This country-specific Q&A provides an overview of technology, media and telecom laws and regulations that apply in New Zealand.
This Q&A is part of the global guide to TMT. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/practice-areas/tmt-3rd-edition/
What is the regulatory regime for technology?
Telecommunications networks and services are subject to access and network security regulation – but no licences or authorisations are required to provide telecommunications services in New Zealand.
The Telecommunications Act 2001 ("Telecommunications Act") regulates telecommunications services. Certain designated services (such as the unbundled local loop and unbundled bitstream access) are subject to access regulation, under which the Commerce Commission ("Commission") can set standard terms of supply – including prices. The regime covers copper network and mobile telecommunications services.
Following recent amendments to the Telecommunications Act, the Commission is working to establish a new regulatory regime for ultra-fast broadband ("UFB") fibre networks, modelled on "building blocks" regulation used for other utilities. Chorus (the owner of the majority of the UFB fibre network infrastructure in New Zealand) will be subject to price-quality regulation for its regulated fibre services, and other local fibre companies will be subject to information disclosure regulation. The regime is expected to be implemented by 1 January 2022. In the meantime, UFB services (including prices) are governed by contracts between the Crown and service providers.
Telecommunications network operators have obligations to maintain interception capability and network security under the Telecommunications (Interception Capability and Security) Act 2013 ("TICSA"). Under TICSA, network operators are required to notify the Government Communications Security Bureau ("GCSB") of any changes that could present a security risk, and the GCSB and Ministers have powers to prevent proposed changes if they believe there is a significant security risk.
Radiocommunications are regulated separately under the Radiocommunications Act 1989 ("Radiocommunications Act") and the Radiocommunications Regulations 2001 ("Radiocommunications Regulations"), whereby it is unlawful to transmit radio waves without an appropriate licence. Licensing is managed by Radio Spectrum Management ("RSM").
Are communications networks or services regulated?
Is there any specific regulator for the provisions of communications-related services?
The Commission regulates the competition and consumer aspects of the telecommunications industry. The two primary functions of the Commission are:
- to regulate the supply of certain fixed-line and mobile services through determining price and minimum terms of access (as above); and
- to monitor competition and consumer quality.
The Telecommunications Commissioner is appointed to have specific responsibility for the Telecommunications sector. The Commission is an Independent Crown Entity under the Crown Entities Act 2004 – the class of entity that is most independent from Government. The Commission is required to have regard to government policy directions when exercising its powers, but is statutorily required to exercise its functions and powers independently. Commissioners are appointed by the Governor-General of New Zealand on advice of the responsible Minister of Government.
Radio Spectrum Management ("RSM") is the division of the Ministry of Business, Innovation and Employment ("MBIE") responsible for managing non-competition aspects of radio spectrum in New Zealand. As RSM is a branch of MBIE, it is subject to policy direction from and decision-making by the relevant Minister, but its day-to-day operational functions are exercised independently.
Are they independent of government control?
See question above.
Are platform providers (social media, content sharing, information search engines) regulated?
There is no specific regulation of platform providers. General consumer protection and privacy laws apply (e.g. Fair Trading Act 1986 ("Fair Trading Act"), Consumer Guarantees Act 1993 ("Consumer Guarantees Act"), and the Privacy Act 1993 ("Privacy Act")).
New Zealand consumer law applies to goods or services provided to people in, or business carried on in, New Zealand. The Commission can regulate such activities, and in doing so can initiate enforcement action against residents of other countries. The Privacy Act is discussed below.
The Harmful Digital Communications Act 2013 applies to online content hosts (including any organisation that hosts websites or social media platforms in New Zealand). Online content hosts may be civilly or criminally liable for the content that is on their website unless they follow a prescribed process, which requires complaints to be received and dealt with in a prescribed way.
If so, does the reach of the regulator extend outside your jurisdiction?
Does a telecoms operator need to be domiciled in the country?
There is no requirement for a telecommunications operator to be domiciled in New Zealand.
Are there any restrictions on foreign ownership of telecoms operators?
While there are no foreign ownership restrictions specific to the telecommunications sector, the Overseas Investment regime may restrict the ability of foreign persons to control telecommunications network operators. Overseas persons wishing to invest in significant business assets or sensitive land in New Zealand may have to obtain consent from the Overseas Investment Office to do so.
Are there any regulations covering interconnection between operators?
Certain interconnection services (such as mobile termination access and PSTN interconnection) are regulated under the access regime described above. Regulation applies equally to all providers of the regulated service.
Generally, interconnection is governed by commercial arrangements and industry-led regulation, which is based on codes drafted by the New Zealand Telecommunications Forum ("TCF"). Existing codes addressing operator interconnection include end-user transfer between retailers, IP interconnection, co-siting, premises wiring, interconnection of mobile phone services, public services (such as emergency calling and interception capability) and consumer-related services.
If so are these different for operators with market power?
What are the principal consumer protection regulations that apply specifically to telecoms services?
