The Customer and Product Data Bill (the Bill) has been introduced to Parliament and can be read here.

The Bill seeks to introduce a framework to enable customers to have more control over their data, allowing them to safely and securely access, manage, and share their data with others. The Bill will establish what is commonly referred to as a ‘consumer data right’ in New Zealand. 

What does the Bill do?

The overarching purpose of the Bill is to allow customers to consent for their data to be shared across businesses and to trusted third parties. The Bill provides the baseline framework for how this regime will broadly apply but will be subject to sector-specific regulations and standards once implemented. 

Some of the key features of the Bill include: 

• A robust consent mechanism to ensure customers clearly understand and agree to the use of their information by data holders and accredited requestors. 
• The ability for data holders to share information about a customer at the customer’s request, or the request of an accredited requestor. 
• The ability for accredited requestors to perform “action initiation” for customers, including the ability to apply for new products or services. 
• A requirement to operate an electronic system for providing regulated data services with reasonable reliability. 
• A requirement for data holders and accredited requestors to have a complaints process in place for their regulated data services. 
• A requirement that joint customers and secondary users of customer data are dealt with in accordance with the regulations.

Overall, the Bill aims to improve customers access to, and control over their data, by allowing data holders and accredited requestors to work together to share customer and product data. Customers will be able to access data held about them, and allow trusted third parties to access it on their behalf.

What’s new?

In June 2023, the Ministry of Business, Innovation and Employment (MBIE) released an exposure draft of the CPD Bill and sought public submissions. You can read our alert on the consultation draft here.

Following a large number of submissions, the Bill introduced into Parliament has undergone a number of changes, including:

• Data holders are now able to refuse requests for data in limited circumstances, where previously the Bill did not allow this on the basis of Information Privacy Principle 6 of the Privacy Act 2020.
• Data holders no longer have to share all product data on request. The Bill now allows for product data which is not publicly available, or is commercially sensitive, to be withheld. 
• The concept of outsourced providers has been removed. Outsourcing is now going to be addressed by preexisting legal principles and participants in the system. 
• The amount of compensation available to customers for a breach of the law has been removed from the Bill and will instead be addressed in the regulations. 
• There is now an option for the regulations to require data holders and accredited requestors to join a dispute resolution scheme. The Bill also now confirms that customers can use the Disputes Tribunal to resolves disputes if a data holder or accredited requestor is not a member of an industry dispute resolution scheme. 
• Secondary users (such as parents of those under 18) are now able to be the only prescribed decision maker for a customer. 
• The Bill also includes a penalties and offences regime where the exposure draft did not. The lowest penalty, such as for a failure to meet disclosure requirements, is an infringement notice of $2,000. The highest penalty, where a person knowingly makes a request for regulated data services they are not permitted to make, can net a fine of up to $5 million for body corporates or $1 million for individuals, or imprisonment of up to five years. 

A full summary of the changes to the Bill from the exposure draft has been provided by MBIE and can be accessed here.

Next Steps 

The CPD Bill will impact a range of organisations operating in key sectors such as banking, energy and telecommunications, and may require significant technological upgrades and the development of new compliance processes. 

The implications of the Bill will also need to be carefully considered by those banks and FinTechs already operating in the ‘Open Banking’ space to ensure that the new law appropriately leverages the work that has already been undertaken in the industry and creates a cohesive and workable framework for industry participants.

If you have any questions regarding the Bill or would like assistance in drafting a submission to the Select Committee in due course, please feel free to get in touch with one of our subject matter experts. 

This article was co-authored by Rosie Park (Senior Solicitor) and Thomas Anderson (Solicitor) in our Corporate and Commercial team.