
Calls for AI regulation are growing louder, from an increasingly diverse range of voices including world leaders, technology executives, and overseas regulators.
However, there is very little consensus on what effective AI regulation should look like. Governments have responded in different ways, making it difficult to keep track of the divergent approaches: some prescriptive and comprehensive, others light-touch and principles-based.
New Zealand currently has no AI-specific legislation, relying instead on existing laws. However, the extraterritorial reach of overseas frameworks means that New Zealand businesses with international operations or customers may already be subject to foreign AI regulation.
In this article, we provide a snapshot of what is happening overseas to help New Zealand businesses identify which frameworks may apply to their international operations and to inform their own AI governance decisions.
Jurisdictions with detailed AI-specific legislation
Some jurisdictions have enacted detailed AI-specific legislation with prescriptive requirements. This provides an element of certainty, although there is also a concern that detailed rules may struggle to keep pace with rapid technological changes. For example:
- The EU AI Act came into force in August 2024 and is the world's first comprehensive AI law. We have explored the AI Act in our previous article here. In brief summary, it imposes tiered categories of obligations, including an outright ban on systems that pose an “unacceptable” risk (already in force), detailed obligations for “high risk” AI systems, with more general transparency obligations for lower risk systems. As part of an “Omnibus” of recent amendments, adopted by the Council on 29 June 2026, the compliance deadline for standalone high-risk AI systems has been deferred to 2 December 2027, and the deadline for high-risk AI systems embedded in regulated products has been deferred to 2 August 2028.
- The AI Act has extraterritorial reach. It applies to providers placing AI systems on the EU market “irrespective of... establishment” and to providers and deployers (i.e. users) in non-EU countries where the AI system's output is used in the EU. This means that, for example, an NZ company whose generative AI tool is used by EU-based customers would likely be a “provider” under the AI Act and subject to its obligations. Similarly, an NZ e-commerce platform using a third-party AI system to generate product recommendations for EU consumers could potentially also be subject to the regime.
- China regulates AI through a series of targeted measures, including the Algorithmic Recommendation Provisions (regulating recommendation algorithms used by online platforms), the Deep Synthesis Provisions (governing synthetic content such as deepfakes, through labelling and transparency requirements), and the Generative AI Measures (imposing obligations on generative AI providers, including preventing discriminatory and unlawful outputs, labelling AI-generated content, and conducting security assessments where required).
- Most recently, the “Interim Measures for the Administration of AI Anthropomorphic Interactive Services”, jointly issued by various agencies, take effect on 15 July 2026 and regulate AI products designed to simulate human interaction. The measures prohibit designs that encourage addiction, require anti-addiction safeguards, and impose emergency intervention obligations in high-risk scenarios. China's State Council has separately announced plans for a comprehensive, standalone AI law in its 2026 legislative work plan, and its “AI+” initiative under the Five-Year Plan for 2026–2030 signals a broader push to integrate AI across the economy.
- Although China's AI measures are not expressly extraterritorial, they apply to AI services provided to the public within China regardless of where the provider is established. Overseas providers offering or targeting AI services in the Chinese market may therefore be required to comply with the relevant measures.
- Brazil's Artificial Intelligence Bill (PL 2338/2023) was approved by the Senate in December 2024 and is currently pending before a Special Committee. If enacted, Brazil's framework is likely to become one of the most significant AI regulatory models in Latin America. It would establish a risk-based framework broadly inspired by the EU AI Act, classifying AI systems according to their level of risk and imposing enhanced obligations on high-risk systems. These obligations include impact assessments, transparency measures, governance requirements and human oversight. The Bill also establishes administrative penalties that may reach up to 2% of a company's revenue in Brazil.
- The Bill does not contain an express extraterritorial provision comparable to the EU AI Act. However, foreign businesses supplying or deploying AI systems in Brazil, or otherwise offering AI-enabled products or services into the Brazilian market, are likely to fall within its scope.
Principles-based or sector-specific frameworks
Some jurisdictions have adopted principles-based or sector-specific frameworks rather than comprehensive legislation. For example:
- Australia has not adopted standalone AI legislation and currently regulates AI through existing legal frameworks, targeted reforms, regulator guidance and voluntary standards. The Australian Government released its National AI Plan on 2 December 2025, confirming this approach while supporting responsible AI adoption and stronger institutional capability. In addition, the Privacy and Other Legislation Amendment Act 2024 introduces automated decision-making transparency obligations for APP entities from 10 December 2026, requiring privacy policies to disclose certain uses of personal information in automated decisions that may significantly affect individuals’ rights or interests.
