This page is about a bill. That means that it's not the law yet, but some people want it to be the law. It could change quickly, and some of the information is just a draft.

Customer and Product Data Bill

Introduction

You could also call this:

"Understanding the Big Picture: The Main Ideas Behind the Rules"


View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS700097.



General policy statement

The purpose of the Bill is to establish an economy-wide framework to enable greater access to, and sharing of, customer and product data between businesses. This is commonly referred to as a consumer data right. The intention is to give customers (including both individuals and entities) in designated sectors greater control over how their customer data is accessed and used, promote innovation and facilitate competition, and facilitate secure, standardised, and efficient data services. The Bill will—

  • give customers greater control over their data. This will make it easier for them to shop around and switch providers for services such as banking, electricity, and telecommunications, and allow them to have greater trust that their data is secure and only shared for their benefit, and with their knowledge and authorisation; and

  • enable innovation as it will facilitate the introduction of new products and services that are only viable when customer data and product data is shared; and

  • facilitate competition by creating new opportunities for new entrants to break into established markets, and remove barriers that are preventing customers from being able to access and share their data, including a lack of incentives for data holders to transfer data to third parties; and

  • enable efficient data services, through accreditation of data recipients that removes the need for separate due diligence and high costs in negotiating bilateral agreements; and

  • provide a standardised and secure way for customers to access and use their customer data, to access product data, and for actions to be performed on their behalf, which removes the need for bespoke interfaces or workarounds.

The Bill aims to achieve this by requiring businesses that hold designated customer data (data holders) to provide that data to the customer and, with the customer’s authorisation, to accredited third parties. The Bill will require data holders to perform actions in response to electronic requests from customers and accredited third parties (with customer authorisation), such as opening accounts, making payments, or changing customer plans. The Bill will also require product data, which is data about a data holder’s goods and services, to be made available electronically on request.

To protect the privacy of individuals and confidentiality of customer information, the Bill provides privacy safeguards. The privacy safeguards in the Bill will complement existing protections in the Privacy Act 2020, which will continue to apply except where the Bill says otherwise. This will allow customers to derive value from their data without compromising their privacy or data security. The Bill sets out a framework for the accreditation of third parties. Only accredited third parties with the authorisation of customers will be able to request customer data from data holders or request actions on a customer’s behalf. The chief executive of the Ministry of Business, Innovation, and Employment (the chief executive) will be responsible for the accreditation of third parties. Accreditation is intended to check and certify that accredited third parties are trustworthy, competent, and secure. Once accredited, third parties will be able to request and receive data from data holders electronically, securely, and in a standard machine-readable format.

The Bill provides for a full range of compliance and enforcement powers, from powers aimed at supporting willing compliance to powers aimed at detecting and penalising non-compliance. The Bill provides that the chief executive enforces the Bill, alongside the Privacy Commissioner who will continue to have investigation, guidance, enforcement, and redress powers over obligations in the Privacy Act 2020.

The Bill will be applied to 1 sector at a time via a designation process. Applying the same legislative framework to different sectors will improve certainty and predictability for businesses operating in multiple markets. The interoperability among different sectors enabled by a consistent framework is intended to support further innovation.

The Minister of Commerce and Consumer Affairs is responsible for recommending the designation of individual markets, industries, and sectors to which the Bill will apply. The designation will specify the type of data and functionality that is required to be made available to accredited requestors, customers, or both, and will be accompanied by rules and standards that govern the transfer of that data. To achieve this, the Bill delegates a significant amount of detail to secondary legislation, which enables flexibility to adjust to different sectors of the economy. The first sector to be designated will be the banking sector.

The Bill has been designed in response to submissions on the Ministry of Business, Innovation, and Employment’s 2020 discussion document on establishing a consumer data right in New Zealand, which identified issues with current data portability settings. Australia, the United Kingdom, and Europe have introduced open banking or consumer data right regimes. Australia takes a similar sector-based approach and has applied its consumer data right to the banking and energy sectors.

It is intended that the Bill should not prevent industry-led options from being progressed in parallel to regulatory intervention and where possible, should seek to leverage that work, for example by making use of existing industry standards, technologies, and expertise.

Departmental disclosure statement

The Ministry of Business, Innovation, and Employment is required to prepare a disclosure statement to assist with the scrutiny of this Bill. The disclosure statement provides access to information about the policy development of the Bill and identifies any significant or unusual legislative features of the Bill.

A copy of the statement can be found at http://legislation.govt.nz/disclosure.aspx?type=bill&subtype=government&year=2024&no=44

Regulatory impact statements

The Ministry of Business, Innovation, and Employment produced regulatory impact statements on 23 June 2021 and 4 May 2022 to help inform the main policy decisions taken by the Government relating to the contents of this Bill.

