The Ministry of Business, Innovation and Employment (MBIE) has recently released an exposure draft of the Customer and Product Data Bill (the Bill) for consultation, which would establish a consumer data right (CDR) in New Zealand. MBIE are seeking feedback on the exposure draft and how this new system for consumer data protection should work. Businesses that deal in data or that are in one of the key potential designated sectors (eg banking, telecommunications and energy) will want to consider the proposed draft Bill, whether they'd like to make a submission on the Bill and what the ramifications of a CDR may be for their operations.
What is a CDR?
The intent of a CDR is to give customers (including businesses and individuals) greater control over the use of their data. The purpose of this is to help innovators create new products and services and increase competition, thereby benefitting customers by leading to reduced prices, improved product offerings and greater productivity. Specifically, the Bill intends to unlock the value in customer data by:
- Improving customers’ access and control of their own data
- Standardising how data is exchanged
- Ensuring those who request access to data are accredited as trustworthy.
As currently proposed, the CDR regime will apply to the entire economy but will be turned on gradually in individual sectors through designation regulations (that will identify particular data holders, product data and customer data).
Once introduced, the law will apply extra territorially to customer or product data held by those carrying on business in New Zealand irrespective of where data is collected or held, or where the customer or product concerned is located. As with the Privacy Act 2020, the scope of "carrying on business" is broad and will apply to businesses regardless of whether they receive payment for goods of services or make any profit from their business in New Zealand. However, the regime will only capture businesses that apply for accreditation or are brought into the scope of the regime through the designation regulations.
As currently set out, MBIE will be responsible for monitoring compliance and enforcement of the CDR regime, but the Privacy Commissioner will retain all of their existing functions and powers in relation to any obligations in the Bill that relate to Privacy Act safeguards.
What happens next?
MBIE is seeking feedback on a number of issues, including:
- Requirements in relation to consent and ensuring that it is express and informed and how tikanga values might make these rules stronger
- What data should be within scope of the regime
- How MBIE should build on industry work to date, while making sure the standards work for diverse data holders and customers
- Who should be accredited to connect and share data with data holders.
As part of the consultation process, MBIE is also hosting a number of online webinars over the next few weeks (registration is available here). Submissions close on 24 July 2023. We recommend those with an interest in data sharing use this opportunity to engage with the Bill and make submissions - please get in touch with one of our team if you would like to discuss.
This article was co-written by Alex Chapman (senior associate), Kate Barber (solicitor) and Renee Stiles (partner).