The TCF has established a number of codes for the protection of consumers, in areas such as:
- broadband product disclosure;
- customer complaints;
- customer transfer; and
- disconnection policies.
Recent amendments to the Telecommunications Act have enhanced the duties of the Commission to monitor and report on retail service quality in telecommunications markets.
Otherwise, general consumer protection laws apply.
What legal protections are offered in relation to the creators of computer software?
Computer software can be legally protected in two key ways:
Copyright: Copyright protects original works and arises automatically. The underlying source code or machine-readable translation of the object code of original software may be protected by copyright, under the Copyright Act 1994. The duration of protection depends on the category of the work the copyright subsists in.
Patents: Following successful application, patents allow the creator of a new invention exclusive use of that invention for up to 20 years and the ability to bring an action against anyone who infringes on that right. Software "as such" is excluded from protection under the Patents Act 2013 if the actual contribution made by the alleged invention lies solely in it being a computer program. However, if the "actual contribution" of the software is part of a redevelopment or improvement of the qualities or features of a machine, the software may be patentable. For example, software which enables a washing machine to use less water or electricity while achieving the same or better performance could be patentable.
Do you recognise specific intellectual property rights in respect of data/databases?
There are no specific intellectual property rights which apply to data/databases. However, provided a database is original, it is eligible for copyright protection as a literary work.
What key protections exist for personal data?
The Privacy Act regulates the collection and processing of personal information. The Privacy Act currently contains twelve Information Privacy Principles (the "Principles") which apply to "personal information" (being information about an identifiable individual). The Principles relate to the manner and purpose of collection, storage, access, use, retention, disclosure and deletion of personal information. The consent of the individual concerned is not always required for the collection and processing of personal information, but it must always be lawfully obtained and managed in accordance with the terms of the Privacy Act.
The Privacy Act applies to "agencies", a term that is defined very broadly and would capture government agencies as well as private organisations.
In addition to the above, agencies providing personal or public health or disability services are also subject to the Health Information Privacy Code 1994, which includes specific rules regarding the processing of health information.
A Bill to amend the Privacy Act is currently before Parliament. Key proposed changes include:
- the introduction of a mandatory breach notification regime for certain privacy breaches;
- specific reference to overseas agencies, bringing them within the coverage of the Privacy Act to the extent they undertake regulated activities in the course of carrying on business in New Zealand; and
- clarification that the Privacy Act will apply to all actions by a New Zealand agency, whether inside or outside of New Zealand.
Europe's GDPR may also be applicable to organisations operating in New Zealand where their activities fall within its jurisdiction.
Are there restrictions on the transfer of personal data overseas?
The Privacy Commissioner may prohibit a transfer of personal information from New Zealand to another state if the Commissioner is satisfied, on reasonable grounds, that the information has been, or will be, received in New Zealand from another state and is likely to be transferred to a third state where it will not be subject to a law providing comparable safeguards to the Privacy Act, and the transfer would be likely to lead to a contravention of the relevant OECD Guidelines.
The Privacy Bill, once enacted, will further restrict international transfers of personal information, such that international transfers shall only be permitted in circumstances where the agency is satisfied that either the destination jurisdiction has similar levels of protection for that personal information as New Zealand, or that the individual concerned has otherwise consented to the export after being informed that their personal information may not be as strongly protected as it would be under New Zealand law. The export of data to cloud service providers is expressly excluded from this clause of the Privacy Bill.
What is the maximum fine that can be applied for breach of data protection laws?
The maximum fine under the Privacy Act is NZ$10,000 for failure to comply with a transfer prohibition notice, or NZ$2,000 for a range of other offences. The Privacy Bill proposes to increase the maximum penalty for a broader range of offences to NZ$10,000.
What additional protections have been implemented, over and above the GDPR requirements?
Privacy law in New Zealand is currently under review. It is likely to be brought up to a similar standard as the GDPR in some areas, and in other areas a more permissive standard than the GDPR's prescriptive requirements will continue to apply.
Are there any regulatory guidelines or legal restrictions applicable to cloud-based services?
New Zealand has not enacted any cloud-specific legislation. However, general laws will nonetheless apply (for example, the Privacy Act).
Are there specific requirements for the validity of an electronic signature?
The Contract and Commercial Law Act 2017 sets out specific rules regarding the validity of electronic signatures in instances where the signature is required by law. In these circumstances, the law generally recognises an electronic signature as valid if it adequately identifies the signatory, adequately indicates the signatory's approval of the information to which the signature relates and is appropriately reliable given the purpose for which, and the circumstances in which, the signature is required. If the legal requirement for a signature relates to information legally required to be given to a person, the recipient of that information must consent to receiving an electronic signature for such signature to be valid. The Act also contains a presumption as to the reliability of an electronic signature, essentially being a description of an effective digital signature.
There are some signatures required under law for which an electronic signature will not be valid, such as affidavits, statutory declarations, wills or other testamentary instruments.
Where the signature is not required by law, there are no specific requirements for a valid electronic signature; however, it is good practice nonetheless to apply the statutory standard described above.
