Plain language law

New Zealand law explained for everyone

This page is about a bill. That means that it's not the law yet, but some people want it to be the law. It could change quickly, and some of the information is just a draft.

Customer and Product Data Bill

Regulatory and enforcement matters - Civil liability - Pecuniary penalty order

75: Maximum penalty (Tier 2)

You could also call this:

“The biggest fines for breaking customer data rules”

The bill proposes penalties for people or companies who don’t follow certain rules about customer and product data. These rules cover things like giving customers their data when asked, using proper computer systems, and being part of a dispute resolution scheme.

If you’re an individual who breaks these rules, you might have to pay up to $200,000. If it’s a company or another type of organisation that breaks the rules, they might have to pay up to $600,000.

The bill lists many specific sections that these penalties apply to. These sections talk about how data holders and accredited requestors should handle customer data, product data, and customer requests. They also cover rules about getting customer permission, dealing with complaints, and reporting information to the government.

Remember, this is just a proposed law, not the current law. If it passes, it will set out these penalties for not following the new rules about customer and product data.

This text is automatically generated. It might be out of date or be missing some parts. Find out more about how we do this.

This page was last updated on

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS911702.

Previous

74: Maximum penalty (Tier 1), or

“The biggest fine for breaking some important data rules”

Next

76: Considerations for court in determining pecuniary penalty, or

“How courts decide fines for breaking data rules”

Part 4 Regulatory and enforcement matters
Civil liability: Pecuniary penalty order

75Maximum penalty (Tier 2)

  1. This section applies to a contravention, an attempted contravention, or an involvement in a contravention of any of the following:

  2. section 14 (data holder must provide customer data to customer):
    1. section 15 (data holder must provide customer data to accredited requestor if authorisation is confirmed):
      1. section 18 (data holder must perform certain actions on customer’s request):
        1. section 19 (data holder must perform certain actions on accredited requestor’s request if authorisation is confirmed):
          1. section 21 (how data holders and accredited requestors must deal with joint customers):
            1. section 22 (data holder must provide product data to any person):
              1. section 24 (how data holders and accredited requestors must deal with secondary users):
                1. section 28 (electronic system must comply with prescribed technical or performance requirements):
                  1. section 31 (data holders must comply with requirements for requests, providing services, and making information available):
                    1. section 33 (accredited requestors must comply with requirements for dealing with data and making information available):
                      1. section 38 (customer’s authorisation must be confirmed):
                        1. section 39 (customer or secondary user must be able to control authorisation):
                          1. section 40 (accredited requestor must comply with prescribed duties in respect of authorisation):
                            1. section 41 (authorisation must not be required as condition of providing product):
                              1. section 47 (data holders and accredited requestors must have customer data, product data, and action performance policies):
                                1. section 49 (data holders and accredited requestors must have customer complaints process):
                                  1. section 50 (data holder or accredited requestor must be member of dispute resolution scheme (if scheme has been prescribed)):
                                    1. section 59 (data holder or accredited requestor must take prescribed steps to avoid, mitigate, or remedy loss or damage caused by contravention):
                                      1. section 64 (prohibition against holding out):
                                        1. section 112 (annual reporting by data holders):
                                          1. section 113 (annual reporting by accredited requestors):
                                            1. section 119 (persons that will become data holders when designation comes into force must provide information to chief executive):
                                              1. section 120 (other data holders must provide information to chief executive).

                                                1. The maximum amount of a pecuniary penalty is—

                                                2. $200,000 for a contravention, an attempted contravention, or an involvement in a contravention by an individual; or
                                                  1. $600,000 in any other case.