The Select Committee Report on the Consumer and Product Data Bill (Report) was released on 23 December. The Report was prepared by the Economic Development, Science and Innovation Committee (Committee) and recommended several changes to the Consumer and Product Data Bill (Bill) based on submissions and advice.
The Bill seeks to establish a New Zealand Consumer Data Right (CDR). For further background on the CDR, including the journey leading up to the release of the Bill, please see our related Insights here.
The Committee in its Report unanimously recommended that the Bill be passed but with some amendments. We have set out the key amendments proposed by the Committee below:
- Purpose: One of the stated key purposes of the Bill is to realise the value of data to benefit "individuals, organisations and society". The Committee recommended clarifying this purpose to refer to benefitting "customers and society", as opposed to individuals and organisations.
- Territorial application: The Government sought submissions on the territorial application of the Bill. Currently, it applies to designated customer data or designated product data held by both New Zealand and overseas agencies who carry on business in New Zealand. The Committee recommended inserting a clause to ensure that the Bill also applies to any conduct regulated by the Bill that occurs (in whole or in part) in New Zealand, regardless of whether designated data is held.
- Accreditation criteria: The Bill provides for accreditation criteria of applicants to be set out in the relevant regulations, including a fit and proper person test. The Committee recommended that high-level guidance on the accreditation criteria be set out in the legislation itself, including a requirement to prove, to the satisfaction of the chief executive of the responsible government department, that: (a) the applicant’s director and senior managers are of good character; (b) adequate data security safeguards are in place; and (c) the applicant can comply with its obligations under the Bill and is not likely to contravene any provision.
- Privacy Act interaction: The Government specifically sought submissions on the proposed interaction between the Bill and the Privacy Act 2020 and ultimately recommended simplifying the interaction. The Committee proposed that two privacy restrictions be removed from the Bill on the basis that the Privacy Act already provides sufficient protection: one requiring accredited requestors to comply with specific regulations when dealing with data, and the other requiring accredited requestors to record how they de-identify data received. The Committee also recommended that the Bill be explicit as to which CDR contraventions will give rise to liability under the Privacy Act.
- New good faith defence: The Committee recommended inserting a new "good faith" defence which makes it clear that data holders should not be liable under the Privacy Act, contract or other non-statutory obligations for disclosing customer data to a fraudulent requestor under the CDR (e.g. a hacker) provided that they complied in good faith with the CDR requirements.
- Ability to refuse requests: The Bill permits a data holder to refuse to perform any action if it reasonably believes that complying with the request would cause serious financial harm, or that the request is deceptively made. The Committee proposed that the data holder's ability to refuse requests be extended to enable the data holder to also refuse to disclose data on these same grounds.
- Maximum penalty: The Bill is currently silent as to how the maximum penalty applies to multiple contraventions of the same civil liability provision. The Committee recommended that it be clarified in the Bill that the maximum penalty should apply in aggregate as a cap to multiple similar contraventions of the same civil liability provision, rather than apply as a maximum penalty to each such contravention.
- Policy requirements: The Bill includes a requirement for data holders and accredited requestors to develop, publish, implement and maintain policies relating to customer and product data, and actions performed under the CDR. Failure to do so results in an infringement offence. The Committee recommended the deletion of these policy requirements and the related infringement offence in order to reduce compliance costs.
It is important to note that these are currently only recommendations, and we will need to wait to see which of these are incorporated into the Bill at its second reading. The Government has indicated that the Bill will be passed into law sometime in early 2025, and that the open banking regulations and standards will start to come into force in December 2025, so a second reading of the Bill is likely to occur soon.
We also expect to hear in the first half of 2025 whether the electricity sector will be designated in scope of the CDR. If so, the Government has indicated that associated regulations would be finalised in late 2025 and take effect during 2026.
The full text of the Report (including a version of the Bill with the Committee's proposed amendments) is available here. The Russell McVeagh team will be monitoring the developments and will provide further updates as the Bill progresses. In the meantime, if you would like any advice regarding how the CDR might affect you and organisations in your industry, please do not hesitate to contact us.