Use the Lexology Getting the Deal Through tool to compare the answers in this article with those from other jurisdictions.

Market overview

Kinds of transaction

What kinds of cloud computing transactions take place in your jurisdiction?

A range of cloud computing transactions take place in New Zealand.

Surveys conducted among IT professionals show a slight preference among New Zealand businesses towards hybrid models. For example, a survey of 100 NZ IT professionals by Microsoft New Zealand in March 2017 showed that 42 per cent of respondents said they already leveraged, or planned to leverage, hybrid cloud solutions. Microsoft said it expected the percentage to increase to 47 per cent in the next 12 to 18 months; 46 per cent use the private cloud and 12 percent use a public cloud solution alone.

Recent publicised cloud transactions of note include:

  • the June 2018 merger between IT companies The Instillery and Vo2 Group, designed to drive wider adoption of cloud technologies across the New Zealand;
  • the appointment of Dynamo6, a Waikato-based cloud computing, mobile, web and app development company being appointed as a New Zealand Google Cloud partner in March 2018;
  • the New Zealand government announcing its all-of-government agreement with Amazon Web Services (one of the first whole-of-government contracts that AWS has signed globally) in May 2017; and
  • Genesis Energy (New Zealand’s largest electricity and gas retailer and power generator) in March 2017 completing a large-scale migration of its IT infrastructure to Spark’s Revera cloud platform.

Active global providers

Who are the global international cloud providers active in your jurisdiction?

There are various international cloud providers active in New Zealand including Google’s Cloud Platform, Amazon Web Services, Microsoft Azure, IBM Cloud Computing, Salesforce.com, Infor Cloudsuite and Dimension Data.

Active local providers

Name the local cloud providers established and active in your jurisdiction. What cloud services do they provide?

It is not possible to create an exhaustive list but the following is a guide of some local cloud providers that we have encountered.

The major cloud providers established in New Zealand include:

  • Revera Limited, which offers cloud migration and in-country and global cloud platforms; and
  • Datacom Group Limited, which provides a range of cloud services including an infrastructure-as-a-service platform, cloud migration, private cloud, shared private cloud and hybrid cloud solutions.

Cloud providers offering specialist solutions include:

  • Xero, a cloud-based software-as-a-service accounting system;
  • PeopleSafe Limited, creators of a health and safety software application;
  • Promapp Solutions Limited, an Auckland-based company that developed a process management software for creating and storing business processes online called Promapp; and
  • Silkroad, provider of cloud-based, end-to-end human resources solutions.

In addition, New Zealand has a range of smaller cloud providers, including:

  • Batten Services, which provides cloud-hosted Voice over Internet Protocol solutions, off-site live data backup facilities and mail consultation;
  • Catalyst IT Limited, which specialises in developing, designing and supporting enterprise grade systems using open-source technologies;
  • Onenet Limited, which delivers cloud services of hosted Microsoft Exchange email, customer relationship management, SharePoint, desktops-as-a-service, infrastructure-as-a-service, online PC and server data;
  • Umbrellar, New Zealand’s largest web-hosting company; and
  • XIT Cloud Solutions, a Christchurch-based company providing Voice over Internet Protocol, hosted mail and online offsite backup solutions.

Market size

How well established is cloud computing? What is the size of the cloud computing market in your jurisdiction?

Cloud computing is well established in New Zealand, with an estimated 85 per cent of the New Zealand market now leveraging some form of cloud-based service (IDC 2017 New Zealand Ecosystem study).

New Zealand businesses are increasingly taking advantage of cloud computing as a flexible and cost-efficient alternative to traditional data storage options. According to a PricewaterhouseCoopers report published in 2015, New Zealand and Australia are leading cloud adoption globally (PricewaterhouseCoopers New Zealand Managing the Shadow Cloud: Perspectives from New Zealand and Australia (August 2015)).

Impact studies

Are data and studies on the impact of cloud computing in your jurisdiction publicly available?

Data and studies on the impact of cloud computing in New Zealand are not widely publicly available. Most studies or surveys on the impact of cloud computing are undertaken by independent researchers, such as IDC Research, Inc, Gartner, Inc or by cloud providers themselves.

