MBIE has opened consultation on the exposure draft of the highly anticipated Customer and Product Data Bill. The Bill establishes what has been referred to as a ‘Consumer Data Right’ (CDR).

In practical terms the CDR aims to bolster the rights of customers in respect of their data by allowing customers to instruct businesses in designated sectors to share their customer data with the customer and/or other trusted businesses (called “accredited requestors”). As an example, a customer could request its bank to share its data with an accredited requestor, who could in turn share the data with third parties the customer approves (such as its accountant, financial adviser or mortgage broker).

The Bill also requires businesses to make information about their products available in formats that can be automatically read and processed.

The CDR is initially expected to apply to the banking sector (with the energy, finance, insurance and health sectors to follow), but is intended to expand gradually over time to capture most if not all sectors of the economy. Access to data from these sectors should facilitate the development and growth of new data-driven products and services, with customers benefiting from increased competition and choice. These might include new products or services which run analytics on the data to support decision-making (e.g. in relation to extending finance or credit, improving energy efficiency or reducing carbon footprints).

Submissions on the Bill close by 5pm on Monday 24 July 2023. The Government will then aim to introduce the Bill to the House of Representatives before the end of 2023.

We have broken down some of the core elements of the Bill below:

Who does the Customer and Product Data Bill apply to?

The Bill applies to customers, data holders and accredited requestors.

The term customer refers to any person that acquires, or is seeking to acquire, goods and/or services from a data holder. This will include businesses and individuals.

Data holders are persons to be specified in regulations who hold designated customer data and/or designated product data of the kind specified in the regulations. It is intended that the Bill will eventually apply to the entire economy, but will be turned on gradually through designation regulations identifying particular data holders, product data and customer data. The Government has proposed that the banking sector will be the first sector to be caught by the regime. In the future it is expected that industries such as energy, finance, insurance, and health will follow. The Bill could have a significant impact on these sectors, as well as the technology suppliers who provide systems and services to support these sectors.

Accredited requestors are persons who have been granted accreditation under the regime and have been authorised by a customer to request that a data holder perform an action, or provide customer data pertaining to that customer. Initially accredited requestors might include fintechs wishing to have access to bank data to enable or facilitate the provision of their services.

The Bill will apply to both New Zealand agencies as well as overseas agencies in the course of them carrying on business in New Zealand in the designated sectors. For this purpose it will not matter where data is collected or held, or where the customer or product is located.

What data does the Customer and Product Data Bill apply to?

The Bill applies to designated data. This includes customer data and product data.

Customer data refers to data about an identifiable customer. Currently the Privacy Act only captures personal information about identifiable individuals, whereas the Bill is broader capturing data relating to customers, which could include companies and trusts.

The Bill also applies to product data, being data about a data holder in a designated sector’s products.

Under the proposed regime both customers and accredited requestors are able to make requests to data holders in respect of customer and product data.

How are privacy interests affected?

The Bill proposes to standardise privacy protections for the exchange of data and provide pathways for redress for breaches.

Data holders and accredited requestors are expected to have a complaints process in place which will enable customers to make complaints in respect of the conduct of data holders and accredited requestors.

The proposed regime has been constructed to provide similar (but in some case enhanced) protections as the IPPs under the Privacy Act. For example, although customer data requests under the regime are to be treated as IPP 6 requests under the Privacy Act, the process under the Bill is expected to be more streamlined to allow for easier access to customer data.

Under the proposed regime the Privacy Commissioner and Human Rights Review Tribunal will still have their existing functions and powers in relation to personal information. The Privacy Commissioner will also have powers in relation to matters in the Bill which relate to Privacy Act safeguards. MBIE will be monitoring compliance and enforcement beyond what is captured by the Privacy Commissioner under the Privacy Act.

How does the Customer and Product Data Bill protect Māori data?

It is expected that some of the data captured by the bill will be Māori data, which may include taonga (treasure). Before recommending that designation regulations be made the Minister must have regard to the interests of Māori customers and must also consult with hapū, iwi, Māori organisations and tikanga experts who have knowledge of te ao Māori approaches to data governance where Māori are substantially affected by the proposed designation regulations.

The discussion document released along with the Bill suggests the overall purpose of the regime could be consistent with some aspects of tikanga due to the value placed on safeguarding and protecting data, while also ensuring it is used to advance collective and individual wellbeing. However MBIE is interested in exploring this further and has specifically asked for feedback in respect of:

• how a Te Tiriti/Treaty and te ao Māori lens could strengthen the processes and decisions required in the draft law; and
• the opportunities or risks that the implementation of the draft law could present for iwi, hapū and Māori individuals, businesses and organisations.

What are the penalties under the proposed regime?

The Bill will include a range of enforcement options, including infringement offences, compensation orders, pecuniary penalties and criminal offences. MBIE proposes to take a liability tier based approach to the enforcement of penalties. There will be four tiers of penalties of up to $50,000 at the lower end (tier 1) and upwards of $5,000,000 at the higher end (tier 4). Tier 4 penalties relate to body corporates who knowingly, intentionally and/or recklessly mislead or deceive.

What’s next?

Interested stakeholders should consider making submissions on the Bill. Our team is happy to assist with any submissions and/or advice regarding how your organisation may be affected by the proposed regime. For confidential discussion on customer data rights, get in touch with one of our specialists Matt Smith, Mark Gavin, Sam Wilson and Nick Summerfield.