The export of goods in the New Zealand Strategic Goods List is prohibited unless an exporter has approval from the Ministry of Foreign Affairs and Trade. The goods on the list are derived from the control lists produced by the four export control regimes New Zealand belongs to - the Wassenaar Arrangement, the Australia Group, the Nuclear Suppliers Group and the Missile Technology Control Regime. The Strategic Goods List includes technology as well as military and dual-use goods. The list was promulgated in 2019.

Under the Copyright (New Technologies) Amendment Act 2008, Internet service providers (ISPs) are not liable simply because a user infringes a copyright (Section 92B). However, ISPs may possibly face liability for copyright infringement as a result of storing an infringing material if an ISP has specific knowledge of the infringement, or caching if the ISP does not immediately delete or make unavailable the infringement material upon notice (Sections 92C and 92E).
The decision by the Supreme Court of New Zealand in Ortmann, van der Kolk, Batato, Dotcom v. USA and Anor (2020) NZSC 120 extends civil liability into criminal penalty against ISPs. The decision ruled that Section 131 of the Copyright Act, which sets out criminal offenses in relation to copyright works, encompasses online dissemination of digital copies. As a result, it has been opined that Internet service providers are now potentially exposed to criminal sanctions in carrying out their day-to-day activities. New Zealand Law Society states that "ISPs in New Zealand, and overseas ISPs providing services to New Zealanders, will obviously be concerned as to the extent of their own potential criminal liability in this country for users infringing copyright online. It is not unrealistic to imagine this could have an impact on availability of online services for New Zealanders."
An "ISP" under the Copyright Act means an entity which (a) offers the transmission, routing, or providing of connections for digital online communications, between or among points specified by a user, of material of the user’s choosing, or (b) hosts material on websites or other electronic retrieval systems that can be accessed by a user (Section 4).

Under the Harmful Digital Communications Act 2015, an online content host is not per se liable for illegal content posted by its user and consequently hosted on the platform. Section 24 provides a process that an Internet service provider should take to obtain protection against liability for specific content. However, the lack of the process specified in Section 24 does not itself create any civil or criminal liability for hosting the illegal content (Section 23).

The Privacy Act 2020 provides that "[a]n agency must appoint as privacy officers for the agency one or more individuals" (Section 201).

The Privacy Act 2020 provides a comprehensive regime of data protection in New Zealand. It repeals and replaces the Privacy Act 1993 and contains 13 Information Privacy Principles (IPP) that govern the use of personal information in the country. The Act requires agencies to appoint at least one privacy officer, report data breaches that cause, or are likely to cause, serious harm, and provides data subjects with both the right to access and the right to request correction of their personal information. In addition, the new IPP 12 provides that an organisation or business may only disclose personal information to an agency outside of New Zealand if the receiving agency is subject to similar safeguards to those in the Act. Furthermore, the Act introduces new criminal penalties, punishable with fines of up to NZD 10,000 (approx. USD 6,000) and allows the Office of the Privacy Commissioner of New Zealand to issue compliance notices and enforceable access directions.

New Zealand has joined agreements with binding commitments to open transfers of data across borders: the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP, Art. 14.11), and the Free Trade Agreement between the United Kingdom of Great Britain and Northern Ireland and New Zealand [Art.15.4(2)].

The new Privacy Act 2020 which entered into force in December 2020 creates a conditional flow regime. Information Privacy Principle 12 in Section 22 of the Act governs cross-border data transfer. A business or organization may only disclose personal information to another organization outside New Zealand if the receiving organization:
- is subject to the Privacy Act because they do business in New Zealand;
- is subject to privacy laws that provide comparable safeguards to the Privacy Act - or they agree to protect the information in such a way (e.g., by using model contract clauses), or
- is covered by a binding scheme or is subject to the privacy laws of a country prescribed by the New Zealand Government.
If none of these conditions is satisfied, a business may only make a cross-border disclosure with the permission of the data subject.
This regime does not apply to an overseas organization to hold or process on the business's behalf (e.g., cloud service providers).
Still, despite the IPP 12, a business may make a cross-border disclosure in urgent circumstances where it is necessary to maintain public health or safety or for the maintenance of the law.
This regime does not affect or limit other New Zealand law that regulates the availability of personal information (Section 24).

Since its enactment in 2018, Section 354 of the Customs and Excise Act 2018 has required businesses importing and exporting from New Zealand to keep specified records in New Zealand at least for seven years unless an exemption applies. However, the Act exempts companies from this requirement for certain records of companies importing or exporting if they apply to and are authorized by the Chief Executive of the New Zealand Customs Service to keep the prescribed records with a specific person outside New Zealand (Section 355).