Policy

Encouragement of cloud computing

Does government policy encourage the development of your jurisdiction as a cloud computing centre for the domestic market or to provide cloud services to foreign customers?

Government policy does not specifically encourage the development of New Zealand as a cloud computing centre for the domestic market, or to provide cloud services to foreign customers.

However, the New Zealand government recognises that the digital technology sector in general is ‘an important driver of innovation and increases in jobs and export growth, and the application of technology across all sectors of the economy can make our businesses more resilient, productive, and internationally competitive’ (Business Growth Agenda: Building a Digital Nation, March 2017). The technology sector is New Zealand’s third-largest exporting sector, contributing NZ$16 billion to New Zealand’s GDP. The Ministry of Business, Innovation and Employment, together with the Technology Investment Network, produces a guide to New Zealand technology investment in order to drive investment in the sector.

Incentives

Are there fiscal or customs incentives, development grants or other government incentives to promote cloud computing operations in your jurisdiction?

No. However, locally, the New Zealand government operates a ‘Cloud First’ policy, which requires government agencies to adopt cloud services in preference to traditional IT systems. According to the New Zealand government, this is because cloud services are more cost-effective, agile, generally more secure and provide greater choice.

Legislation and regulation

Recognition of concept

Is cloud computing specifically recognised and provided for in your legal system? If so, how?

Cloud computing is not specifically recognised or regulated under New Zealand law. As such, cloud computing is subject to the range of laws of general application, including the Privacy Act 1993 (which is likely to undergo significant reform soon - see discussion below), the Fair Trading Act 1986 and the Copyright Act 1994.

A number of New Zealand government agencies have released guidance material covering either their own, or their recommended, approach to cloud computing.

For example, the Office of the Privacy Commissioner (an independent Crown Entity that administers the Privacy Act 1993) released guidance material for small and medium-sized businesses to help them protect personal information when using cloud computing in February 2013 entitled Cloud Computing: a guide to making the right choices. In addition, in April 2017, the Ministry of Health released its policy on cloud computing (in conjunction with the Department of Internal Affairs’ Government Chief Information Office).

Governing legislation

Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

Cloud computing is not directly regulated or specifically prohibited or restricted by New Zealand legislation.

What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

Cloud computing itself is not indirectly prohibited, restricted or otherwise governed by New Zealand legislation or regulation.

However, businesses using cloud computing will be subject to the range of laws of general application, including the Privacy Act 1993, Fair Trading Act 1986 and Copyright Act 1994, and Telecommunications (Interception Capability and Security) Act 2013 (TICSA), which contain a number of provisions that indirectly govern cloud computing.

For example, the Privacy Act 1993 applies to ‘agencies’ (including cloud computing businesses to the extent they handle personal information) and sets out rules in relation to the collection, use, storage and disclosure of such personal information. The Act provides that an organisation that holds personal information must ensure that it is protected using reasonable security safeguards against loss, access, use, modification, unauthorised disclosure and misuse. A business remains legally responsible for those obligations when personal information is stored in the cloud.

The TICSA applies to cloud computing in New Zealand indirectly, and sets out obligations for New Zealand’s telecommunications network operators and service providers in relation to interception capability and network security.

Breach of laws

What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?

Not applicable.

Consumer protection measures

What consumer protection measures apply to cloud computing in your jurisdiction?

Certain rights and remedies are implied into contracts with consumers (defined in the Consumer Guarantees Act 1993 (CGA)), in summary, as a person who acquires from a supplier goods or services of a kind ordinarily acquired for personal, domestic, or household use or consumption and who does not acquire the goods or services, for various specified business purposes) that would apply to consumers obtaining cloud services.

In addition, the Fair Trading Act 1986 (FTA) would apply to protect consumers where they obtain cloud services, and the Privacy Act 1993 (discussed above) will apply whenever a business collects personal information about a consumer and stores it in the cloud.

In summary, the CGA implies certain warranties and remedies into sales transactions with consumers, relating to the quality and standard of goods and services supplied.

The FTA prohibits conduct that is likely to be misleading or deceptive. This veto is extremely broad and includes not only the making of untrue claims or statements, but also omitting to give all relevant details and failing to correct mistaken impressions. The FTA also contains prohibitions on unfair selling practices.

