The new Privacy Act 2020, which entered into force in December 2020, creates a conditional flow regime. Information Privacy Principle 12 in Section 22 of the Act governs cross-border data transfer. A business or organisation may only disclose personal information to another organisation outside New Zealand if the receiving organisation:
- is subject to the Privacy Act because they do business in New Zealand;
- is subject to privacy laws that provide comparable safeguards to the Privacy Act - or they agree to protect the information in such a way (e.g., by using model contract clauses), or
- is covered by a binding scheme or is subject to the privacy laws of a country prescribed by the New Zealand Government.
If none of these conditions is satisfied, a business may only make a cross-border disclosure with the permission of the data subject.
This regime does not apply to an overseas organisation that holds or processes on the business's behalf (e.g., cloud service providers).
Still, despite the IPP 12, a business may make a cross-border disclosure in urgent circumstances where it is necessary to maintain public health or safety or for the maintenance of the law.
This regime does not affect or limit other New Zealand law that regulates the availability of personal information (Section 24).

Since its enactment in 2018, Section 354 of the Customs and Excise Act 2018 has required businesses importing and exporting from New Zealand to keep specific records in New Zealand for at least 7 years unless an exemption applies. However, the Act exempts companies from this requirement for certain records of companies importing or exporting if they apply to and are authorised by the Chief Executive of the New Zealand Customs Service to keep the prescribed records with a specific person outside New Zealand (Section 355).
Section 354 states that (1) Every specified person must (a) keep at a specified place, or cause to be kept at a specified place, any prescribed records for the prescribed period; and (...); (2) The period prescribed for subsection (1)(a) must not exceed 7 years; (3) (...) specified place means (a) a place in New Zealand; or (b) a place outside New Zealand if, (i) after making an application under section 355(1), the specified person is authorised to keep the prescribed records, or to cause the prescribed records to be kept, at that place; or (ii) after making an application under section 355(2), another person is authorised to keep the prescribed records for the specified person at that place.

New Zealand has joined agreements with binding commitments to open transfers of data across borders: the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP, Art. 14.11), the Digital Economy Partnership Agreement Between Singapore, Chile and New Zealand (DEPA, Art. 4.3), the Free Trade Agreement between the United Kingdom of Great Britain and Northern Ireland and New Zealand [Art.15.4(2)], and the EU-New Zealand Free Trade Agreement (Chapter 12, Art. 12.4)

The Privacy Act 2020 provides a comprehensive regime of data protection in New Zealand. It repeals and replaces the Privacy Act 1993 and contains 13 Information Privacy Principles (IPP) that govern the use of personal information in the country. The Act requires agencies to appoint at least one privacy officer, report data breaches that cause or are likely to cause serious harm, and provide data subjects with both the right to access and the right to request correction of their personal information. In addition, the new IPP 12 provides that an organisation or business may only disclose personal information to an agency outside of New Zealand if the receiving agency is subject to similar safeguards to those in the Act. Furthermore, the Act introduces new criminal penalties, punishable with fines of up to NZD 10,000 (approx. USD 6,000) and allows the Office of the Privacy Commissioner of New Zealand to issue compliance notices and enforceable access directions.

The Privacy Act 2020 provides that "[a]n agency must appoint as privacy officers for the agency one or more individuals" (Section 201).

Under the Copyright (New Technologies) Amendment Act 2008, Internet service providers (ISPs) are not liable simply because a user infringes a copyright (Section 92B). However, ISPs may possibly face liability for copyright infringement as a result of storing infringing material if an ISP has specific knowledge of the infringement or caching if the ISP does not immediately delete or make unavailable the infringement material upon notice (Sections 92C and 92E).
The decision by the Supreme Court of New Zealand in Ortmann, van der Kolk, Batato, Dotcom v. USA and Anor (2020) NZSC 120 extends civil liability into a criminal penalty against ISPs. The decision ruled that Section 131 of the Copyright Act, which sets out criminal offences in relation to copyright works, encompasses online dissemination of digital copies. As a result, it has been opined that Internet service providers are now potentially exposed to criminal sanctions when carrying out their day-to-day activities. New Zealand Law Society states that "ISPs in New Zealand, and overseas ISPs providing services to New Zealanders, will obviously be concerned as to the extent of their potential criminal liability in this country for users infringing copyright online. It is not unrealistic to imagine this could have an impact on the availability of online services for New Zealanders."
An "ISP" under the Copyright Act means an entity which (a) offers the transmission, routing, or providing of connections for digital online communications, between or among points specified by a user, of material of the user’s choosing, or (b) hosts material on websites or other electronic retrieval systems that can be accessed by a user (Section 4).

