Every time a New Zealand enterprise uses GPT-4, the data travels to a Microsoft data centre in the United States. Every prompt, every document, every query. For many use cases, this is fine. For health, government, and sensitive enterprise data, it raises questions we should be taking seriously.
The Current State
The dominant AI models - GPT-4, Claude, PaLM - are operated by American companies on American infrastructure. When a New Zealand organisation uses these models, the data processing happens offshore. This is the default, and for most commercial applications, the default works.
But New Zealand has specific circumstances that make data sovereignty more than an abstract concern.
John: From a technical perspective, the issue is straightforward. API calls to OpenAI, Anthropic, or Google transmit your data to their servers for processing. The data may be cached, logged, or used for model improvement depending on the vendor's terms and your service agreement. Even with contractual protections, the data has left New Zealand's jurisdiction and is subject to US law, including potential government access under legislation like the CLOUD Act.
For many enterprise use cases - internal productivity, general-purpose writing assistance, code generation - this is an acceptable trade-off. The data isn't sensitive, and the convenience and capability outweigh the jurisdictional risk.
For other use cases, it's not acceptable at all.
Where Sovereignty Matters
Health Data
New Zealand's health system is publicly funded and holds some of the most sensitive personal data in the country. Health records, mental health notes, genetic information, addiction histories. The potential for AI in health is enormous - clinical decision support, administrative automation, population health analysis. But sending NZ health data to US servers for AI processing raises significant concerns under the Health Information Privacy Code and the Privacy Act 2020.
Isaac: This isn't theoretical. We're already seeing health organisations explore AI for clinical applications. The question of where data is processed isn't a technical footnote - it's a governance requirement. And right now, there aren't many options for processing health data through AI systems within New Zealand's jurisdiction.
Government Data
Government agencies hold data about citizens, communities, and national infrastructure. AI applications in government - policy analysis, service delivery, compliance monitoring - require that data be handled within frameworks that respect both the Privacy Act and Te Tiriti o Waitangi obligations, including Māori data sovereignty principles.
The US CLOUD Act allows American authorities to compel US-based companies to produce data stored on their servers, regardless of where the data originated. For New Zealand government data processed through US-hosted AI services, this creates a legal exposure that most agencies haven't fully assessed.
Sensitive Commercial Data
Trade secrets, M&A analysis, competitive intelligence, regulatory submissions. Enterprises routinely process commercially sensitive information, and AI is increasingly part of that processing. The question isn't whether the vendor will intentionally misuse your data. The question is: who else might access it, under what legal frameworks, and would you know?
0
major AI model providers operating data centres in New Zealand as of mid-2023
Source: Industry assessment, 2023
What Sovereign AI Looks Like
Sovereign AI doesn't mean building our own GPT-4. New Zealand doesn't have the compute, the talent, or the budget to train foundation models from scratch. It means building the infrastructure to run AI workloads within our jurisdiction.
Self-Hosted Models
Open-source models (LLaMA, Falcon, Mistral) can be deployed on local or regional infrastructure. They're not as capable as GPT-4 for general tasks, but for specific enterprise applications, fine-tuned open-source models can match or exceed commercial models.
John: The practical architecture is: use open-source models on NZ-hosted infrastructure for sensitive workloads. Use commercial API models for non-sensitive workloads. Build a routing layer that directs queries to the appropriate model based on data classification. This isn't simple, but it's well within the capability of a competent engineering team.
Regional Data Centres
Microsoft and AWS both have data centres in Australia. While not in New Zealand, Australian hosting brings the data closer and under a more aligned legal framework (the Five Eyes arrangement notwithstanding). For some use cases, Australian hosting may be an acceptable middle ground.
NZ-Based AI Infrastructure
This is the longer-term play. New Zealand needs compute infrastructure capable of running AI workloads at enterprise scale. This requires investment from government and private sector, and it requires a strategic decision that AI sovereignty matters enough to fund.
What Enterprises Should Do Now
- Classify your data. Not everything is sensitive. Identify which data categories require sovereign processing and which don't.
- Assess your vendors. Understand where your AI vendors process data, what they do with it, and what legal jurisdictions apply.
- Build hybrid architectures. Don't choose between cloud AI and sovereign AI. Use both, with clear routing based on data sensitivity.
- Advocate for NZ AI infrastructure. This is a collective action problem. Individual enterprises can't build national AI infrastructure, but they can signal demand.
- Watch the open-source space. The capability of open-source models is improving rapidly. Models that were uncompetitive six months ago are now viable for specific enterprise tasks.
Isaac: Data sovereignty isn't the most exciting AI conversation. It doesn't demo well and it doesn't make headlines. But the decisions we make now about where NZ data gets processed will have implications for decades. Getting this right matters.