Under the Harmful Digital Communications Act 2015, an online content host is not per se liable for illegal content posted by its user and consequently hosted on the platform. Section 24 provides a process that an Internet service provider should take to obtain protection against liability for specific content. However, the lack of the process specified in Section 24 does not itself create any civil or criminal liability for hosting the illegal content (Section 23).

The Privacy Act 2020 provides that "[a]n agency must appoint as privacy officers for the agency one or more individuals" (Section 201).

The Privacy Act 2020 provides a comprehensive regime of data protection in New Zealand. It repeals and replaces the Privacy Act 1993 and contains 13 Information Privacy Principles (IPP) that govern the use of personal information in the country. The Act requires agencies to appoint at least one privacy officer, report data breaches that cause, or are likely to cause, serious harm, and provides data subjects with both the right to access and the right to request correction of their personal information. In addition, the new IPP 12 provides that an organisation or business may only disclose personal information to an agency outside of New Zealand if the receiving agency is subject to similar safeguards to those in the Act. Furthermore, the Act introduces new criminal penalties, punishable with fines of up to NZD 10,000 (approx. USD 6,000) and allows the Office of the Privacy Commissioner of New Zealand to issue compliance notices and enforceable access directions.

New Zealand has joined agreements with binding commitments to open transfers of data across borders: the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP, Art. 14.11), and the Free Trade Agreement between the United Kingdom of Great Britain and Northern Ireland and New Zealand [Art.15.4(2)].

The new Privacy Act 2020 which entered into force in December 2020 creates a conditional flow regime. Information Privacy Principle 12 in Section 22 of the Act governs cross-border data transfer. A business or organization may only disclose personal information to another organization outside New Zealand if the receiving organization:
- is subject to the Privacy Act because they do business in New Zealand;
- is subject to privacy laws that provide comparable safeguards to the Privacy Act - or they agree to protect the information in such a way (e.g., by using model contract clauses), or
- is covered by a binding scheme or is subject to the privacy laws of a country prescribed by the New Zealand Government.
If none of these conditions is satisfied, a business may only make a cross-border disclosure with the permission of the data subject.
This regime does not apply to an overseas organization to hold or process on the business's behalf (e.g., cloud service providers).
Still, despite the IPP 12, a business may make a cross-border disclosure in urgent circumstances where it is necessary to maintain public health or safety or for the maintenance of the law.
This regime does not affect or limit other New Zealand law that regulates the availability of personal information (Section 24).

Since its enactment in 2018, Section 354 of the Customs and Excise Act 2018 has required businesses importing and exporting from New Zealand to keep specified records in New Zealand at least for seven years unless an exemption applies. However, the Act exempts companies from this requirement for certain records of companies importing or exporting if they apply to and are authorized by the Chief Executive of the New Zealand Customs Service to keep the prescribed records with a specific person outside New Zealand (Section 355).

Section 354 states that (1) Every specified person must: (a) keep at a specified place, or cause to be kept at a specified place, any prescribed records for the prescribed period; and (...); (2) The period prescribed for the purposes of subsection (1)(a) must not exceed 7 years; (3) (...) specified place means (a) a place in New Zealand; or (b) a place outside New Zealand if, (i) after making an application under section 355(1), the specified person is authorised to keep the prescribed records, or to cause the prescribed records to be kept, at that place; or (ii) after making an application under section 355(2), another person is authorised to keep the prescribed records for the specified person at that place.

Since its enactment in 2013, Sections 215 and 216 of the Financial Markets Conduct Act 2013 has required issuers of financial products to keep a register of their regulated products in New Zealand. Furthermore, Sections 455 and 456 require reporting entities such as issuers of financial products, registered banks, building societies, and credit unions to keep certain accounting-related records in New Zealand.
Under Section 458 of the Financial Conduct Market Act 2013, accounting records, or copies of them, must be retained by the financial market conduct reporting entity for a period of at least 7 years after the later of (a) the date the records are made; and (b) the date of completion of the transaction to which the records relate.
Despite this local storage requirement, the Act allows reporting entities to keep accounting records outside New Zealand if specific documents are kept in New Zealand such as the financial statements of any reporting entity and registered scheme it manages and any document annexed to those financial statements that gives legally required information (Section 456). The Act does not otherwise prohibit cross-border data transfers.