The Harmful Digital Communications Act 2015 establishes a safe harbour regime for intermediaries beyond copyright infringement. Section 24 provides a process that an Internet service provider should take to obtain protection against liability for specific content. However, the lack of the process specified in Section 24 does not itself create any civil or criminal liability for hosting the illegal content (Section 23).

New Zealand has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

It has been reported that New Zealand lacks a telecommunications authority whose decision-making process is entirely independent of government influence. The Ministry of Business, Innovation and Employment (MBIE) is responsible for shaping the telecommunications regulatory framework, which includes establishing the rules governing the operations of telecommunications companies and ensuring product compliance. In addition, the New Zealand Commerce Commission plays a key role in overseeing competition within the telecommunications sector and regulating certain services. It holds the authority to recommend whether services should be regulated or deregulated. As an independent statutory body, the Commission is tasked with enforcing the Commerce Act and is primarily accountable to the Minister of Commerce and Consumer Affairs for its operational performance and outcomes. The Commission may also set terms and conditions, including pricing, for regulated services through Standard Terms Determinations. Furthermore, it possesses the power to mandate the availability of industry-wide services, such as number portability, impose information disclosure obligations, and implement structural remedies, including the separation of services. Although the Commerce Commission operates independently, the Minister for Communications retains the authority to accept or reject the Commission's recommendations on regulating or deregulating services. Additionally, the Minister may issue a "statement of economic policy," which the Commission is required to consider in its decision-making process.

Since its enactment in 1994, Section 22.2 of the Tax Administration Act 1994 has required certain classes of taxpayers to keep and retain specified records related to their tax liability in New Zealand for at least seven years unless an exception applies so that the Commissioner of Inland Revenue may assess the taxpayer's tax liability. Under Section 22.5, the Commissioner of Inland Revenue may extend three additional years for an additional audit or investigation. Taxpayers are exempt from the local storage requirements under Section 22(8)-(9) if authorised by the Commissioner of Inland Revenue. This requirement has been in place since its enactment in 1994.
Pursuant to this section, Revenue Alert 10/02, which was issued in 2010 by the Commissioner of Inland Revenue but did not reflect its final position, provides that "[t]taxpayers are responsible for ensuring they comply with their record-keeping obligations. Therefore, taxpayers using a cloud computing service will need to be satisfied that all their business records will be [also] stored in data centres located in New Zealand."

Since its enactment in 1985, Section 75 of the Goods and Services Tax Act 1985 has required registered entities to keep and retain specified tax-related records for at least seven years in New Zealand unless an exemption applies so that the Commissioner of Inland Revenue may assess the entity's goods and services tax liability. Under Section 75.5, which was inserted in 1992, the Commissioner of Inland Revenue may require taxpayers to retain such data for an additional period of 3 years in cases of a further audit or investigation. Taxpayers are also exempt from the local storage requirement if authorised by the Commissioner as long as the Commissioner imposes reasonable conditions under Section 75(6)-(7). This requirement has been in place since its enactment in 1985.
Pursuant to this section, Revenue Alert 10/02, which was issued in 2010 by the Commissioner of Inland Revenue but did not reflect its final position, provides that "[t]taxpayers are responsible for ensuring they comply with their record-keeping obligations. Therefore, taxpayers using a cloud computing service will need to be satisfied that all their business records will be [also] stored in data centres located in New Zealand."

New Zealand maintains specific limitations on foreign investment in key state-owned companies, including the telecommunications sector. In 2011, Chorus, a major telecommunication infrastructure company, was demerged from a network provider, Spark New Zealand Limited (Spark). Chorus’s constitution states that foreign investments exceeding 49.9% in national telecommunication companies require approval.

To file a patent application in New Zealand, an address for service in New Zealand or Australia and a communication address (email address) are required under the Patents Regulations 2014 (Sections 3, 34). The address for service can be a business or residential address, post office box or document exchange box located in New Zealand or Australia. Any applicant may be represented by a patent attorney authorised to practice before the Office, and the address for service should normally be that of a registered patent attorney (Subpart 4).

New Zealand is a party to the Patent Cooperation Treaty (PCT).

The country has a clear regime under the Copyright Act 1994 of copyright exceptions that follows the fair dealing model, which enables the lawful use of copyrighted work by others without obtaining permission. Sections 40-92 list the exceptions which include the use for purposes of criticism, review and news reporting (Section 42), the purposes of research or private study (Section 43), educational purposes (Sections 44 to 48), copying by librarians or archivists (Sections 51 to 56), public administration (Sections 58-66), literary, dramatic, musical, or artistic works (Sections 67 to 78), computer programs, sound recordings, and films (Sections 79 to 81A), communication works (Sections 82 to 91), and adaptations (Sections 92-93).