The FTA also contains a regime on the use of unfair contract terms in standard form consumer contracts (UCT regime), which was introduced in 2015. The UCT regime prohibits the use of terms that may be ‘unfair’ in standard form ‘consumer contracts’ - that is, where one party is acquiring goods or services of a kind ‘ordinarily acquired for personal, domestic, or household use or consumption’ and does not resupply them in trade.

Sector-specific legislation

Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.

There is no sector-specific legislation or regulation that specifically applies to cloud computing transactions in New Zealand.

However, as mentioned above, a number of government departments have released guidance on cloud computing.

In April 2017, the Ministry of Health released its policy on cloud computing (in conjunction with the Department of Internal Affairs’ Government Chief Information Office). Specific privacy rules for agencies in the health sector are set out in the Health Information Privacy Code.

According to the Ministry of Health, the use of cloud or hosted services is a viable option for funders and providers of health and disability support services (health agencies) because of its cost and convenience. The Ministry requires District Health Boards to:

  • satisfy themselves via certain prescribed cloud risk assessment processes that the product or service meets the requirements of HISO 10029:2015 Health Information Security Framework - section 18 Cloud Computing and Outsourced Processing;
  • forward a copy of completed risk assessments to the Department of Internal Affairs’ Government Chief Information Office. A copy must also be provided to the Ministry of Health prior to the commencement of the cloud service use; and
  • record each individual public cloud service utilised within its application portfolio management system.

Insolvency laws

Outline the insolvency laws that apply generally or specifically in relation to cloud computing.

In New Zealand, when a company becomes insolvent, a liquidator can be appointed by the shareholders, directors or the court on the application of a creditor. The liquidator is then entitled to take possession of, protect, realise and distribute the assets of the company to the company’s creditors and shareholders in accordance with the Companies Act 1993. The liquidator acts as the agent of the company.

In the context of company insolvency, a receiver can also be appointed by a secured creditor. The receiver will take control of the company assets and trade on the company or sell the company as a going concern or sell the company’s assets, as the case may be.

Because there are no insolvency laws in New Zealand specifically relating to a cloud computing supplier, the rights to the stored data will largely depend on the nature of the contractual arrangement between the service provider and the customer. The terms of cloud contracts can vary significantly between service providers and, if not negotiated properly at the outset, can include terms that allow insolvency practitioners to access and sell off customer data.

Data protection/privacy legislation and regulation

Principal applicable legislation

Identify the principal data protection or privacy legislation applicable to cloud computing in your jurisdiction.

New Zealand’s principal data protection and privacy provisions are contained in the Privacy Act 1993.

In summary, the Privacy Act 1993 controls how ‘agencies’ collect, use, disclose, store and give access to ‘personal information’. It also contains a set of information privacy principles that cover:

  • the collection, storage and security, and accuracy of personal information;
  • requests for access to and correction of personal information;
  • retention, use and disclosure of personal information; and
  • using unique identifiers.

The Privacy Commissioner has the power to issue privacy Codes of Practice. To date, codes exist in the specific areas of the justice sector, health, superannuation schemes, telecommunications, credit reporting and national emergencies. As discussed, the Privacy Bill is likely to change the privacy law landscape in New Zealand.

Cloud computing contracts

Types of contract

What forms of cloud computing contract are usually adopted in your jurisdiction, including cloud provider supply chains (if applicable)?

There is no standard form of cloud computing contract that is adopted but standard methods of contracting for cloud-based solutions that are adopted in other jurisdictions, in particular, England and Australia, would be recognised and accepted in New Zealand.

Typical terms for governing law

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering governing law, jurisdiction, enforceability and cross-border issues, and dispute resolution?

Where possible, New Zealand businesses will try to ensure that New Zealand law is the governing law, and that the parties submit to the jurisdiction of New Zealand courts. However, many global international cloud providers insist on including governing law and jurisdiction clauses from the countries of their own head offices.

Dispute resolution clauses in New Zealand cloud computing contracts typically provide for an escalation procedure (often including a notice of dispute, mediation and, in some cases, arbitration), which must be followed before a party may start court proceedings, except where a party seeks urgent interlocutory relief.

