The bill that changes everything
New Zealand’s Deepfake Digital Harm and Exploitation Bill, introduced in October 2025, amends the Crimes Act and the Harmful Digital Communications Act to explicitly criminalise the creation, distribution and threatened sharing of AI-generated intimate images without consent. It passed its first reading with cross-party support. It comes into force the day after Royal assent.
The practical consequence for employers is immediate. Once this law takes effect, an employee who uses a workplace AI tool, or a personal tool on a work device, to generate a sexualised image of a colleague, client or any identifiable person without consent is committing a criminal offence. The maximum penalty under existing law for the underlying offence is two years’ imprisonment and a $50,000 fine.
This is not hypothetical. NZ’s first deepfake porn prosecution was brought in October 2025. The victim described losing a career opportunity because the images appeared when her name was searched. That reputational harm attaches to organisations as readily as to individuals.
Voluntary guidance meets hard law
In July 2025, MBIE published its Responsible AI Guidance for Businesses. It is explicitly voluntary. It creates no enforceable obligations. But it confirms that businesses deploying AI must comply with all existing NZ legislation, including the Privacy Act 2020. Once the deepfake bill passes, the list of existing legislation businesses must navigate gets longer and sharper.
The MBIE guidance references the EU AI Act as the international benchmark and notes that Australia, Singapore, the UK and the US are all developing binding frameworks. New Zealand’s current “proportionate, risk-based approach” is the government’s preferred framing, but the gap between voluntary guidance and criminal liability is exactly where businesses get caught. Having a policy matters less than having the right policy, and right now most employers have neither.
The scale of harm driving faster regulation
The Classification Office’s nationally representative survey, published in January 2026, found that 66% of New Zealand adults have encountered extreme or illegal content online. Among those exposed in the past year, 27% reported experiencing harm, with 44% of that group describing the impact as very or extremely harmful. Only 7% reported to Netsafe and 1% to Police, suggesting massive under-reporting.
In January 2026, Newsroom reported that at the height of the deepfake crisis on X, two non-consensual sexual images were being generated every second. The Internet Watch Foundation found Grok was being used to generate nude images of children aged 11 to 13. Internal Affairs Minister Brooke van Velden stated that “AI-generated non-consensual deepfakes are degrading and deeply harmful” and indicated officials would monitor developments. For businesses, “monitoring” means more regulatory action is coming.
Prosecution just got easier
Before the bill, police could only prosecute deepfake offences by proving intent to cause harm, a standard legal experts described as notoriously difficult to meet. The result was hundreds of Netsafe complaints and one prosecution. Police did not even have an offence code to track deepfake cases.
The bill mirrors the 2022 revenge porn amendments, which shifted the burden of proof to the perpetrator. That model worked. Once this bill passes, prosecutions become materially easier, and any employer without an AI use policy, training programme and documented guardrails will find themselves exposed.
Five things to do before the bill passes
The compliance clock started in October 2025. Businesses should act now.
First, audit which generative AI tools employees are using, on what devices, and whether any have image generation capability. Second, draft or update an AI use policy that explicitly covers what employees can and cannot generate, with consent requirements for using real people’s images. Third, document consent for any AI-generated imagery of real people used in marketing or internal communications. Fourth, conduct and record a risk assessment of deployed AI tools, even though MBIE’s guidance is voluntary, because the paper trail matters when things go wrong. Fifth, brief HR and legal teams, because employee misuse of AI image tools is about to become a criminal matter and investigation processes need to reflect that reality.
Act MP Laura McClure, who introduced the bill, reported growing concern from schools, with principals and parents flagging a rise in deepfake incidents. Any business that operates education programmes, employs young people, or sits on a school board has a governance obligation that is about to sharpen considerably.
The businesses that treat this as someone else’s problem will discover, after the first employee complaint or prosecution, that governance failures become legal exposure faster than any crisis management plan can contain.
Sources
- 1News: NZ makes first deepfake porn prosecution, but are we equipped for AI onslaught? (2025-10-16)
- Newsroom: Political parties respond to spread of sexual deepfakes on X (2026-01-14)
- Classification Office: Online Exposure survey (2026-01-27)
- RNZ: How would a move to criminalise pornographic deepfakes in New Zealand work?