- New Zealand businesses may be affected where they are APP entities under the Australian Privacy Act, including where they carry on business in Australia or handle personal information in connection with Australian operations, services or customers. Businesses using AI or automated decision-making in trans-Tasman services should carefully assess whether the ADM transparency obligations apply.
- The UK regulates AI primarily through existing legal frameworks, sector-specific regulators and targeted legislation. The Labour Government has continued the UK's context-based, “pro-innovation” approach, maintaining that AI should generally be regulated at the point of use by existing expert regulators, while signalling its intention to introduce targeted legislation for “the handful of companies developing the most powerful AI models.” To date, no such legislation has been enacted.
- As such, existing regulators apply AI oversight within their existing statutory remits and AI is regulated through existing regimes such as data protection, financial services, consumer protection, competition and the Online Safety Act 2023, rather than through AI-specific legislation. New Zealand businesses operating in the UK or targeting UK customers should assess compliance with the relevant sector-specific legal regimes rather than expecting a standalone AI compliance framework.
- Canada has not enacted comprehensive AI legislation. An “Artificial Intelligence and Data Act” was proposed but did not proceed before Parliament was prorogued in January 2025. The Canadian Government has indicated that AI legislation remains a priority but has not yet introduced replacement legislation. Canada currently regulates AI through existing privacy, human rights, consumer protection, competition and sector-specific laws, supported by regulatory guidance. In related developments, on 10 June 2026, the Government introduced Bill C-34, the “Safe Social Media Act”, which would impose safety duties on regulated social media services, AI chatbot services and certain other online services, including child-safety, risk mitigation, transparency and digital safety plan obligations.
- As above, New Zealand businesses should consider the potential application of these laws if they offer AI-enabled services, social media services or AI chatbot services to persons in Canada, process Canadians’ personal information, or operate in regulated Canadian sectors.
- In the United States, AI regulation remains fragmented, relying on existing federal laws, agency enforcement and a rapidly developing patchwork of state legislation. For example, Colorado recently enacted a new “Automated Decision-Making Technology Act”, effective from 1 January 2027. This replaced a broader framework introduced in 2024 (the effect of which is stayed pending a challenge brought by xAI, in which the US Department of Justice has also intervened - the first instance of the federal government seeking to invalidate a state AI law).
- California is similarly developing automated decision-making regulations under the California Consumer Privacy Act (CCPA), while also enacting the "AI Training Data Transparency Act," requiring specified generative AI developers to disclose information about training datasets, and the "Transparency in Frontier AI Act," imposing safety, security and transparency obligations on developers of the largest general-purpose (“frontier”) AI models.
Considerations for New Zealand businesses
The above summaries offer only a brief snapshot of selected jurisdictions, and New Zealand businesses with international operations should remain alert to the range of other frameworks and consider each market carefully.
In relation to local compliance, as noted above, New Zealand currently has no AI-specific legislation and instead relies on existing legal frameworks. However, various initiatives are underway exploring potential AI-related reforms. For example:
- The Ministry for Regulation published its Responsible AI in Action guidance in May 2026, setting out principles of strong foundations, human oversight, transparency and fairness for regulatory agencies.
- The Law Commission has commenced a review of automated decision-making, examining whether existing administrative law frameworks adequately address algorithmic decisions by public bodies.
- The Office of the Privacy Commissioner has issued guidance on the application of the information privacy principles to AI and automated decision-making.
Alongside monitoring these developing reforms, NZ businesses should carefully consider how their current statutory obligations apply in contexts where they use AI systems. For example, where legislation requires decision-makers to exercise judgment or consider contextual matters (e.g., the risk of harm to consumers), full delegation to AI may create compliance challenges. Proactive focus on mapping AI use cases against existing legal obligations should help businesses to capitalise on the opportunities AI presents while minimising the risk of unintended regulatory issues in future.
If you have any questions about this article, please get in touch with the contacts listed or your usual Bell Gully adviser.
Disclaimer: This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.