Clouded Judgement? AWS in New Zealand and the Cost of Digital Growth

BY SIMRiN MAHABIR

Introduction

In September 2025, Amazon Web Services (AWS) unveiled its eagerly awaited cloud infrastructure region in Auckland. Prime Minister Christopher Luxon praised the news, citing its economic potential. The $7.5 billion investment by AWS was portrayed as a sign of support for the tech industry in New Zealand. This is a significant milestone for New Zealand, resulting from the government’s cloud-first initiatives and new investment agency. However, critics caution that the headlines obscure the negative impacts. This article will examine the impact of the AWS deal on New Zealand’s economy and legal sphere, after first explaining what AWS is.

What is AWS?

For a great number of readers the idea of “cloud infrastructure” may be  unfamiliar. In basic terms, cloud computing offers governments, businesses and individuals the opportunity to place their data and operate software on distant servers as opposed to on individual computer systems and/or in-house server environments. AWS is one of the world’s largest providers of this infrastructure, offering cloud-based storage, processing capability and other forms of digital service to companies large and small, as well as government entities and others.

Economic Promises and Legal Oversight

The government and AWS highlight the financial benefits, and many local business executives applaud the investment. According to a news statement from AWS, the project would “create 1,000 new jobs annually” and “contribute NZD $10.8 billion to New Zealand’s gross domestic product GDP”. Prime Minister Luxon underlined that AWS is the “lifeblood of New Zealand business” and indicated  that the investment would supercharge growth and assist more productive enterprises. The money was also hailed by industry group NZTech as an “exciting moment” that will aid in the growth of information and computer technology (ICT) companies. Additionally, AWS signed a Memorandum of Understanding to train 100,000 New Zealanders in cloud capabilities, noting that over half that number have already received this training. 

However, several analysts believe that these advantages may be exaggerated. The GDP and employment figures are based on optimistic economic multipliers and are Çfrom the initial 2021 announcement. Tech sector analyst Peter Griffin therefore cautioned that one should take AWS’s statements with a “pinch of salt”. For instance, Amazon’s 1000 job figure will include people in supply-chain positions like telecoms engineers and maintenance personnel in addition to data centre operators. Therefore, it is not certain that hundreds of jobs will flow to Kiwis. Catalyst IT’s Managing Director Don Christie, a competitor in the cloud sector, notes that AWS has mostly rented space in others’ facilities rather than building its own, therefore meaning there’s likely to be only a few dozen jobs, as it is not difficult to “drop a few racks in a data centre” owned by another company.

The issue of who benefits in the end is related to regulatory environments. AWS needed clearance as a foreign investor under the Overseas Investment Act 2005 (OIA). In 2021–2022, Amazon had requested that former Prime Minister Jacinda Ardern designate officials to help accelerate consent and labour visas, as well as “fine-tune” New Zealand policies on cloud and data storage, according to the letters made public under an Official Information Act request.. The Overseas Investment Office granted the consent in March 2022 after concluding that the AWS satisfied the requirements for national interest.

On the planning end, there have already been reports of construction delays. AWS spent years digging a site in West Auckland, including draining a small wetland (removing a dabchick nesting habitat), but the project was stopped mid-stream. Luxon stated that data-centred consents under the previous Resource Management Act (RMA) procedure were more expensive and took a lot longer than in some other countries. The resource management system is currently being redesigned by his government to expedite renewable energy and infrastructure projects. Faster processes are also supported by industry: Spark NZ argues that New Zealand should expedite permitting “without compromising our equitable environmental standards”, pointing out that its own new data-centre facilities were granted through the COVID-19 Recovery (Fast Track Consenting) 2020 legislation. 

According to experts, current planning and procurement regulations serve as the primary means of control. The government’s Cloud First policy, which was revised in 2023, mandates that agencies use cloud services whenever feasible and permits the gradual hosting of “RESTRICTED” data at New Zealand based facilities. Under the New Zealand Government Protective Security Requirements, “RESTRICTED” information refers to material that could cause serious harm if compromised. The updated Cloud First settings allow certain “RESTRICTED” workloads to be stored in NZ-based cloud data centres, subject to accreditation and security controls. All government organisations can now purchase AWS (and other) services under consistent terms according to a standard cloud-services agreement issued by the Department of Internal Affairs.

Data Sovereignty Concerns

Although onshore data centre construction increases local control over data location, it also brings up other issues related to digital sovereignty. Data held in New Zealand is subject to the Privacy Act 2020, which includesInformation Privacy Principle 12 that regulates disclosures made outside of the country. It also implies that Aotearoa jurisdiction can be used to hold Māori data, which is regarded as taonga (treasured possession). Anthony Grasso and other information security experts point out that by keeping data in-country, having a local area enables agencies to comply with government obligations, particularly new Māori data standards. Prime Minister Luxon has praised this - a local AWS region is “a vote of confidence” that speeds up digital services and lessens dependency on foreign servers. 

