General policy statement
The purpose of the Bill is to establish an economy-wide framework to enable greater access to, and sharing of, customer and product data between businesses. This is commonly referred to as a consumer data right
. The intention is to give customers (including both individuals and entities) in designated sectors greater control over how their customer data is accessed and used, promote innovation and facilitate competition, and facilitate secure, standardised, and efficient data services. The Bill will—
give customers greater control over their data. This will make it easier for them to shop around and switch providers for services such as banking, electricity, and telecommunications, and allow them to have greater trust that their data is secure and only shared for their benefit, and with their knowledge and authorisation; and
enable innovation as it will facilitate the introduction of new products and services that are only viable when customer data and product data is shared; and
facilitate competition by creating new opportunities for new entrants to break into established markets, and remove barriers that are preventing customers from being able to access and share their data, including a lack of incentives for data holders to transfer data to third parties; and
enable efficient data services, through accreditation of data recipients that removes the need for separate due diligence and high costs in negotiating bilateral agreements; and
provide a standardised and secure way for customers to access and use their customer data, to access product data, and for actions to be performed on their behalf, which removes the need for bespoke interfaces or workarounds.
The Bill aims to achieve this by requiring businesses that hold designated customer data (data holders) to provide that data to the customer and, with the customer’s authorisation, to accredited third parties. The Bill will require data holders to perform actions in response to electronic requests from customers and accredited third parties (with customer authorisation), such as opening accounts, making payments, or changing customer plans. The Bill will also require product data, which is data about a data holder’s goods and services, to be made available electronically on request.
To protect the privacy of individuals and confidentiality of customer information, the Bill provides privacy safeguards. The privacy safeguards in the Bill will complement existing protections in the Privacy Act 2020, which will continue to apply except where the Bill says otherwise. This will allow customers to derive value from their data without compromising their privacy or data security. The Bill sets out a framework for the accreditation of third parties. Only accredited third parties with the authorisation of customers will be able to request customer data from data holders or request actions on a customer’s behalf. The chief executive of the Ministry of Business, Innovation, and Employment (the chief executive) will be responsible for the accreditation of third parties. Accreditation is intended to check and certify that accredited third parties are trustworthy, competent, and secure. Once accredited, third parties will be able to request and receive data from data holders electronically, securely, and in a standard machine-readable format.
The Bill provides for a full range of compliance and enforcement powers, from powers aimed at supporting willing compliance to powers aimed at detecting and penalising non-compliance. The Bill provides that the chief executive enforces the Bill, alongside the Privacy Commissioner who will continue to have investigation, guidance, enforcement, and redress powers over obligations in the Privacy Act 2020.
The Bill will be applied to 1 sector at a time via a designation process. Applying the same legislative framework to different sectors will improve certainty and predictability for businesses operating in multiple markets. The interoperability among different sectors enabled by a consistent framework is intended to support further innovation.
The Minister of Commerce and Consumer Affairs is responsible for recommending the designation of individual markets, industries, and sectors to which the Bill will apply. The designation will specify the type of data and functionality that is required to be made available to accredited requestors, customers, or both, and will be accompanied by rules and standards that govern the transfer of that data. To achieve this, the Bill delegates a significant amount of detail to secondary legislation, which enables flexibility to adjust to different sectors of the economy. The first sector to be designated will be the banking sector.
The Bill has been designed in response to submissions on the Ministry of Business, Innovation, and Employment’s 2020 discussion document on establishing a consumer data right in New Zealand, which identified issues with current data portability settings. Australia, the United Kingdom, and Europe have introduced open banking or consumer data right regimes. Australia takes a similar sector-based approach and has applied its consumer data right to the banking and energy sectors.
It is intended that the Bill should not prevent industry-led options from being progressed in parallel to regulatory intervention and where possible, should seek to leverage that work, for example by making use of existing industry standards, technologies, and expertise.