GUEST BLOG: Seeby Woodhouse – NZ joins the Budapest Convention

I run several companies involved in technology and telecommunications in New Zealand. I am therefore subject to certain lawful intercept powers on our network – which have continually expanded over the years

NZ joining the Budapest Convention seems to further extend a lot of those powers, and I’ve been trying to understand exactly what that means for Kiwis and myself, however not being a lawyer, it gave me a headache.

What’s happening?

On 1 December 2025 New Zealand will formally accede to the Council of Europe’s Convention on Cybercrime (the “Budapest Convention”) — a treaty supposedly designed to make cross-border cooperation on online crime faster and more predictable. That sounds sensible: cybercrime is real, harms are real, and international cooperation can help catch serious offenders. But as with most trade-offs, the real question is what we give up to gain that capability, who gets access to what data, and whether the public had enough time to properly weigh the risks.

Below I’ll briefly explain what changed in New Zealand law to make accession possible, what the most significant risks are, which parts of sovereignty and civil liberties are most exposed, and whether the public had adequate time and tools to scrutinise this change.

What the government actually changed (the legal headlines)

To meet the Convention’s requirements, Parliament passed the Budapest Convention and Related Matters Legislation Amendment Act 2025, which amends four key statutes so New Zealand can exchange evidence, assist foreign investigations, and align cybercrime offences with other parties.

The practical amendments of note are:

• Search and Surveillance Act 2012 — a new regime of Preservation Directions was added so police (and foreign partners) can require providers to preserve records and data that are likely to be lost or altered; some Preservation Directions can be renewed and foreign-requested directions are possible. There are new offences for failing to comply and rules that prohibit revealing that a preservation direction was issued. The Act does allow for judicial review in some circumstances, but the emphasis is on secrecy to avoid tipping off suspects. New Zealand Legislation
• Mutual Assistance in Criminal Matters Act 1992 (MACMA) — broadened so NZ can supply assistance (and receive requests) for a wider range of investigative powers, including production orders and surveillance device warrants in support of overseas investigations. Bills
• Telecommunications (Interception Capability and Security) Act 2013 — terminology and definitions updated (e.g., ‘call associated data’ replaced by the broader term ‘traffic data’) to align with the Convention’s language and powers. New Zealand Legislation
• Crimes Act 1961 — new offences were added targeting the design, creation and possession of certain cyber tools (code that facilitates cybercrime), and some older provisions (like s.251) were repealed to make the statute consistent with the Convention’s offence framework. New Zealand Legislation

The government’s stated aim — and the most visible argument for accession — is improved operational cooperation with partners to tackle transnational cybercrime. Ministers and officials point to better information-sharing, faster preservation of evidence, and stronger mutual legal assistance as net positives for public safety. The Beehive

The headline risks (short version)

1. Secrecy and “gag” powers — Preservation Directions explicitly prohibit disclosure, which is intended to prevent tipping off suspects. But that same secrecy means affected providers and potentially affected New Zealanders may have little ability to challenge or even know about actions taken that touch their data. New Zealand Legislation
2. Foreign-driven requests — tougher obligations to assist foreign law enforcement can mean NZ agencies must act on requests from jurisdictions with very different human-rights records or standards of due process. The treaty simplifies requests; the worry is it can also accelerate foreign access to NZ data. Portal
3. Expansion of police powers at home — the new preservation and production tools strengthen prosecutorial reach; critics argue the changes could expand surveillance in subtle ways beyond what Parliament intended. Transparency International New Zealand
4. Data sovereignty and private-sector burden — ISPs, cloud providers and platform hosts face new obligations to preserve and hand over data on demand; for smaller Kiwi businesses this is extra legal/operational cost and potentially a reputational hit. The Beehive

Sovereignty concerns — are we handing powers to foreign states?

Accession creates faster, more routinised channels for overseas investigators to ask New Zealand for help and for NZ to ask others for help. That’s the whole point of the Budapest Convention: to make cross-border digital evidence exchange practical.

But “practical” has consequences:

• The Mutual Assistance changes mean foreign agencies can ask for production orders or surveillance evidence using streamlined processes. New Zealand must implement those requests into domestic law to comply. In effect, NZ accepts a legal framework that makes it easier for foreign law enforcement to obtain NZ data — even if the requesting country’s standards for surveillance, trial rights, or privacy protections are lower than New Zealand’s. The practical risk: NZ could become a conduit for foreign interests to access locally held data with less robust protections than we’d prefer. Bills
• The preservation direction tool lets authorities require providers to keep, and in some cases produce, data that could otherwise be volatile or ephemeral (metadata, logs, ephemeral messages). Because the process is secret and can be foreign-initiated and renewed, it hands authorities — not courts or public scrutiny — the initial leverage, which changes the balance between sovereign control and international cooperation. New Zealand Legislation

All of which adds up to a type of shared operational sovereignty: you remain sovereign, but you agree to let partner states press domestic actors to preserve and produce evidence under a shared rulebook. For many investigators that’s exactly what they want; for many civil liberties advocates that’s exactly what worries them. Portal

Civil liberties and due-process concerns (the nitty-gritty)

• Gagging and non-disclosure (s.79Q) prevents providers from telling customers they have been the subject of a preservation direction. That’s operationally useful to preserve evidence — but it means people often do not learn their data was involved in an investigation unless charges are laid and material is disclosed later. This affects rights of defence and can interfere with transparency. New Zealand Legislation
• Criminal liability for non-complying providers (s.79O) raises the stakes for intermediaries, who might otherwise refuse or question a direction. For smaller providers with limited legal teams, the choice is stark: comply and preserve, or refuse and risk prosecution. That dynamic incentivises rapid compliance — which, in a world of aggressive foreign demands, can become a “rubber stamp” risk. New Zealand Legislation
• Broadened offences under the Crimes Act mean that possessing or producing particular kinds of software could be criminalised. While aimed at malware authors and cybercriminal toolmakers, drafting can be blunt: code has legitimate uses (research, security testing), and offences with wide wording can chill defensive security research. The Law Society and others urged careful drafting and safeguards. New Zealand Law Society

Was there enough public debate?

