The development of NZ’s Consumer Data Right has taken a further step forward, with MBIE’s release of an exposure draft of the Customer and Product Data Bill. The CPD Bill is intended to unlock the value of data, by improving customer access to and control of their data, standardising how data is exchanged, and ensuring those who request access to data on behalf of customers are accredited and trustworthy. In addition to providing greater customer control, it is believed that the Bill will support innovators in the economy to create new products and services and increase competition. Once passed, the law will be implemented one sector at a time, starting with the banking sector.
In this article, we highlight some important things to note about the Bill.
The new framework will apply to overseas organisations
Like the Privacy Act, the CPD Act will have extraterritorial effect, applying to overseas agencies in relation to conduct in the course of carrying on business in NZ in respect of designated customer and product data. Most overseas agencies doing business in NZ will already be familiar with general data portability rights contained in overseas privacy laws (such as in Australia), but will need to take note of the specific requirements of NZ’s new framework.
The new framework extends beyond personal information
Unlike the Privacy Act, the CPD Act will apply to all customer data, including data that relates to companies, trusts and other entities. This reflects a significant expansion of the data rights regime (currently limited to identifiable individuals), and may come as a surprise to organisations. It also explains the change in terminology from “consumer” to “customer”. Clearly however, the additional obligations and protections contained in the Privacy Act will not apply to customer data about companies.
The inclusion of an obligation to make “product data” available appears to be a new development, setting this framework apart from privacy-focused data portability rights in overseas laws, and intended to support innovation and competition. Banking and financial services organisations will already be used to stringent product disclosure and transparency requirements, but the inclusion of product data could come as a surprise to other sectors less used to these concepts, including the energy sector.
Similarly, MBIE states that the intention is to include “derived data” within the scope of customer data. This may cause IP concerns for some organisations.
NZ’s definition of consent is starting to align to overseas best practice
Sections 30 and 35 of the Bill operate to create a form of authorisation that aligns much more closely to overseas definitions of consent, such as in the GDPR. Authorisation for the purposes of the CPD Act will need to be express, informed, current and freely given. While many organisations already align their consents to overseas best practice, those that do not will need to take note.
The CPD Bill includes some specific privacy requirements
Part 3 of the CPD Bill sets out some privacy-related requirements or safeguards, including establishing shorter timeframes to provide data, defining and prescribing the management of “authorisation”, providing for identity authentication, requiring consumer notification in relation to whether data has been shared or not, and requiring the development of complaints procedures. More detailed requirements will be provided in secondary legislation (regulations and standards).
It’s not clear how Part 4 of the Privacy Act will apply to CPD requests
The CPD Bill generally intends that requests under the CPD Act should be treated as requests under IPP 6 of the Privacy Act, though it excludes many of the procedural provisions contained in Part 4 of the Privacy Act. Quite apart from the fact that requests from companies will not benefit from existing Privacy Act provisions, the way the various Privacy Act provisions have been applied or excluded in the Bill will need careful thought, to ensure it is workable. For example, the Bill appears to contemplate that the withholding grounds contained in sections 49-53 of the Privacy Act might apply, which could complicate and frustrate what is intended to be an automated process.
MBIE has confirmed the enforcement and penalties approach
Provisions on enforcement and penalties will be added to the CPD Bill later, once the final form of the main obligations is settled. However, MBIE has confirmed the following:
- There will be a shared enforcement regime, with MBIE responsible for compliance and enforcement functions under the CPD Act, and the privacy commissioner responsible for compliance and enforcement under the Privacy Act, in relation to personal information. This shared enforcement regime will be managed through a Memorandum of Understanding.
- The previously proposed tiered penalty regime, including significant fines for breaches of obligations, is still proposed. However, it remains unclear the extent to which the penalties will be applied in relation to privacy breaches. This further reinforces the disparity between the Privacy Act and the CPD Bill in relation to financial penalties.
Submissions on the DPD Bill are due by 24 July 2023, and information on making submissions can be found here. We’ll keep tracking the progress of the CPD Bill, and will publish more articles on this topic as the details are finalised.