Typical terms of service

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering material terms, such as commercial terms of service and acceptable use, and variation?

The commercial terms of service operate as a subscription model, usually for a minimum term and then on a rolling basis (either one or three months). Payment is usually made in advance and subject to usual provisions around interest for late payment and suspension of services if fees remain unpaid for a period of time (usually no more than five business days unless there is a genuine dispute).

Generally, acceptable use policies (AUPs) require the customer to be solely responsible for the content stored on the public cloud and impose usage limits and apply the ability to ‘throttle’ bandwidth. Content and use of the services must always comply with law (including privacy, SPAM and intellectual property law). We are seeing increased use of provisions noting cybersecurity requirements and specifically prohibiting conduct that uses the services to gain unauthorised access to third-party computer systems or sites.

In most AUPs, the cloud provider reserves its rights to block access to the client content if it believes that the AUP is being breached or circumvented. In some cases, continued or flagrant abuse of the AUP gives rise to a termination right.

Typical terms covering data protection

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering data and confidentiality considerations?

Cloud computing contracts in New Zealand generally include detailed data security and confidentiality provisions.

Customers typically require suppliers to comply at all times with relevant privacy law in respect of the data, process data in accordance with the customer’s instructions and any relevant policies, and, in some cases, not to transfer data outside of certain jurisdictions. These clauses also provide for the prevention of unauthorised access, disclosure or misuse of data.

Data clauses often set out a process that must be followed in the case of any data breach, generally including notification, cooperation, mitigation and providing regular updates while resolving the breach.

Confidentiality provisions tend to allow the parties, notwithstanding their confidentiality obligations, to use and disclose information required by law, a competent authority or listing rules.

Typical terms covering liability

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering liability, warranties and provision of service?

It is standard practice to exclude liability for indirect or consequential loss or damage in New Zealand cloud computing contracts. Force majeure clauses typically provide that a party is not liable for any failure or delay arising directly from a force majeure event (provided that the party in default uses its best endeavours to mitigate the effects of the force majeure).

In addition, a limitation of liability is generally included. Loss arising out of wilful default or breach, or a breach of confidentiality provisions, is often excluded from the limitation of liability.

Typical terms covering IP rights

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering intellectual property rights (IPR) ownership in content and the consequences of infringement of third-party rights?

Intellectual property clauses typically provide for ownership of intellectual property as follows:

  • each party’s pre-existing intellectual property remains the property of the original party;
  • the parties must agree on the ownership of any intellectual property rights in intellectual property developed during the course of the contract; and
  • each party grants a licence to the other to use each party’s intellectual property for the purposes of fulfilling its obligations under the agreement.

It is typical to see IP indemnities in cloud computing contracts, whereby one party indemnifies the other against any loss suffered in relation to third-party claims of IP infringement.

Typical terms covering termination

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering termination?

Cloud computing contracts generally provide for termination:

  • by either party on default (including material breach of obligations under the contract, insolvency, receivership or force majeure); and
  • by either party (or one) for convenience.

In addition, some customers require termination rights where the supplier comes under the control of another entity, or where a significant breach or crisis affects the customer’s business (which is the fault of, or arises out of the actions of, the supplier).

Following termination, each party is generally required to destroy or deliver to the other party, any property and confidential information. In some instances, suppliers are required to novate to the customer any third-party licence agreements required for the continuation of the contract.

Many customers require suppliers to provide transition assistance if the agreement is terminated, as well as step-in rights for the customer if the supplier becomes insolvent.

Employment law considerations

Identify any labour and employment law considerations that apply specifically to cloud computing in your jurisdiction.

There are no labour or employment law considerations in New Zealand that specifically relate to cloud computing. However, a business customer entering into a cloud computing contract may wish to consider the key pieces of employment legislation in New Zealand, including: Employment Relations Act 2000, Holidays Act 2003, Health and Safety at Work Act 2015 and the Privacy Act 1993.

Taxation

Applicable tax rules

Outline the taxation rules that apply to the establishment and operation of cloud computing companies in your jurisdiction.

New Zealand’s income tax rules operate on the principles of source and residency.

