5/03/2025
Navigating the Customer and Product Data Bill: What you need to know and how to prepare

An update on New Zealand’s Customer and Product Data Bill
The second reading of the Customer and Product Data Bill (Bill) commenced last month. The Bill aims to set up a framework to enable greater access to, and sharing of, customer and product data for both customers and businesses.
In this article we discuss the recommended amendments to the Bill, the Bill’s potential implications for businesses (particularly in the banking and electricity sectors, which are expected to be among the first to be impacted by the proposed framework), and what the next steps are.
As explained in our previous article, Advancing a Consumer Data Right - the Customer and Product Data Bill, the introduction of a “Consumer Data Right” (CDR) is intended to provide customers with greater control over their own data and also allow businesses that hold designated customer data to share (with customers’ consent) customer data securely with accredited third parties.
Proposed amendments to the Bill
The Second Reading of the Bill incorporates amendments to the initial draft that were recommended in the Select Committee Report issued by the Economic Development, Science and Innovation Committee (the Committee) on 23 December 2024. The recommended amendments address some concerns raised during the consultation process. The proposed amendments provide greater clarity and guidance on how the proposed framework will operate.
The main amendments to the Bill proposed by the Committee are:
- ‘Good Faith’ defence for data holders: The introduction of a “good faith” defence to protect data holders from liability if they inadvertently provide customer data to an unauthorised third party, including in cases where a requestor is hacked. In such cases, a data holder would not face penalties where they can demonstrate that they have complied with the CDR’s requirements and exercised appropriate due diligence.
- Stricter accreditation for requestors: To improve the security and trustworthiness of the CDR framework, the Committee recommends enhanced accreditation requirements for third-party requestors of customer data. Accredited requestors will now be required to:
  - maintain adequate security safeguards for data;
  - demonstrate the “good character” of senior management; and
  - provide evidence of compliance with the CDR framework and its obligations.
  These stricter requirements are designed to ensure that only responsible and capable entities can request, receive and manage sensitive consumer data.
- Clarifications on privacy remedies: Clarification of the relationship between the CDR and the Privacy Act 2020. Claims related to privacy interference resulting from CDR conduct are to be handled exclusively through the Privacy Act’s established processes, reducing the risk of duplicate claims and uncertainty for businesses.
- Refinements to refusal of data requests: The new Bill includes additional safeguards to protect businesses from accepting requests that could result in financial harm or fraud or that are made under the threat of physical or mental harm. Data holders will have clearer guidance on when they can refuse to comply with a request, especially in cases of deception or potential financial harm.
- Simplification of compliance obligations: Removal of some of the more burdensome provisions in the previous draft Bill. For example, the requirement for businesses to maintain records of every prior customer authorisation has been streamlined, and instead, businesses will only be required to lodge a single record for each new request. Additionally, the mandatory annual reporting to MBIE on CDR-related complaints has been removed, with the Committee noting that complaints can be addressed through sector-specific dispute resolution schemes.
Implications for businesses
The introduction of a CDR will bring New Zealand in line with a corresponding right that has been in place in Australia since 2020 (where it applies to both the banking and energy sectors). There has been some criticism of the Australian CDR stemming from high compliance costs and regulatory burdens, a lack of incentives for businesses to utilise CDR data, and restrictions on the use and storage of CDR data. The Bill seeks to avoid some of these issues through offering a clearer distinction between the application of privacy laws and the principles governing CDR data.
For businesses operating in sectors likely to be designated under the CDR framework, including the banking and electricity sectors, these amendments offer a clearer path to future compliance. However, the introduction of stricter accreditation for third-party requestors and the need for enhanced privacy and data security measures mean that companies should consider preparing themselves sooner rather than later.
Businesses should take the time to assess their current data practices. For customer data, this includes undertaking a compliance audit and ensuring their data security protocols are in line with the Bill’s requirements. Staff training on the new processes for handling customer consent and authorisations will also be critical. These matters will be relevant to businesses in their capacity as data holders and as data requestors.
Next steps
The Bill is expected to pass into law in the coming months, with the banking and electricity sectors likely to be the first designated sectors to whom the new regime will apply. As the Bill is generic and is applied to particular sectors by passing regulations, MBIE is also expected to release in the first half of this year the results of its consultation on the proposals for the regulations that will give effect to the sector designations. These results will likely focus on the points that MBIE has previously sought feedback on, including (in relation to the banking sector):
- the scope of open banking designation regulations;
- accreditation criteria required for accredited requestors to access data;
- appropriate fees and relevant standards necessary for a functioning regime; and
- costs, benefits and risks associated with an open banking designation.
We will continue to monitor any new developments and provide updates on the Bill’s progress.
Special thanks to Conor Masila for his assistance in writing this article.