Sovereignty, however, is not absolute. Amazon owns all of its cloud infrastructure in the United States. Legal experts point out that the US CLOUD Act allows US authorities to demand that Amazon turn over data housed on AWS servers, including those in New Zealand. “Only providers that operate entirely with[in] New Zealand cannot be forced to hand over data to other countries…” says David Zanetti, CTO of Catalyst Cloud. In actuality, this means that even if an AWS NZ region maintains data in New Zealand, sensitive personal or governmental data is nonetheless governed by the policies of AWS’s parent business. Although agencies’ use of the cloud is still subject to NZ law (IPP 12), compliance is contingent upon contractual protections and supplier confidence. For this reason, the government continues to promote taking into account local options: AWS and Microsoft now have a “Cloud First” framework agreement with NZ, however Catalyst Cloud, a 100% New Zealand-owned service, was only recently approved in 2024 as a third alternative for agencies. 

The framework’s increased efficiency, however, leaves many high-risk decisions at the discretion of each agency. Following AWS’s entry into NZ, there was no additional scrutiny other than the normal foreign-investment and procurement processes. This is significant given the unique nature of cloud infrastructure; while most commercial investments can host general data, AWS data centres can provide an abundance of sensitive, public, commercial and personal information, and their  operation intersects laws that exceed traditional corporate investment laws. For example, foreign-based cloud companies remain susceptible to U.S. law extraterritorial jurisdictional claims; therefore, wherever the physical location of the server(s) is located, the data hosted on them remains susceptible to foreign legal influence.

Critics have indicated that cloud-based services should be treated differently from ordinary commercial investments, and therefore, may warrant higher levels of regulatory scrutiny. As noted above, digital sovereignty has emerged as a key area of discussion in today's technology policy landscape, with countries around the world evaluating how to strike a balance between openness and strategic independence. Concentrating all of the country's most important digital infrastructure into the possession of a single foreign-owned company, raises several questions regarding the systemic risk associated with the loss of the country's digital infrastructure, national resiliency, and reliance on foreign companies for long term digital services. While physical infrastructure may only exist within one jurisdiction, digital infrastructure may be susceptible to multiple overlapping jurisdictions and various forms of geopolitical pressure. Therefore, countries who are serious about achieving digital sovereignty, typically implement frameworks that exceed the traditional review process used by investment agencies. The lack of enhanced review and/or sector-specific safeguards may be indicative of a regulatory gap, rather than sufficient regulatory protection.

Security and Privacy Concerns

Additionally, there are cybersecurity and privacy concerns. Theoretically, hosting financial or health data in New Zealand enhances data governance and response times. However, it also centralises enormous caches of private data which is a part of AWS’s security justification for maintaining geographical secrecy.

Any breach would have a significant impact because, as one defence analyst put it, “data centres are an aggregation of [...] your company’s or your government’s or your community’s most important information.” Amazon responds by pointing to its global security credentials and compliance with frameworks such as the United States’ FedRAMP and the European Union’s General Data Protection Regulation (GDPR), and by emphasising its “shared responsibility model”, under which customers are responsible for configuring their own security controls. However, critics argue that this model places unrealistic expectations on users, particularly small businesses and public sector agencies that may lack the technical expertise or resources to implement robust cybersecurity configurations. While AWS may provide secure infrastructure, misconfigurations by users have been a leading cause of serious cloud data breaches globally.

Independent reports suggest that the vast majority of cloud security failures are due to customer misconfiguration or error rather than provider faults, reinforcing the limits of the “shared responsibility model”. Misconfigured IAM roles, overly permissive access policies and exposed storage buckets have been linked to high profile breaches including incidents where attackers exploited these implementation gaps to access sensitive data. Moreover, although AWS has historically complied with strict regulatory obligations, there is no guarantee that these standards will remain consistent particularly given geopolitical and legislative sifts such as the US CLOUD Act, which can compel US cloud providers to disclose data they control even when stored overseas. In this case, reliance on corporate assurances alone may be insufficient to protect New Zealand consumers and public data from significant risk. 

Therefore, New Zealand only gets more digital “control” on paper; strong legislation and regional competitiveness are still necessary for actual sovereignty. Chris Cormack of Catalyst Cloud contends that New Zealanders must make sure their data, even if it is in NZ, is protected by NZ law by being “stored in New Zealand legal jurisdiction only”.  The government’s current strategy has been to update privacy regulations and encourage cloud adoption, but some privacy activists argue that authorities shouldn’t overlook the wider picture of threats associated with international supply chains. 

Conclusion

With the promise of quicker services, new tech employment and skill training, and integration into international digital markets, it is still obvious that New Zealand stands to gain from AWS’s investment. It is portrayed by officials as a watershed moment for the economy of New Zealand. However, this is hardly an easy victory. Many details are still unclear behind the hype, like the locations of the centres, what this means for New Zealand’s digital sovereignty, and the ultimate cost to New Zealand taxpayers, if any. Without strict control, local experts caution that the project may violate New Zealand’s cultural and environmental values. Kiwis must consider whether we want to shape our future, or let big tech do it for us. It will be difficult for the government to achieve the promised benefits of jobs, innovation and productivity whilst upholding the protections (in planning, and data legislation) that preserve New Zealand’s image,digital independence, and taonga. Whether AWS’s entrance is a true blessing for the 21st century, or a warning for the future of the nation, will depend on this balancing act.

The views expressed in the posts and comments of this blog do not necessarily reflect those of the Equal Justice Project. They should be understood as the personal opinions of the author. No information on this blog will be understood as official. The Equal Justice Project makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The Equal Justice Project will not be liable for any errors or omissions in this information nor for the availability of this information.