In this episode, Special Counsel Sonya Forbes and Senior Associate Suzy McMillan delve into consumer data rights in New Zealand, providing an insightful overview of the recently released Customer and Product Data Bill (the Bill).
[1:26] Sonya and Suzy start by explaining what a consumer data right (CDR) is and why it is important to both consumers and businesses in New Zealand. Sonya illustrates the concept further by providing tangible examples of how customer data can be used, with Suzy observing that use of the CDR may create opportunities for innovation and encourage competition that benefit consumers.
[5:01] They discuss the current status of the Bill which was introduced to Parliament in May this year. The Bill intends to create a statutory CDR, noting it is still subject to change as it moves through the Parliamentary process and requires a range of details to be prescribed in regulations and standards, which are yet to be developed.
[6:30] Sonya outlines one of the Bill’s main purposes; establishing a statutory right for consumers to require data holders to share their customer data with third party providers known as accredited requestors. Suzy notes that consent (or authorisation) will be at the heart of this proposed regime and essential to its functioning. She then highlights several specific issues relating to authorisation under the proposed regime.
[10:11] Sonya then considers the other main actions proposed by the Bill; firstly, the establishment of a statutory obligation for businesses to release certain information about their products (product data), and secondly the ability of certain classes of accredited requestors to make decisions and take steps on the customers behalf when directed by the customer (known as action initiation).
[12:20] Suzy and Sonya discuss the potential offences and penalties for non-compliance under the Bill, outlining where legal risk in the regime lies. Suzy also highlights the potential crossover between this new law and the Privacy Act 2020 in relation to non-compliance.
[14:21] They then canvas which type of data holders might be captured under the Bill. Sonya notes that the regime is intended to be introduced on a sector-by-sector basis using designation regulations.
[16:50] Sonya explains who accredited requestors might be and what responsibilities they might have within the CDR ecosystem under the Bill.
[19:37] They discuss the role of designation regulations and technical standards within the regime and the particular role that standardised Application Programming Interfaces (APIs) will play.
[24:07] Suzy then considers in-depth, the interplay between the Bill and the Privacy Act 2020, noting how for the most part the Bill relies on the existing protections already established by that Act.
[29:04] They close off the interview by considering what industries and businesses can do to best prepare for and navigate these changes which lie ahead should the Bill come into force as a new law.
Information in this episode is accurate as at the date of recording, 18 June 2024.
Please contact Sonya Forbes or our Technology team if you need legal advice and guidance on any of the topics discussed in the episode.
Please get in touch to receive an episode transcript. Please don’t forget to rate, review or follow MinterEllisonRuddWatts wherever you get your podcasts. You can also sign up to receive technology updates via your inbox here.