This page is about a bill. That means that it's not the law yet, but some people want it to be the law. It could change quickly, and some of the information is just a draft.

Customer and Product Data Bill

Introduction

You could also call this:

“Explaining the bill's parts and what they mean”

This bill proposes to create a new law called the Customer and Product Data Bill. Here’s what it aims to do:

The law would set up a system to make certain data more valuable, encourage competition and new ideas, and make data services in some areas more secure, standardised, and efficient.

It would do this by making it easier for you to access and use information that companies have about you. It would also improve access to information about products and set up rules for how data services should work.

The law would define important terms like ‘data holder’ (a person or company that has information about customers or products) and ‘customer’ (someone who buys or wants to buy goods or services).

You would be able to give permission for your data to be shared, but there would be rules to make sure you understand what you’re agreeing to. Companies would need to check that they’re only sharing what you’ve allowed.

The law would create new offences. For example, if someone knowingly asks for data they’re not allowed to have, they could be fined or even go to prison.

Companies would need to have ways to handle complaints about data services. They might also need to join a dispute resolution scheme.

The law would work alongside existing privacy laws, with some special rules about how they interact.

Overall, this law aims to give you more control over your data and make it easier for you to use it in ways that benefit you.

This text is automatically generated. It might be out of date or be missing some parts.

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS700097-clause-by-clause-analysis.


Clause by clause analysis

Clause 1 is the Title clause.

Clause 2 provides for the Bill to come into force on the day after Royal assent.

Part 1 Preliminary provisions

Clause 3 sets out the overall purpose of the Bill, which is to establish a framework to—

  • realise the value of certain data; and

  • promote competition and innovation; and

  • facilitate secure, standardised, and efficient data services in certain sectors.

The Bill achieves this purpose by improving the ability of customers to access and use data held about them by participants in those sectors, improving access to data about products, and standardising safeguards, controls, standards, and functionality in connection with data services.

Clause 4 sets out an overview of the Bill.

Clauses 5 to 10 define various key terms used in the Bill, including—

  • data holder. This is a person of a class specified in regulations made under the Bill that holds customer data or product data of a kind that is designated in those regulations (designation regulations):

  • accredited requestor. This is a person that is accredited under subpart 3 of Part 5:

  • customer. This is a person who acquires, or is seeking to acquire, goods or services from a data holder. Customer data is data that is about an identifiable customer that is held by a data holder:

  • regulated data service. This is the service of providing data, or performing an action, under Part 2:

  • standards. Standards are made under clause 132.

Clause 11 provides that the Bill applies to—

  • New Zealand agencies; and

  • overseas agencies in relation to conduct in the course of carrying on business in New Zealand.

Clause 11 is based on section 4 of the Privacy Act 2020.

Clause 12 relates to the transitional, savings, and related provisions set out in Schedule 1.

Clause 13 provides for the Bill to bind the Crown. See also clause 115, which relates to Crown organisations being customers, data holders, or accredited requestors.

Part 2 Regulated data services

Part 3 Protections

Clauses 36 to 41 provide for matters relating to a customer (or secondary user) giving an authorisation to another person. In summary,—

  • an authorisation is given if the customer (or secondary user) is reasonably informed about the matter, it is given expressly in the manner prescribed by the regulations and the standards, and it has not ended:

  • before providing a regulated data service on the request of an accredited requestor, the data holder must check that the service is within the scope of the authorisation given by the customer (or secondary user):

  • a data holder must have systems in place to enable an authorisation to be changed:

  • an accredited requestor must comply with the duties in respect of authorisation that are prescribed by the regulations or standards. For example, duties relating to ensuring that the customer (or secondary user) is reasonably informed and how an authorisation may be obtained:

  • a person must not require a customer to authorise a regulated data service as a condition for providing some other goods or service unless the data service is reasonably necessary to enable the person to provide the other goods or service.

Clause 42 provides that only customers, secondary users, and accredited requestors may request, or purport to request, regulated data services.

Clause 43 creates an offence for a person to knowingly make a request that they are not permitted to make. A person that commits the offence is liable,—

  • in the case of an individual, to imprisonment for a term not exceeding 5 years or to a fine not exceeding $1 million (or both):

  • in any other case, to a fine not exceeding $5 million.

Clause 44 requires a data holder to verify the identity of a person who makes a request for a regulated data service.

Clauses 45 and 46 require data holders and accredited requestors to maintain certain records.

Clause 47 requires a data holder or an accredited requestor to maintain policies relating to customer data, product data, and action performance.

Clause 48 provides for a contravention of certain policy requirements to be an infringement offence. Those requirements will be specified by the regulations or standards for the purposes of this clause.

A person who contravenes other, more significant policy requirements may be liable to a pecuniary penalty and other civil liability consequences under subpart 6 of Part 4.

Clauses 49 to 51

  • require a data holder or an accredited requestor to have a complaints process relating to its conduct in connection with regulated data services; and

  • require a data holder or an accredited requestor to be a member of a dispute resolution scheme if a scheme has been prescribed by the regulations; and

  • allow dispute resolution scheme rules to be modified to cover complaints about regulated data services.

Clause 52 provides that a request for data under the Bill (that involves personal information) is not a request under information privacy principle 6 (access to personal information) set out in section 22 of the Privacy Act 2020. This means that requirements under subpart 1 of Part 4 of that Act do not apply to the request. However, certain contraventions under this Bill are treated as an interference with the privacy of an individual for the purposes of Parts 5 and 6 of the Privacy Act 2020 (which relate to complaints, investigations, proceedings, notifiable privacy breaches, and compliance notices).

Clause 53 relates to various data storage and security requirements imposed under this Bill. Contraventions of those requirements under this Bill must be treated as breaching information privacy principle 5 (storage and security of personal information) set out in section 22 of the Privacy Act 2020. This means that the contraventions may involve an interference with the privacy of an individual for the purposes of Parts 5 and 6 of the Privacy Act 2020.

Part 4 Regulatory and enforcement matters

Part 5 Administrative matters