This page is about a bill. That means that it's not the law yet, but some people want it to be the law. It could change quickly, and some of the information is just a draft.

Customer and Product Data Bill

Introduction

You could also call this:

“A simple explanation of how this law wants to make it easier for you to control and share your information”

This bill wants to make it easier for you to use and share your information with different businesses. It’s called a “consumer data right” and it will change how companies handle your data.

The bill aims to give you more control over your information. This means you can more easily switch between companies for things like banking, electricity, and phone services. You’ll know your data is safe and only shared when you say it’s okay.

The bill will help create new products and services by allowing companies to share customer and product information. This might make it easier for new companies to compete with big ones. It will also make it simpler and cheaper for companies to work together with your data.

If this bill becomes law, companies that have your information will have to give it to you when you ask. They’ll also have to share it with other companies if you say it’s okay. These companies will need to be approved first to make sure they’re trustworthy and can keep your information safe.

The bill will also make companies share information about their products and services when asked. This could help you compare different options more easily.

To keep your information private, the bill includes safety measures. These will work alongside existing privacy laws to protect you.

The government will check that companies are following the new rules. If they’re not, they could get in trouble.

The new rules won’t apply to all businesses at once. They’ll start with one type of business, like banks, and then add others over time. This will help make sure the system works well before it’s used everywhere.

The bill is based on ideas from other countries and feedback from people in New Zealand. It’s meant to work alongside any plans that businesses are already making to share data better.

This text is automatically generated. It might be out of date or be missing some parts. Find out more about how we do this.

This page was last updated on

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS700097-general-policy-statement.



Next

Departmental disclosure statement, or

“Government explains how they made this new law”

General policy statement

The purpose of the Bill is to establish an economy-wide framework to enable greater access to, and sharing of, customer and product data between businesses. This is commonly referred to as a consumer data right. The intention is to give customers (including both individuals and entities) in designated sectors greater control over how their customer data is accessed and used, promote innovation and facilitate competition, and facilitate secure, standardised, and efficient data services. The Bill will—

  • give customers greater control over their data. This will make it easier for them to shop around and switch providers for services such as banking, electricity, and telecommunications, and allow them to have greater trust that their data is secure and only shared for their benefit, and with their knowledge and authorisation; and

  • enable innovation as it will facilitate the introduction of new products and services that are only viable when customer data and product data is shared; and

  • facilitate competition by creating new opportunities for new entrants to break into established markets, and remove barriers that are preventing customers from being able to access and share their data, including a lack of incentives for data holders to transfer data to third parties; and

  • enable efficient data services, through accreditation of data recipients that removes the need for separate due diligence and high costs in negotiating bilateral agreements; and

  • provide a standardised and secure way for customers to access and use their customer data, to access product data, and for actions to be performed on their behalf, which removes the need for bespoke interfaces or workarounds.

The Bill aims to achieve this by requiring businesses that hold designated customer data (data holders) to provide that data to the customer and, with the customer’s authorisation, to accredited third parties. The Bill will require data holders to perform actions in response to electronic requests from customers and accredited third parties (with customer authorisation), such as opening accounts, making payments, or changing customer plans. The Bill will also require product data, which is data about a data holder’s goods and services, to be made available electronically on request.

To protect the privacy of individuals and confidentiality of customer information, the Bill provides privacy safeguards. The privacy safeguards in the Bill will complement existing protections in the Privacy Act 2020, which will continue to apply except where the Bill says otherwise. This will allow customers to derive value from their data without compromising their privacy or data security. The Bill sets out a framework for the accreditation of third parties. Only accredited third parties with the authorisation of customers will be able to request customer data from data holders or request actions on a customer’s behalf. The chief executive of the Ministry of Business, Innovation, and Employment (the chief executive) will be responsible for the accreditation of third parties. Accreditation is intended to check and certify that accredited third parties are trustworthy, competent, and secure. Once accredited, third parties will be able to request and receive data from data holders electronically, securely, and in a standard machine-readable format.

The Bill provides for a full range of compliance and enforcement powers, from powers aimed at supporting willing compliance to powers aimed at detecting and penalising non-compliance. The Bill provides that the chief executive enforces the Bill, alongside the Privacy Commissioner who will continue to have investigation, guidance, enforcement, and redress powers over obligations in the Privacy Act 2020.

The Bill will be applied to 1 sector at a time via a designation process. Applying the same legislative framework to different sectors will improve certainty and predictability for businesses operating in multiple markets. The interoperability among different sectors enabled by a consistent framework is intended to support further innovation.

The Minister of Commerce and Consumer Affairs is responsible for recommending the designation of individual markets, industries, and sectors to which the Bill will apply. The designation will specify the type of data and functionality that is required to be made available to accredited requestors, customers, or both, and will be accompanied by rules and standards that govern the transfer of that data. To achieve this, the Bill delegates a significant amount of detail to secondary legislation, which enables flexibility to adjust to different sectors of the economy. The first sector to be designated will be the banking sector.

The Bill has been designed in response to submissions on the Ministry of Business, Innovation, and Employment’s 2020 discussion document on establishing a consumer data right in New Zealand, which identified issues with current data portability settings. Australia, the United Kingdom, and Europe have introduced open banking or consumer data right regimes. Australia takes a similar sector-based approach and has applied its consumer data right to the banking and energy sectors.

It is intended that the Bill should not prevent industry-led options from being progressed in parallel to regulatory intervention and where possible, should seek to leverage that work, for example by making use of existing industry standards, technologies, and expertise.