Since its enactment in 1993 as amended in 1994, Section 189 of the Companies Act 1993 has required registered companies to store specified internal records at the company's registered office (which must be an address in New Zealand) or another place in New Zealand at least for seven years after giving notice to the Registrar of Companies. These records include: minutes of all meetings and resolutions of shareholders, minutes of all meetings and resolutions of directors and directors' committees, certificates given by directors under the Act, copies of all written communications to all shareholders or all holders of the same class of shares.
Furthermore, under the same provision, following records are subject to a minimum retention period of seven completed accounting periods of the company: copies of all financial statements and group financial statements required to be completed under the Act and accounting records.
Despite this local storage requirement, Section 456 of the Financial Markets Conduct Act allows reporting entities to keep accounting records outside New Zealand if specific documents are kept in New Zealand such as the financial statements of any reporting entity and registered scheme it manages and any document annexed to those financial statements that gives legally required information. The Act does not otherwise prohibit cross-border data transfers.

Since its enactment in 1994, Section 22(2) of the Tax Administration Act 1994 has required certain classes of taxpayers to keep and retain specified records related to their tax liability in New Zealand at least for seven years unless an exception applies, so that the Commissioner of Inland Revenue may assess the taxpayer's tax liability. Under Section 22(5), the Commissioner of Inland Revenue may extend three additional years for an additional audit or investigation. Taxpayers are exempt from the local storage requirements under Section 22(8)-(9) if authorized by the Commissioner of Inland Revenue. This requirement has been in place since its enactment in 1994.
Pursuant to this section, Revenue Alert 10/02, which was issued in 2010 by the Commissioner of Inland Revenue but does not reflect its final position, provides that "[t]taxpayers are responsible for ensuring they comply with their record keeping obligations. Therefore, taxpayers using a cloud computing service will need to be satisfied that all their business records will be [also] stored in data centres located in New Zealand."

Since its enactment 1985, Section 75 of the Goods and Services Tax Act 1985 has required registered entities to keep and retain specified tax-related records at least for seven years in New Zealand unless an exemption applies so that the Commissioner of Inland Revenue may assess the entity's goods and services tax liability. Under Section 75(5), which was inserted in 1992, the Commissioner of Inland Revenue may require taxpayers to retain such data for an additional period of 3 year in cases of a further audit or investigation. Taxpayers are also exempt from the local storage requirement if authorized by the Commissioner as long as the Commissioner imposes reasonable conditions under Section 75(6)-(7). This requirement has been in place since its enactment in 1985.
Pursuant to this section, Revenue Alert 10/02, which was issued in 2010 by the Commissioner of Inland Revenue but does not reflect its final position, provides that "[t]taxpayers are responsible for ensuring they comply with their record keeping obligations. Therefore, taxpayers using a cloud computing service will need to be satisfied that all their business records will be [also] stored in data centres located in New Zealand."

According to Commerce Act 1986 and Telecommunications Act 2001, the Commerce Commission, the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

New Zealand has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

The Telecommunications (Interception Capability and Security) Act 2013 creates upon a network operator 1) a duty to implement full interception capability (Section 9) and 2) a duty to assist a surveillance agency upon an inception warrant or any other lawful interception authority (Section 24). In order to comply with the assistance duty, a network operator must decrypt a telecommunication on that operator’s public telecommunications network or telecommunications service "if (a) the content of that telecommunication has been encrypted; and (b) the network operator intercepting the telecommunication has provided that encryption."
However, this does not require a network operator to "(a) decrypt any telecommunication on that operator’s public telecommunications network or telecommunications service if the encryption has been provided by means of a product that is (i) supplied by a person other than the operator and is available to the public or (ii) supplied by the operator as an agent for that product; and (b) ensure that a surveillance agency has the ability to decrypt any telecommunication.
Nevertheless, the existence of these duties together practically mean that network operators cannot design and implement end-to-end encryption. A joint communique called International Statement - End-to-End Encryption and Public Safety - expressed concern on challenges that end-to-end encryption will pose to law enforcement but at the same time acknowledge privacy, cybersecurity, and intellectual property protection. The government's stated that they are committed to collaborate with industry to develop "reasonable proposals" on this issue.

If an entity needs special rights of access to land to access the road reserve or construct telecommunications or broadcasting lines, it must seek a network operator license. Under Section 102-105 of the Act, an entity must have either telecommunication facilities that enable 10 or more people to communication with each other or broadcasting facilities able to reach 500 or more people, to have the license. However, a telecommunications or broadcasting service provider does not need to be a network operator to run mobile or broadcasting services.

Interconnection with, and pricing to, networks are regulated under Schedule 1 of the Telecommunications Act 2001.
The 2011 amendments to the Telecommunications Act introduced information disclosure requirements for the companies building the ultrafast broadband fibre network and Chorus. The companies are required to meet annual reporting requirements, assurance requirements, certificates and statutory declarations, and data retention requirements.