Section 354 states that (1) Every specified person must: (a) keep at a specified place, or cause to be kept at a specified place, any prescribed records for the prescribed period; and (...); (2) The period prescribed for the purposes of subsection (1)(a) must not exceed 7 years; (3) (...) specified place means (a) a place in New Zealand; or (b) a place outside New Zealand if, (i) after making an application under section 355(1), the specified person is authorised to keep the prescribed records, or to cause the prescribed records to be kept, at that place; or (ii) after making an application under section 355(2), another person is authorised to keep the prescribed records for the specified person at that place.

Since its enactment in 2013, Sections 215 and 216 of the Financial Markets Conduct Act 2013 has required issuers of financial products to keep a register of their regulated products in New Zealand. Furthermore, Sections 455 and 456 require reporting entities such as issuers of financial products, registered banks, building societies, and credit unions to keep certain accounting-related records in New Zealand.
Under Section 458 of the Financial Conduct Market Act 2013, accounting records, or copies of them, must be retained by the financial market conduct reporting entity for a period of at least 7 years after the later of (a) the date the records are made; and (b) the date of completion of the transaction to which the records relate.
Despite this local storage requirement, the Act allows reporting entities to keep accounting records outside New Zealand if specific documents are kept in New Zealand such as the financial statements of any reporting entity and registered scheme it manages and any document annexed to those financial statements that gives legally required information (Section 456). The Act does not otherwise prohibit cross-border data transfers.

Since its enactment in 1993 as amended in 1994, Section 189 of the Companies Act 1993 has required registered companies to store specified internal records at the company's registered office (which must be an address in New Zealand) or another place in New Zealand at least for seven years after giving notice to the Registrar of Companies. These records include: minutes of all meetings and resolutions of shareholders, minutes of all meetings and resolutions of directors and directors' committees, certificates given by directors under the Act, copies of all written communications to all shareholders or all holders of the same class of shares.
Furthermore, under the same provision, following records are subject to a minimum retention period of seven completed accounting periods of the company: copies of all financial statements and group financial statements required to be completed under the Act and accounting records.
Despite this local storage requirement, Section 456 of the Financial Markets Conduct Act allows reporting entities to keep accounting records outside New Zealand if specific documents are kept in New Zealand such as the financial statements of any reporting entity and registered scheme it manages and any document annexed to those financial statements that gives legally required information. The Act does not otherwise prohibit cross-border data transfers.

Since its enactment in 1994, Section 22(2) of the Tax Administration Act 1994 has required certain classes of taxpayers to keep and retain specified records related to their tax liability in New Zealand at least for seven years unless an exception applies, so that the Commissioner of Inland Revenue may assess the taxpayer's tax liability. Under Section 22(5), the Commissioner of Inland Revenue may extend three additional years for an additional audit or investigation. Taxpayers are exempt from the local storage requirements under Section 22(8)-(9) if authorized by the Commissioner of Inland Revenue. This requirement has been in place since its enactment in 1994.
Pursuant to this section, Revenue Alert 10/02, which was issued in 2010 by the Commissioner of Inland Revenue but does not reflect its final position, provides that "[t]taxpayers are responsible for ensuring they comply with their record keeping obligations. Therefore, taxpayers using a cloud computing service will need to be satisfied that all their business records will be [also] stored in data centres located in New Zealand."

Since its enactment 1985, Section 75 of the Goods and Services Tax Act 1985 has required registered entities to keep and retain specified tax-related records at least for seven years in New Zealand unless an exemption applies so that the Commissioner of Inland Revenue may assess the entity's goods and services tax liability. Under Section 75(5), which was inserted in 1992, the Commissioner of Inland Revenue may require taxpayers to retain such data for an additional period of 3 year in cases of a further audit or investigation. Taxpayers are also exempt from the local storage requirement if authorized by the Commissioner as long as the Commissioner imposes reasonable conditions under Section 75(6)-(7). This requirement has been in place since its enactment in 1985.
Pursuant to this section, Revenue Alert 10/02, which was issued in 2010 by the Commissioner of Inland Revenue but does not reflect its final position, provides that "[t]taxpayers are responsible for ensuring they comply with their record keeping obligations. Therefore, taxpayers using a cloud computing service will need to be satisfied that all their business records will be [also] stored in data centres located in New Zealand."

According to Commerce Act 1986 and Telecommunications Act 2001, the Commerce Commission, the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

New Zealand has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

If an entity needs special rights of access to land to access the road reserve or construct telecommunications or broadcasting lines, it must seek a network operator license. Under Section 102-105 of the Act, an entity must have either telecommunication facilities that enable 10 or more people to communication with each other or broadcasting facilities able to reach 500 or more people, to have the license. However, a telecommunications or broadcasting service provider does not need to be a network operator to run mobile or broadcasting services.