Kia ora koutou,

In my 10 Feb. notes from the Asia-Pacific region, I discussed the release of a cabinet paper outlining further decisions on the Consumer Data Right, which would inform the content of upcoming draft legislation. I can now report that the development of the CDR has taken a step forward, with the release of an exposure draft of the Customer and Product Data Bill and accompanying discussion document for consultation. 

The CPD bill is intended to unlock the value of data by improving customer access to and control of their data, standardizing how data is exchanged, and ensuring those who request access to data on behalf of customers are accredited and trustworthy. The bill strengthens existing access rights provided by the Privacy Act 2020, requiring businesses to provide customer data to accredited requesters and to ensure product data is made available electronically on request.

In addition to providing greater customer control, it is believed the bill will support innovators in the economy to create new products and services, and increase competition. Once passed, the bill will be implemented one sector at a time, starting with banking. 

While I have yet to read the bill and discussion document in detail, a few key observations are worth making:

  • Like the Privacy Act, the CPD bill will have extraterritorial effect, applying to overseas agencies in relation to conduct in the course of carrying on business in New Zealand in respect of designated customer and product data. Most overseas agencies doing business in New Zealand are already familiar with general data portability rights contained in overseas privacy laws, such as in Australia, but will need to take note of the specific requirements of New Zealand's new framework.
  • Unlike the Privacy Act, the CPD bill will apply to all customer data, including data that relates to companies, trusts and other entities. This reflects a significant expansion of the data rights regime — currently limited to identifiable individuals — and may come as a surprise to organizations. It also explains the change in terminology from "consumer" to "customer." However, the additional obligations and protections contained in the Privacy Act will not apply to customer data about companies. 
  • The inclusion of an obligation to make "product data" available appears to be a new development, setting this framework apart from privacy-focused data portability rights in overseas laws, and intended to support innovation and competition. Banking and financial services organizations are already used to stringent product disclosure and transparency requirements, but the inclusion of product data could come as a surprise to sectors that are less used to these concepts, including the energy sector. Similarly, the discussion document states the intention is to include "derived data" within the scope of customer data. This may cause intellectual property concerns for some organizations.
  • Part three of the CPD bill sets out some privacy-related requirements or safeguards, including establishing shorter timeframes to provide data, defining and prescribing the management of "authorization," providing for identity authentication, requiring consumer notification in relation to whether or not data has been shared, and requiring the development of complaints procedures. However, the bill does not otherwise regulate the processing of customer data, with the potential for more detailed requirements to be provided in secondary legislation, such as regulations and standards. 
  • The CPD bill generally intends for consumer requests to be treated as requests under Principle 6 of the Privacy Act, though it excludes many of the procedural provisions contained in Part 4 of the Privacy Act. Quite apart from the fact that requests from companies will not benefit from existing Privacy Act provisions, the way various Privacy Act provisions are applied or excluded in the bill will need careful thought, to ensure they are workable. For example, the bill appears to contemplate that the withholding grounds contained in sections 49-53 of the Privacy Act might apply, which could complicate and frustrate the intended automation of the process. 
  • Provisions on enforcement and penalties will be added later, once the final form of the main obligations is settled. However, the discussion document confirms there will be a shared enforcement regime, with the Ministry of Business, Innovation and Employment responsible for compliance and enforcement functions under the CPD bill, and the privacy commissioner responsible for compliance and enforcement under the Privacy Act, in relation to personal information. This shared enforcement regime will be managed through a Memorandum of Understanding. The discussion document also confirms the previously proposed tiered penalty regime, including significant fines for breaches of obligations. However, the extent to which the penalties will be applied in relation to privacy breaches remains unclear. This further reinforces the disparity between the Privacy Act and the CPD bill in relation to financial penalties. 

Submissions on the CPD bill are due by 24 July. The privacy commissioner has encouraged submissions on the bill, particularly in relation to the privacy aspects of the proposals. As this represents the most significant change to New Zealand's privacy regime since the passing of the Privacy Act 2020, IAPP members should certainly take note and make their views known to MBIE. We will also have an opportunity to discuss the impact of the bill at the upcoming IAPP ANZ Summit 2023 in November, so keep an eye out for announcements. 

In the meantime, enjoy the digest, stay safe and be kind.

Ngā mihi,
Daimhin