Towards the end of June 2023, the Ministry of Business, Innovation and Employment (MBIE) released a much-awaited discussion document on a consumer data right (CDR) for Aotearoa New Zealand, together with an exposure draft of the Customer and Product Data Bill (Bill). The discussion document follows the earlier consultation that was undertaken in August 2020. The consultation period ends and submissions on the draft Bill are due by Monday 24 July 2023.
Bill’s purpose
The draft Bill aims to establish a framework to realise the value of certain data for the benefit of individuals and society, promote competition and innovation for the long-term benefit of customers, and facilitate secure and efficient data services in certain sectors of the New Zealand economy.
Customer data is information generated when businesses (eg, phone companies, banks, and power companies) provide customers with services. This includes information such as names, addresses, phone numbers, usage, accounts, payments, account histories, transactions. Customer data is highly valuable, however, currently underutilised in the economy.
The draft Bill seeks to achieve its purpose by improving the ability of customers to access and use data held about them by businesses in certain sectors (“data holders”), as well as improving access to data about products and services in those sectors. The Government believes this will encourage data driven services which will enable customers to compare products and services and switch between providers to best suit their individual needs and circumstances. For example, a consumer may request that an electricity company (the data holder) provide electricity usage information (customer data) to the customer, which can then be used by the customer to find the most suitable power company for them.
Framework proposed
The framework contemplated by the draft Bill allows for a very prescriptive regime. It involves:
- enabling regulations to designate classes of customer data held by a data holder, classes of data about the goods and services offered by a data holder, and classes of actions to be performed by a data holder that are to be subject to the CDR;
- establishing a process by which MBIE will accredit persons or organisations that a customer can authorise to request designated data from a data holder or request a data holder to perform a designated action (eg, third parties that use the customer’s data to provide value added services to the customer), and these persons or organisations would be an accredited requestor;
- requiring data holders to operate electronic systems that meet the requirements of regulations and standards in order to facilitate the CDR (which could cover anything from security to useability);
- requiring data holders to provide designated customer data to customers or accredited requestors or perform a designated action that is requested by customers or accredited requestors, and provide requested product data to any person, so long as all such requests are in accordance with the required electronic systems;
- requiring data holders and accredited requestors to maintain systems or processes in the manner set by regulations to enable requests or authorisations to be given on behalf of customers by persons belonging to a class of secondary user designated by regulations;
- if data holders or accredited requestors use an outsourced provider in connection with the CDR, requiring each of them to comply with duties set by regulations (eg, maintain records or provide details about the outsourcing arrangement);
- requiring data holders and accredited requestors to comply with regulations and standards covering every conceivable aspect of the CDR, from how requests are to be made, communicating with customers, to dealing with designated data;
- requiring authorisations by customers to be made in the manner prescribed by regulations and standards and requiring data holders to confirm the authorisation, have systems in place to enable the customer to view or end the authorisation, verify the identity of the customer and accredited requestor, notify the customer when providing designated customer data or performing a designated action, and publish CDR policies, all also in such manner as is prescribed by regulations and standards;
- enabling MBIE to set the standards to be met by data holders and accredited requestors;
- requiring data holders and accredited requestors to keep various records concerning the CDR for at least 5 years;
- requiring data holders and accredited requestors to have customer complaints processes and provide an annual report to MBIE on complaints that are made; and
- establishing a register of data holders and accredited providers.
There are several sticks contemplated by the draft Bill:
- Failing to meet prescribed storage requirements in relation to personal information will be deemed to breach the privacy principle concerning security under the Privacy Act.
- MBIE’s chief executive will have the power to require any person to supply information, produce documents or give evidence in relation to any aspect of the CDR, and it will be an offence for failing to comply.
- Regulations may require the payment of money to customers if a data holder or accredited requestor breaches its duties and a loss is suffered.
As the draft Bill only sets up a framework, there is a detailed process to be followed before any class of persons are designed as data holders. This requires the Minister to consider a number of factors, such as the interests of consumers, including Māori customers, likely costs and benefits, efficiencies, and the benefits and risks in relation to security, privacy and intellectual property rights. The Minister will also be required to consult with various parties, including affected persons, the Privacy Commissioner, tikanga experts and the public.
The Government has indicated that the initial sector to be designated under the CDR will be banking, with plans for this to extend to other sectors such as energy, finance, insurance, and health.
Consultation items
The draft Bill is not yet complete, and there are various matters that MBIE outline in or are seeking feedback on in the discussion document. These include:
- the length of time for which customer consent to sharing designated customer data will apply;
- proposals on how consent should be obtained, and may be modified or withdrawn;
- aspects around how standards should be made;
- requirements for becoming an accredited requestor (in relation to which MBIE propose a fit and proper person test, demonstrated security measures, appropriate insurance, supporting Māori participation and meeting ethical requirements);
- how accessibility and inclusion should be supported;
- what should be in customer data policies (eg, whether customer data insights are on-sold);
- whether customer losses should be subject to a cap; and
- enforcement options, for which MBIE proposes a range of fines up to $5m or three times the commercial gain for a body corporate and 5 years imprisonment and/or a fine of up to $1m in the case of individuals.
MBIE acknowledges the costs associated with implementing a regime such as this. The draft Bill enables the imposition of levies, as potential cost recovery through accreditation fees, however, the discussion document notes that no final decisions have been made on this. The discussion document also notes that significant investment would likely be required from data holders and also accredited requestors in order for them to participate in the CDR regime, and that is a factor that will need to be considered.
For those interested in the Australian regime, the discussion document incudes comparisons between that regime and what MBIE propose.
Making submissions
Now is the time to have your say on the proposals. MBIE is seeking feedback on the draft Bill and the discussion document, with the consultation period closing on Monday 24 July 2023. You can make a submission on MBIE’s website, which is accessible here.
If you would like any further information on the proposals or any assistance in making a submission, please get in touch with a member of the Lane Neave Corporate Team.
We will continue to monitor these proposed changes. There will also be an opportunity to submit on the final form of the Bill once it is introduced into Parliament, which the Government aims to do by the end of the year.