A cloud computing company that is tax-resident in New Zealand (on the basis that it is incorporated in New Zealand, has its head office or centre of management in New Zealand or is controlled by its directors from New Zealand) will be subject to tax on its worldwide income (at the corporate tax rate of 28 per cent).

A cloud computing company that is not tax-resident in New Zealand may only be taxed on New Zealand-sourced income, unless a double tax agreement (DTA) applies to alter this treatment.

A DTA is an agreement between nations that aims to prevent double taxation of the same income. Most of New Zealand’s DTAs prevent New Zealand from taxing the business profits of non-resident companies unless those profits are attributable to a permanent establishment that the company has in New Zealand.

Indirect taxes

Outline the indirect taxes imposed in your jurisdiction that apply to the provision from within, or importing of cloud computing services from outside, your jurisdiction.

A supplier of goods and services is required to register for and charge goods and services tax (GST) at a rate of 15 per cent if they make supplies of goods and services in New Zealand that exceed NZ$60,000 per annum.

A cloud computing company making supplies will be deemed to be making supplies in New Zealand if the company is tax-resident in New Zealand. A company will be tax-resident in New Zealand if it meets one of the residency tests outlined in question 24, or if the company has a fixed or permanent place of business in New Zealand.

In contrast to the position for tax residents, supplies made by a non-resident company will generally be treated as being made outside of New Zealand. However, a non-resident company will be deemed to supply services in New Zealand if they provide ‘remote services’ to customers that are not GST-registered. Services will be ‘remote services’ when there is no necessary connection between the physical location of the service recipient and the place where the service is performed.

Recent cases

Notable cases

Identify and give details of any notable cases, or commercial, private, administrative or regulatory determinations within the past three years in your jurisdiction that have directly involved cloud computing as a business model.

In Cloud House Ltd v Bulletproof Group Ltd [2018] NZHC 1450, the High Court granted the defendant security for costs over a dispute concerning the ‘earn out’ provisions contained in a deed for the sale of a New Zealand cloud computing services business by an established cloud services provider in Australia. Cloud alleged that its prospects of earning the earn-out payments had been compromised by Bulletproof’s alleged pre-contractual misrepresentations and breach of warranties. In particular, Cloud pointed to a decision by Bulletproof to alter the business model by entering into a partnership with Microsoft Azure as damaging the business relationship with a major supplier, AWS. This, together with a number of other administrative and staffing decisions, amounted to Bulletproof intentionally taking action that would reduce the amount of the earn-out payment in breach of the warranty. Bulletproof claimed that the earn-out was not achieved due to Cloud’s financial forecasting not being prepared with due care or based on assumptions that were reasonable.

At the time of writing, filings are being made for the substantive hearing.

Update and trends

Update and trends

What are the main challenges facing cloud computing within, from or to your jurisdiction? Are there any draft laws or legislative initiatives specific to cloud computing that are being developed or are contemplated?

The European Union’s General Data Protection Regulation (GDPR) came into force earlier this year, and will impact New Zealand because of its extra-territorial reach. Two key principles from the regulation, ‘data portability’ and the ‘right of erasure’, are not yet reflected in the Privacy Bill. These principles may, however, feature in the next round of drafting of the Bill and are likely to have significance for New Zealand cloud computing businesses and customers. For those New Zealand businesses that process EU data subjects, it is still unclear how the EU regulators will enforce the GDPR against a New Zealand company. Importantly, however, many of the principles of the GDPR are (or are likely to be, when the Bill is passed) replicated in New Zealand’s own privacy law.

While there are no draft laws or legislative initiatives specific to cloud computing that are being developed or contemplated, New Zealand’s privacy law will undergo significant reform with the recent introduction of the Privacy Bill. Now at the Parliamentary Select Committee stage, the Bill aims to restore individuals’ confidence that agencies will keep their personal information secure; and provide the Privacy Commissioner with greater powers to address agencies’ failure to handle personal information appropriately.

The changes that are proposed by the Bill seek to enforce this in two ways. First, to impose compliance on agencies by greater regulations, and second to increase fines against agencies for breaches of the Bill. If passed, the changes will be particularly relevant to companies dealing with vast volumes of data, such as cloud computing businesses.