Copies of these regulatory impact statements can be found at—

Clause by clause analysis

Clause 1 is the Title clause.

Clause 2 provides for the Bill to come into force on the day after Royal assent.

Part 1: Preliminary provisions

Clause 3 sets out the overall purpose of the Bill, which is to establish a framework to—

  • realise the value of certain data; and

  • promote competition and innovation; and

  • facilitate secure, standardised, and efficient data services in certain sectors.

The Bill achieves this purpose by improving the ability of customers to access and use data held about them by participants in those sectors, improving access to data about products, and standardising safeguards, controls, standards, and functionality in connection with data services.

Clause 4 sets out an overview of the Bill.

Clauses 5 to 10 define various key terms used in the Bill, including—

  • data holder. This is a person of a class specified in regulations made under the Bill that holds customer data or product data of a kind that is designated in those regulations (designation regulations):

  • accredited requestor. This is a person that is accredited under subpart 3 of Part 5:

  • customer. This is a person who acquires, or is seeking to acquire, goods or services from a data holder. Customer data is data that is about an identifiable customer that is held by a data holder:

  • regulated data service. This is the service of providing data, or performing an action, under Part 2:

  • standards. Standards are made under clause 132.

Clause 11 provides that the Bill applies to—

  • New Zealand agencies; and

  • overseas agencies in relation to conduct in the course of carrying on business in New Zealand.

Clause 11 is based on section 4 of the Privacy Act 2020.

Clause 12 relates to the transitional, savings, and related provisions set out in Schedule 1.

Clause 13 provides for the Bill to bind the Crown. See also clause 115, which relates to Crown organisations being customers, data holders, or accredited requestors.

Part 2: Regulated data services

Part 3: Protections

Clauses 36 to 41 provide for matters relating to a customer (or secondary user) giving an authorisation to another person. In summary,—

  • an authorisation is given if the customer (or secondary user) is reasonably informed about the matter, it is given expressly in the manner prescribed by the regulations and the standards, and it has not ended:

  • before providing a regulated data service on the request of an accredited requestor, the data holder must check that the service is within the scope of the authorisation given by the customer (or secondary user):

  • a data holder must have systems in place to enable an authorisation to be changed:

  • an accredited requestor must comply with the duties in respect of authorisation that are prescribed by the regulations or standards. For example, duties relating to ensuring that the customer (or secondary user) is reasonably informed and how an authorisation may be obtained:

  • a person must not require a customer to authorise a regulated data service as a condition for providing some other goods or service unless the data service is reasonably necessary to enable the person to provide the other goods or service.

Clause 42 provides that only customers, secondary users, and accredited requestors may request, or purport to request, regulated data services.

Clause 43 creates an offence for a person to knowingly make a request that they are not permitted to make. A person that commits the offence is liable,—

  • in the case of an individual, to imprisonment for a term not exceeding 5 years or to a fine not exceeding $1 million (or both):

  • in any other case, to a fine not exceeding $5 million.

Clause 44 requires a data holder to verify the identity of a person who makes a request for a regulated data service.

Clauses 45 and 46 require data holders and accredited requestors to maintain certain records.

Clause 47 requires a data holder or an accredited requestor to maintain policies relating to customer data, product data, and action performance.

Clause 48 provides for a contravention of certain policy requirements to be an infringement offence. Those requirements will be specified by the regulations or standards for the purposes of this clause.

A person who contravenes other, more significant policy requirements may be liable to a pecuniary penalty and other civil liability consequences under subpart 6 of Part 4.

Clauses 49 to 51

  • require a data holder or an accredited requestor to have a complaints process relating to its conduct in connection with regulated data services; and

  • require a data holder or an accredited requestor to be a member of a dispute resolution scheme if a scheme has been prescribed by the regulations; and

  • allow dispute resolution scheme rules to be modified to cover complaints about regulated data services.

Clause 52 provides that a request for data under the Bill (that involves personal information) is not a request under information privacy principle 6 (access to personal information) set out in section 22 of the Privacy Act 2020. This means that requirements under subpart 1 of Part 4 of that Act do not apply to the request. However, certain contraventions under this Bill are treated as an interference with the privacy of an individual for the purposes of Parts 5 and 6 of the Privacy Act 2020 (which relate to complaints, investigations, proceedings, notifiable privacy breaches, and compliance notices).

Clause 53 relates to various data storage and security requirements imposed under this Bill. Contraventions of those requirements under this Bill must be treated as breaching information privacy principle 5 (storage and security of personal information) set out in section 22 of the Privacy Act 2020. This means that the contraventions may involve an interference with the privacy of an individual for the purposes of Parts 5 and 6 of the Privacy Act 2020.

Part 4: Regulatory and enforcement matters

Part 5: Administrative matters