The Government has released, for consultation, an exposure draft of the Customer and Product Data Bill (Bill), New Zealand's regulatory framework for a consumer data right (CDR). The Ministry of Business, Innovation and Employment (MBIE) is seeking submissions on the Bill and accompanying Discussion Document by 5pm on Monday 24 July 2023. The Government is aiming to introduce legislation to Parliament by the end of 2023.
A summary of the key aspects of the Bill is set out below. For further background on the CDR, including the journey leading up to the release of the Bill, please see our related Insights here. The Bill, Discussion Document and accompanying documentation can be viewed here.
Legislative design of the CDR
- Structure of the Bill: The Bill acts as a high-level framework establishing the CDR regime at law and providing for more detailed rules such as Regulations, Standards and Designation Rules to be established separately on a sector-by-sector basis. The Government has confirmed that the banking sector will be the first sector to be designated as in-scope of the CDR and that Standards for the banking sector will build on industry-led work already underway, such as through the Payments New Zealand API Centre.
- Scope of CDR: The proposed CDR framework supports both data sharing and action initiation (such as making a payment or switching service providers). The regime contemplates both customers themselves, and their authorised third-party accredited requestors, making requests of data holders under the CDR for data sharing or action initiation. Unlike the Australian regime, the proposed New Zealand CDR does not prohibit participants sharing CDR data outside of the CDR ecosystem.
- Accreditation Process: The Bill establishes two classes of accreditation for requestors - action initiation and read-only access. MBIE has proposed that accreditation criteria will include, at a minimum, a 'fit and proper' person test and certain data protection and security safeguard requirements. MBIE is seeking submissions on the inclusion of minimum insurance requirements.
- Data Safeguards: The Bill proposes that existing Privacy Act 2020 (Privacy Act) protections will apply to CDR data that is personal information (subject to certain modifications). These safeguards only apply to read access data and it is unclear what safeguards will apply to write access. The Bill does not yet include protections for CDR data that is not personal information, but MBIE has indicated it intends to include additional safeguards for ethical use of data which would apply in these circumstances.
- Consent: Customer consent is a fundamental pillar of any CDR. The Bill requires that all requests made under the CDR be subject to customer consent that is express and informed. However, detailed consent requirements have not yet been confirmed.
- Regulators: The CDR regime will be regulated by MBIE and the Office of the Privacy Commissioner. MBIE will be given a full range of compliance and enforcement powers under the Bill and the Privacy Commissioner will exercise its existing functions and powers under the Privacy Act with respect to CDR data that is personal information.
- Penalties for breach of the CDR regime: The applicable liability regime as between participants remains somewhat unclear, but MBIE has proposed a range of enforcement actions and significant penalties for breaches of the CDR regime. The most egregious breaches (involving deliberate or reckless behaviour) are proposed to constitute criminal offences and carry fines of up to $5 million for corporate entities and $1 million for individuals.
- Accreditation fees: The Government acknowledges that designing, implementing and enforcing the CDR regime will come at significant cost. MBIE has proposed that some of these costs may be met via CDR levies and accreditation fees. No policy decisions have yet been made regarding the extent or timing of cost recovery and this area remains subject to further consultation.
- Reciprocity: The principle of reciprocity is a key pillar of the Australian CDR, broadly requiring accredited requestors who hold in-scope CDR data to share it at the request of a customer. However, unlike the Australian regime, the proposed New Zealand CDR framework does not include a principle of reciprocity.
- In-scope CDR Data: Under the Bill, CDR data in-scope of mandatory data sharing will be defined at a sector level through the designation process. Notably however, "derived data", being data created by a data holder through the application of insights and analytics, has not been expressly excluded from designation under the Bill.
- Māori interests: The Bill does not define "Māori data", but proposes that before designating data in-scope of the CDR, the Minister shall have regard to (among other things): (a) the interests of customers, including Māori customers; and (b) the sensitivity of the data (potentially including whether the data is tapu). The Bill acknowledges that The Treaty of Waitangi/Te Tiriti creates rights and interests for Māori and that these must be taken into account when developing secondary legislation.
Next Steps
We will be monitoring developments and will provide a further update when the Bill is introduced to Parliament. In the meantime, if you would like any advice regarding how the New Zealand CDR might affect you and organisations in your industry, or if you require assistance with responding to the Government's request for submissions, please do not hesitate to contact us.