The Customer and Product Data Bill (Bill) has been introduced to Parliament, seeking to establish a New Zealand Consumer Data Right (CDR).
For background on the CDR, including the journey leading up to the release of the Bill, please see our related Insights here. A summary of the key aspects of the exposure draft of the Bill (Exposure Draft) is set out here. This summary, and the comments raised within it, remain relevant for the purposes of the Bill. MBIE's summary of the significant differences between the Exposure Draft and the Bill is available here.
Consultation requirements
In addition to MBIE's summary list of changes, the requirements regarding public consultation and protection of Māori interests have also changed. All references to "the public" have been removed from consultation requirements and the Bill no longer requires consultation with "hapu, iwi and Māori organisations" (and instead, just one person with "expert knowledge of te ao Māori approaches to data" is to be consulted in relation to standards and regulations), subject to certain exceptions.
Liability
The Bill has also been updated to include a liability regime. Customers and other data holders and accredited requestors who have suffered loss as a result of a contravention of the Bill may seek compensation (with no cap on compensation specified in the Bill). Penalties have been adjusted from those previously announced (a summary of the previous penalty regime is available here). Penalties now range from low-level infringement notices of up to NZ$20,000, through to fines of up to NZ$2.5 million for companies that commit more material breaches.
Learnings from Australia
As noted in our previous insight available here, the independent statutory review of the Australian CDR made a number of recommendations regarding how the Australian equivalent of our proposed new CDR might be optimised. Some of those issues appear to have been addressed in the New Zealand CDR regime proposed by MBIE, whilst others have not (and some areas remain to be confirmed until we have draft regulations and standards).
By way of example, the Australian review recommended that the overlap between the Australian CDR and Australian privacy law be considered to reduce the regulatory compliance burden on participants. Under the New Zealand CDR, MBIE appears to have sought to be express in the application of the New Zealand Privacy Act 2020 (Act) and has clarified that data requests under the Bill are not to be treated as access requests under the Act. However, the Bill does provide that if a data holder breaches certain requirements, they will be treated as having committed an "interference" under the Act. In addition, contraventions relating to storage and security may be treated as breaching security obligations under the Act.
Next Steps
Consistent with prior indications from MBIE, the explanatory statement within the Bill confirms that the CDR is not intended to prevent industry-led options from being progressed in parallel with the CDR and expresses an intent to leverage that work, including by making use of existing industry standards, technologies, and expertise. In industries such as the banking sector where significant progress has already been made via the API Centre (for example), there would be real value in leveraging the standards and expertise already developed in the drafting of future CDR regulations and standards.
The full text of the Bill is available here. As with the Australian Consumer Data Right, much of the detail of how the regime will operate remains to be determined through the development of more detailed regulations and standards.
The Russell McVeagh team will be monitoring the developments and will provide further updates as the Bill progresses. In the meantime, if you would like any advice regarding how the CDR might affect you and organisations in your industry, please do not hesitate to contact us.