Since its enactment in 1993 as amended in 1994, Section 189 of the Companies Act 1993 has required registered companies to store specified internal records at the company's registered office (which must be an address in New Zealand) or another place in New Zealand at least for seven years after giving notice to the Registrar of Companies. These records include minutes of all meetings and resolutions of shareholders, minutes of all meetings and resolutions of directors and directors' committees, certificates given by directors under the Act, and copies of all written communications to all shareholders or all holders of the same class of shares.
Furthermore, under the same provision, the following records are subject to a minimum retention period of seven completed accounting periods of the company: copies of all financial statements and group financial statements required to be completed under the Act and accounting records.
Despite this local storage requirement, Section 456 of the Financial Markets Conduct Act allows reporting entities to keep accounting records outside New Zealand if specific documents are kept in New Zealand, such as the financial statements of any reporting entity and registered scheme it manages and any document annexed to those financial statements that gives legally required information. The Act does not otherwise prohibit cross-border data transfers.

The new Privacy Act 2020, which entered into force in December 2020, creates a conditional flow regime. Information Privacy Principle 12 in Section 22 of the Act governs cross-border data transfer. A business or organisation may only disclose personal information to another organisation outside New Zealand if the receiving organisation:
- is subject to the Privacy Act because they do business in New Zealand;
- is subject to privacy laws that provide comparable safeguards to the Privacy Act - or they agree to protect the information in such a way (e.g., by using model contract clauses), or
- is covered by a binding scheme or is subject to the privacy laws of a country prescribed by the New Zealand Government.
If none of these conditions is satisfied, a business may only make a cross-border disclosure with the permission of the data subject.
This regime does not apply to an overseas organisation that holds or processes on the business's behalf (e.g., cloud service providers).
Still, despite the IPP 12, a business may make a cross-border disclosure in urgent circumstances where it is necessary to maintain public health or safety or for the maintenance of the law.
This regime does not affect or limit other New Zealand law that regulates the availability of personal information (Section 24).

Since its enactment in 2018, Section 354 of the Customs and Excise Act 2018 has required businesses importing and exporting from New Zealand to keep specific records in New Zealand for at least 7 years unless an exemption applies. However, the Act exempts companies from this requirement for certain records of companies importing or exporting if they apply to and are authorised by the Chief Executive of the New Zealand Customs Service to keep the prescribed records with a specific person outside New Zealand (Section 355).
Section 354 states that (1) Every specified person must (a) keep at a specified place, or cause to be kept at a specified place, any prescribed records for the prescribed period; and (...); (2) The period prescribed for subsection (1)(a) must not exceed 7 years; (3) (...) specified place means (a) a place in New Zealand; or (b) a place outside New Zealand if, (i) after making an application under section 355(1), the specified person is authorised to keep the prescribed records, or to cause the prescribed records to be kept, at that place; or (ii) after making an application under section 355(2), another person is authorised to keep the prescribed records for the specified person at that place.

New Zealand has joined agreements with binding commitments to open transfers of data across borders: the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP, Art. 14.11), the Digital Economy Partnership Agreement Between Singapore, Chile and New Zealand (DEPA, Art. 4.3), the Free Trade Agreement between the United Kingdom of Great Britain and Northern Ireland and New Zealand [Art.15.4(2)], and the EU-New Zealand Free Trade Agreement (Chapter 12, Art. 12.4)

The Privacy Act 2020 provides a comprehensive regime of data protection in New Zealand. It repeals and replaces the Privacy Act 1993 and contains 13 Information Privacy Principles (IPP) that govern the use of personal information in the country. The Act requires agencies to appoint at least one privacy officer, report data breaches that cause or are likely to cause serious harm, and provide data subjects with both the right to access and the right to request correction of their personal information. In addition, the new IPP 12 provides that an organisation or business may only disclose personal information to an agency outside of New Zealand if the receiving agency is subject to similar safeguards to those in the Act. Furthermore, the Act introduces new criminal penalties, punishable with fines of up to NZD 10,000 (approx. USD 6,000) and allows the Office of the Privacy Commissioner of New Zealand to issue compliance notices and enforceable access directions.

New Zealand has ratified the World Intellectual Property Organization (WIPO) Performances and Phonograms Treaty.

Trade secrets are not statutorily protected under New Zealand civil law, but they may be protected by contract and through a common law breach of confidence action. Under Section 230 of the Crimes Act 1961, misappropriation of a trade secret, with the intent to obtain a financial or economic advantage or to cause loss to another, is a crime punishable by up to five years in prison. In addition, the crime of accessing a computer system for a dishonest purpose to obtain property may apply to digital files, which is punishable by up to seven years in prison (Section 249).

It is reported that there is no obligation for passive infrastructure sharing in New Zealand to deliver telecom services to end users. However, it is practised in both the mobile and fixed sectors based on commercial agreements.

