ol>\n<\/li>\n<li><strong>Regulation of Biometrics:<\/strong> The Office of the Privacy Commissioner (<strong>OPC<\/strong>) is expected to release a final version of the Biometrics Code mid-2025. Refer to our comments at item 23.<\/li>\n<li><strong>AI roadmap\/risk management: <\/strong>As part of the National AI Strategy, the New Zealand Government released the &#8220;Responsible AI Guidance for the Public Service: GenAI&#8221; to assist public sector agencies in using AI in a safe and responsible way, as discussed at item 23. The Government also released private sector guidance in July 2025 (as discussed at item 23). While non-binding, both sets of guidance are likely to be influential on industry standards in the public and private sectors. Both sets of guidance reflect a low appetite for regulating AI in New Zealand, encourage the adoption and use of AI by New Zealand organisations, and clarify the Government&#8217;s expectations in terms of key considerations when using and implementing AI systems.<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">General \u2013 Do technology contracts in your country commonly include provisions to address sustainability \/ net-zero obligations or similar environmental commitments?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Organisations that are subject to net-zero obligations or environmental commitments under law or internal policies may request their suppliers to comply with certain environmental, social and governance (ESG) requirements.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\r\n<div class=\"word-count-hidden\" style=\"display:none;\">Estimated word count: <span class=\"word-count\">6511<\/span><\/div>\r\n\r\n\t\t\t<\/ol>\r\n\r\n<script type=\"text\/javascript\" src=\"\/wp-content\/themes\/twentyseventeen\/src\/jquery\/components\/filter-guides.js\" async><\/script><\/div>"}},"_links":{"self":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide\/109882","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide"}],"about":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/types\/comparative_guide"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/media?parent=109882"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}