You tell me: the government agreed in principle years ago (2020), consulted in 2020, and only in 2024–25 moved to finalise legislation and assent. The consultation materials and select-committee processes are available, and many legal and civil society groups made submissions (Law Society, Transparency NZ, privacy groups). But there are two honest critiques:

1. Timing and technical density — the subject is deeply technical and legal. A lot of the substantive change was tucked into a technical amendment bill and debated in the usual parliamentary timetable. For the average Kiwi the details of preservation directions and mutual assistance are not easy reading, and many people only learned about them once the media or advocacy groups highlighted risks. The select committee hearings included submissions, but the wider public arguably did not have an accessible, national conversation about the trade-offs. Citizen Space
2. Speed to adoption — accession on 1 December 2025 comes after a long policy process, but the final legislative window between assent (mid-2025) and accession (Dec 2025) is short. That compressed period leaves little time for newly elected or engaged citizens to influence detail or demand stronger safeguards before the treaty takes effect. Critics (including Transparency NZ) have said the government should have “made haste slowly” and ensured stronger public scrutiny. Transparency International New Zealand

So: yes there was formal consultation and parliamentary scrutiny, and submissions from Law Society and other bodies are on record — but was it enough in democratic terms? Many privacy and civil-liberties advocates say no. New Zealand Law Society

Where the safeguards are — and where I’d like better ones

Safeguards included in the new law and governance notes:

• Judicial and administrative review routes exist in places: people subject to a preservation direction can apply for review in limited circumstances. That’s not nothing — but in practice review happens after preservation and in secrecy regimes, so remedies can be delayed. New Zealand Legislation
• Parliamentary oversight and reporting — the select-committee reports and official documents provide a paper trail. That transparency is valuable for accountability, but it relies on activists and journalists to keep this in public view. Select Committees

What I’d like to see strengthened (and what civil-society groups recommended):

1. Sunset and review clauses — make the new powers subject to scheduled independent review (e.g., 24 months) with public reporting.
2. Stronger judicial oversight — require shorter timeframes for judicial review and consider warrant-level authorisation before some preservation actions.
3. Clearer limits for foreign requests — stronger tests before NZ acts on foreign requests (human-rights filters, notice thresholds, express prohibition if requesting jurisdiction lacks basic safeguards).
4. Safe harbour for legitimate security research — carve-outs so defensive security researchers and incident responders aren’t at risk for possessing dual-use code.
5. Robust transparency reporting — public, regular statistics about foreign requests, preservation directions issued, refusals, and prosecutions (with anonymity protections where justified). New Zealand Law Society

So — should we panic?

The Budapest Convention is, by design, a cooperative mechanism for nations to fight serious crime. There may be benefits: faster investigations, shared expertise, and a normative framework that aligns laws and helps evidence move across borders. New Zealand’s justice system, courts and institutions are strong, and the stated intention is to use these powers against serious offending. Portal

But it would be naive to pretend there are no trade-offs. The new preservation powers, non-disclosure requirements, and the streamlined mutual assistance channel are tools that can be used well — or misused. The protection of privacy, due process and free expression depends on how those tools are governed in practice, not just on whether Parliament nodded the bill through.

What you can do (if you care)

• Ask your MP what transparency and review mechanisms they will insist on after accession. Demand statistics on foreign preservation requests and outcomes.
• Support calls for independent review (civil-society groups like the Law Society and Transparency NZ made substantive submissions; amplify them). New Zealand Law Society
• If you’re in tech: lobby for explicit carve-outs for incident responders and security researchers.
• Stay informed: read the Justice Ministry and select-committee papers (they’re public) and follow reporting on how the powers are used.

Selected sources & documents I used

• Budapest Convention and Related Matters Legislation Amendment Act 2025 (full text). New Zealand Legislation
• Search and Surveillance Act 2012 — new Preservation Directions provisions (subparts inserted 1 Oct 2025). New Zealand Legislation
• NZ Ministry of Justice: Cybercrime policy and implementation materials. Ministry of Justice
• Beehive (Ministerial) release: New Zealand joins fight against cybercrime (24 Jul 2025). The Beehive
• Law Society submission on the Budapest Convention (November 2024). New Zealand Law Society
• Transparency International NZ commentary — Make haste slowly: the Budapest Convention (Aug 2025). Transparency International New Zealand
• Select committee / Cabinet papers on accession and consultation (DPMC / Cabinet papers 2020–2025)

   

**Usually I try and write all my blog posts myself, without any help from A.I, however in this case I needed much help to analyse the various pieces of legislation and summarise the findings, sorry.

Seeby Woodhouse is a NZ tech entrepreneur, CEO of Voyager and posts on Substack.