The Economic Development, Science and Innovation Committee (the Committee) recently released the Select Committee report (Report) on the Customer and Product Data Bill (the Bill). The Report sets out key recommendations and amendments that the Committee considers should be made to the Bill prior to the Bill advancing to the second reading stage. 

Background to the Bill 

The Bill seeks to introduce a framework to enable customers to have more control over their data, allowing them to safely and securely access, and share their data with, and between, businesses. The Bill will establish what is commonly referred to as a ‘consumer data right’ in New Zealand. You can read our previous alert on the Bill here. 

What does the Bill do? 

The overarching purpose of the Bill is to allow customers to consent to their data to be shared across businesses and to trusted third parties. The Bill provides a baseline framework for how this regime will broadly apply but will be subject to sector-specific regulations and standards once implemented.

Some of the key features of the Bill include: 

• A robust consent mechanism to ensure customers clearly understand and agree to the use of their information by data holders and accredited requestors. 
• The ability for data holders to share information about a customer at the customer’s request, or the request of an accredited requestor if authorised by the customer. 
• The ability for accredited requestors to perform “action initiation” for customers, including the ability to apply for new products or services. 
• A requirement to operate an electronic system for providing regulated data services with reasonable reliability. 
• A requirement for data holders and accredited requestors to have a complaints process in place for their regulated data services. 

The Bill aims to improve customers’ access to, and control over their data. It allows data holders and accredited requestors to work together to safely and securely share customer and product data. Customers will be able to access the data held about them, and authorise trusted third parties to use it on their behalf.  

What’s new? 

In December 2024, the Committee released the Report on the Bill following completion of the Select Committee stage. The Report outlines various suggested changes to the Bill reflecting feedback received by interested parties, including the need to provide adequate privacy protections while ensuring strong adoption of the framework, safeguarding data holders from potential liability, and streamlining the development of sector-specific standards. The Report provides explanations for these changes, as well as an amended version of the Bill. 

The Report recommends: 

• A new defence should be added for claims against data holders when the data holder provides data to any other person. The defence protects data holders when they have provided data for an accredited requestor in good faith, or when the data holder took reasonable precautions or completed due diligence when providing the data. This will be a welcome addition for data holders.
• Accredited requestors no longer need to comply with regulations or standards for the use, modification, or disclosure of derived data, on the basis that this would increase costs for uptake. Accredited requestors will still need to comply with regulations and standards when making derived data available. 
• The Chief Executive should have the power to approve a non-public service person to develop and maintain specific-sector standards. 
• Any interference with privacy is managed through the procedures and remedies contained in the Privacy Act 2020. This will help mitigate the concerns raised by some submitters about the risk of forum-shopping and potential double-dipping if claims in relation to breaches of privacy were able to be made under various regimes. 
• Data holders may refuse a request for data if they reasonably believe that the action would likely cause serious financial harm, or if the request was made as a consequence of deception. Additionally, an accredited requestor should be prohibited from accepting an authorisation or instruction if it believed that the authorisation or instruction was given under threat of physical or mental harm. This change will effectively establish a joint duty of care for both data holders and accredited requestors in protecting customers where there is a risk of harm. 
• Those applying for accreditation should be of good character and able to demonstrate that they can comply with the provisions of the law and maintain adequate security safeguards to protect data received under the law. These additional requirements will impose higher standards of care on accredited requestors to ensure only responsible and competent service providers are able to attain accreditation under the law. 
• Simplifying some of the other administrative compliance requirements imposed on data holders and accredited requestors to minimise unnecessary compliance costs, such as removing the need for these parties to develop, publish, implement, and maintain policies relating to customer data, product data, and actions performed under the legislation. 

The full Report from the Committee can be accessed here. 

Next steps

The Customer and Product Data Bill will impact a range of organisations operating in key sectors such banking, energy, and telecommunications, and may require technological upgrades and the development of new compliance processes. It will be crucial for organisations operating in these sectors to appropriately prepare for the impending implications of the Bill, specifically in the banking and FinTech space, where the new law will need to be carefully considered alongside the work that has already been undertaken in connection with ‘Open Banking’. Organisations already in the planning stages of implementing systems and processes to give effect to the Bill will need to ensure that they understand these latest proposed changes and action any changes needed to align with these new amendments.   

It is now also an opportune time for offshore service providers operating in the global open data eco-system to consider the regulatory requirements needed to be met to enter the New Zealand market. We consider there is a real value proposition here for offshore service providers to leverage vital market share by being ‘first to market’ with new service offerings for New Zealand customers - who will be looking to take advantage to the broader data access rights under the Bill.

The Bill is scheduled to have its second reading in early 2025 where the changes posed in the Report will be debated in Parliament. 

If you have any questions regarding the Bill and would like assistance in preparing for its implementation, please feel free to get in touch with one of our experts. 

This article was co-authored by Summer Clerk Connor Turton in our Corporate and Commercial team.