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
New Zealand does not have specific legislation relating to transfers of employees, assets or third party contracts if an organisation outsources its IT services. Where necessary, this issue would be dealt with through contract.
If a software program which purports to be a form of A.I. malfunctions, who is liable?
To the extent that that malfunctioning causes personal injury, there is unlikely to be any liability due to the existence of New Zealand's no-fault accident compensation scheme (known as "ACC").
Where AI is part of products or services which are sold to consumers, liability for malfunction will be subject to New Zealand consumer law, such as the Consumer Guarantees Act and the Fair Trading Act. The obligations these Acts impose are discussed above.
Given the extent to which AI often relies on the processing of data (including personal information) liability under the Privacy Act is also possible in circumstances where AI malfunctions. In that scenario, the relevant agency holding or processing the personal information would be liable where a privacy breach occurred, and may also be subject to mandatory breach notification obligations (if that part of the Privacy Bill is enacted).
Outside of obligations at law, liability for defects would ordinarily be negotiated between contractual counterparties and managed through the terms of the applicable contract.
What key laws exist in terms of: (a) obligations as to the maintenance of cybersecurity; (b) and the criminality of hacking/DDOS attacks?
a) obligations as to the maintenance of cybersecurity; and
There are no specific laws relating to the maintenance of cybersecurity.
Under the Privacy Act, an agency holding personal information must ensure that it is protected by security safeguards which are reasonable in the circumstances to take against loss, unauthorised access, use, modification or disclosure or other misuse.
Other more general obligations may also be relevant, for example the Companies Act 1993 obliges directors of companies to exercise due care, skill and diligence in undertaking their role. For most companies, reliance on technology and data is business critical, meaning that the management of cyber risk is likely to form part of a director's obligations under this duty.
b) the criminality of hacking/DDOS attacks?
Under New Zealand criminal law, it is an offence to:
- intend to access, or to access, a computer system dishonestly or by deception;
- intentionally or recklessly destroy, damage or alter a computer system knowing, or where one ought to know, that danger to life is likely to result;
- intentionally or recklessly and without authorisation:
  - damage, delete or otherwise interfere with or impair any data or software in a computer system;
  - cause any of the above to occur; or
  - cause any computer system to fail, or to deny service to any authorised users; or
- access a computer system without authorisation.
These sections are drafted very widely and cover hacking and distributed denial of service. The maximum penalties under these offences include a prison term not exceeding 10 years.
What technology development will create the most legal change in your jurisdiction?
In New Zealand, the most legal change is unlikely to be caused by a single technological development, but rather by the combined general trend toward the digitalisation and automation of previously manual processes, the increasingly connected nature of the world around us and the increasing prevalence of intelligent algorithms. This combined wave of development inevitably involves a tension between efficiency gains, utility and innovation on the one hand and the protection of individuals' safety, privacy and basic human rights on the other. This is, in our view, likely to cumulatively result in the most significant legal changes in New Zealand in this area.
Which current legal provision/regime creates the greatest impediment to economic development/ commerce?
From a TMT perspective, there is not one particular provision or regime that specifically hinders economic development and commerce in New Zealand. It is more often the case that innovators feel they have a lack of certainty as to accepted practices and guidelines in relation to the development and implementation of new or emerging technologies, with such uncertainty acting as, in some cases, an impediment to innovation and development.
Do you believe your legal system specifically encourages or hinders digital services?
New Zealand has cultivated a fairly permissive regime in its approach to digital services, which is likely to encourage use and development. Laws are often drafted in a way that is technology-neutral and regulators tend to be conscious of encouraging, rather than hindering, digital services. Having said that, as noted above, many innovators are demanding more certainty around a legal framework specifically designed to deal with the unique issues arising in the digital arena.
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?
Traditional legal doctrines have coped fairly well with technological developments historically and it is likely that the New Zealand judiciary will remain flexible and responsive when interpreting the law in relation to new technologies. Regulators and legislators tend to opt for technology-neutral responses to issues, to avoid new laws and regulations becoming quickly outdated or being likely to cause unanticipated issues.
Some new issues which may arise as a result of AI could already be dealt with through existing practices and legal principles. For example, if artificial intelligence were to cause personal injury (such as accidents involving autonomous vehicles), this could be dealt with under New Zealand's existing no-fault ACC regime.
However, as noted above, there are very few instances where the legal system has sought to specifically legislate or regulate AI, meaning that we are unlikely to be well-placed to deal with issues arising from artificial intelligence which are unique and not readily able to be resolved by reference to traditional laws and legal principles. For example, legal responsibility has historically rested with persons or organisations, determined by reference to principles such as causation and remoteness. This approach has limits in the context of AI because, as artificial intelligence continues to develop, it is foreseeable that there could be circumstances where a loss has been caused with minimal and/or remote human or organisational involvement. Continuing to attribute liability in the way we currently do could therefore eventually lead to unfair or unexpected outcomes, which, although currently untested, the law does not appear to yet be well-placed to deal with.