It is reported that New Zealand does not mandate accounting separation for operators with significant market power (SMP) in the telecom market. However, Under the Telecommunications Act, functional separation is mandated for operators with significant market power.

Interconnection with and pricing to networks are regulated under Schedule 1 of the Telecommunications Act 2001. The 2011 amendments to the Telecommunications Act introduced information disclosure requirements for the companies building the ultrafast broadband fibre network and Chorus. The companies are required to meet annual reporting requirements, assurance requirements, certificates and statutory declarations, and data retention requirements.

The Telecommunications (Interception Capability and Security) Act 2013 creates upon a network operator 1) a duty to implement full interception capability (Section 9) and 2) a duty to assist a surveillance agency upon an inception warrant or any other lawful interception authority (Section 24). In order to comply with the assistance duty, a network operator must decrypt telecommunication on that operator’s public telecommunications network or telecommunications service "if (a) the content of that telecommunication has been encrypted; and (b) the network operator intercepting the telecommunication has provided that encryption."
However, this does not require a network operator to "(a) decrypt any telecommunication on that operator’s public telecommunications network or telecommunications service if the encryption has been provided by means of a product that is (i) supplied by a person other than the operator and is available to the public or (ii) supplied by the operator as an agent for that product; and (b) ensure that a surveillance agency has the ability to decrypt any telecommunication.
Nevertheless, the existence of these duties together practically means that network operators cannot design and implement end-to-end encryption. A joint communique called International Statement - End-to-End Encryption and Public Safety - expressed concern about the challenges that end-to-end encryption will pose to law enforcement but at the same time acknowledged privacy, cybersecurity, and intellectual property protection. The government' stated that it is committed to collaborating with the industry to develop "reasonable proposals" on this issue.

New Zealand has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

It has been reported that New Zealand lacks a telecommunications authority whose decision-making process is entirely independent of government influence. The Ministry of Business, Innovation and Employment (MBIE) is responsible for shaping the telecommunications regulatory framework, which includes establishing the rules governing the operations of telecommunications companies and ensuring product compliance. In addition, the New Zealand Commerce Commission plays a key role in overseeing competition within the telecommunications sector and regulating certain services. It holds the authority to recommend whether services should be regulated or deregulated. As an independent statutory body, the Commission is tasked with enforcing the Commerce Act and is primarily accountable to the Minister of Commerce and Consumer Affairs for its operational performance and outcomes. The Commission may also set terms and conditions, including pricing, for regulated services through Standard Terms Determinations. Furthermore, it possesses the power to mandate the availability of industry-wide services, such as number portability, impose information disclosure obligations, and implement structural remedies, including the separation of services. Although the Commerce Commission operates independently, the Minister for Communications retains the authority to accept or reject the Commission's recommendations on regulating or deregulating services. Additionally, the Minister may issue a "statement of economic policy," which the Commission is required to consider in its decision-making process.

Since its enactment in 1994, Section 22.2 of the Tax Administration Act 1994 has required certain classes of taxpayers to keep and retain specified records related to their tax liability in New Zealand for at least seven years unless an exception applies so that the Commissioner of Inland Revenue may assess the taxpayer's tax liability. Under Section 22.5, the Commissioner of Inland Revenue may extend three additional years for an additional audit or investigation. Taxpayers are exempt from the local storage requirements under Section 22(8)-(9) if authorised by the Commissioner of Inland Revenue. This requirement has been in place since its enactment in 1994.
Pursuant to this section, Revenue Alert 10/02, which was issued in 2010 by the Commissioner of Inland Revenue but did not reflect its final position, provides that "[t]taxpayers are responsible for ensuring they comply with their record-keeping obligations. Therefore, taxpayers using a cloud computing service will need to be satisfied that all their business records will be [also] stored in data centres located in New Zealand."

Since its enactment in 1985, Section 75 of the Goods and Services Tax Act 1985 has required registered entities to keep and retain specified tax-related records for at least seven years in New Zealand unless an exemption applies so that the Commissioner of Inland Revenue may assess the entity's goods and services tax liability. Under Section 75.5, which was inserted in 1992, the Commissioner of Inland Revenue may require taxpayers to retain such data for an additional period of 3 years in cases of a further audit or investigation. Taxpayers are also exempt from the local storage requirement if authorised by the Commissioner as long as the Commissioner imposes reasonable conditions under Section 75(6)-(7). This requirement has been in place since its enactment in 1985.
Pursuant to this section, Revenue Alert 10/02, which was issued in 2010 by the Commissioner of Inland Revenue but did not reflect its final position, provides that "[t]taxpayers are responsible for ensuring they comply with their record-keeping obligations. Therefore, taxpayers using a cloud computing service will need to be satisfied that all their business records will be [also] stored in data centres located in New Zealand."