By Louisa Joblin & Sophie Phillips*
The Customer and Product Data Bill (the Bill) will introduce a “consumer data right” or “CDR” to New Zealand, intended to give people greater access to their own data and allow it to be shared between businesses.
The CDR is seen as a key way to facilitate open banking in New Zealand, with banking being one of the first sectors to which the CDR will apply when the Bill becomes law.
The Bill has passed its first reading in Parliament and is currently before the Economic Development, Science and Innovation select committee.
The CDR will give customers and small businesses rights to:
Request customer data held about them from a data holder, which can then be shared with third parties;
Request a data holder to carry out certain actions on their behalf, such as opening accounts or making payments;
Authorise an “accredited requestor” to request data about them, or request a business carry out certain actions on their behalf; and
Request data about the goods and services a business offers.
In practice, the CDR is anticipated to allow customers to do things such as switch providers more easily for services like banking, electricity, and telecommunications, by sharing their data with their new provider through a secure method and with their consent.
The Bill includes a designation process by which the law will apply to particular sectors at a time — with CDR first being implemented in the banking and electricity sectors.
There has been some criticism that important aspects of the CDR are left to be dealt with in regulations to be passed when the Bill becomes law. While this is likely intended to ensure flexibility for the application of the CDR framework to specific markets / sectors, it is arguable that enshrining more detail in the primary legislation would give consumers greater certainty about the safety and security of the CDR system.
What businesses can do to prepare
The CDR is expected to change consumer behaviour and the way businesses operate. For those businesses to which the law applies, there will likely be compliance costs in getting their systems ready to handle CDR, including sharing data securely, to avoid the substantial penalties for non-compliance.
In anticipation of the Bill becoming law, businesses will need to begin to prepare for the CDR:
1. Technology
The Bill aims to ensure designated sectors make data available in an electronic, secure, and standardised manner.
Businesses in the electricity and banking sectors should ensure they can make data available in a standard format, and that their systems support sharing in an efficient and secure manner.
Businesses in those designated sectors may wish to carry out an audit on the technology they currently use to send and receive data. Technology may need to be updated and improved, or entirely new systems may need to be implemented.
2. Policies and Processes
The Bill requires a data holder or an accredited requestor to have a customer complaints process in connection with the data services provided or requested. The Bill also requires data holders and accredited requestors to have one or more policies relating to customer data, product data, and the performance of actions under the Bill.
Businesses will need to review and update these processes and policies, or implement them if they do not already have them in place, before the Bill comes into effect for their sector.
3. Data exchange and security
Businesses will need to implement safeguards for the exchange of customer data, and train staff to handle customer data securely, in a way that complies with privacy and data protection laws. That will include having systems and processes for authenticating a customer’s identity and obtaining their consent, strong security safeguards, and robust training in privacy compliance.
Overseas experience
The Bill will allow New Zealand to follow the path set by Australia, the United Kingdom, and Europe in creating a “consumer data right”, as CDR regimes have already been implemented in those jurisdictions.
Notably, Australia initially applied its CDR regime to the banking and energy sectors, so New Zealand has been influenced by the Australian approach, following its lead in applying the regime sector by sector and choosing those sectors first.
While some have lamented New Zealand being behind other countries in the implementation of a CDR, as with any legislative solution, preparation and implementation take time, and ultimately require a government minded to support the initiative.
The Bill was already underway under the previous Government, and has been picked up by the current Government. In that time, New Zealand has had the opportunity to learn lessons from experiences overseas.
During the first reading of the Bill, Commerce and Consumer Affairs Minister Andrew Bayly stated, “the advantage of our slow start is that we’ve been able to learn from others’ mistakes. Open banking has been slow in Australia…we’ve observed what has happened and learnt from this and adapted our framework so the same won’t happen here.”
Privacy implications
Some international privacy regimes, including the European Union’s General Data Protection Regulation (GDPR), include a “right to data portability”: the ability for individuals to request their personal information be moved from one agency to another in a readily accessible format. Until now, there has been no comparable right available under New Zealand’s privacy law.
The CDR will introduce the concept of data portability in the context of the specific sectors to which it applies, which increases the rights available to New Zealanders to exercise over their personal information.
Moving and sharing customer data between businesses will inevitably create risks for the privacy of that information, such as fraudulent requests for personal information, unauthorised disclosures, and misuse of access.
The protection of customer data will need to be robust, because the CDR will likely lead to large volumes of customer data being sent between businesses and may have cross-border application.
Businesses will need to put in place appropriate safeguards to ensure that customer data is protected, for example by ensuring that a customer’s consent is obtained and that their identity is verified. The Bill also stipulates privacy-focused controls, including that only accredited requestors who have the authorisation of the customer will be able to request customer data or request actions on a customer’s behalf.
Accreditation is required to demonstrate the third party requesting data is “trustworthy, competent and secure.”
Contravention of the provisions in the Bill relating to the storage of data and security requirements will be treated as a breach of information privacy principle 5 of the Privacy Act, giving consumers an avenue to seek a remedy in the event of breach.
We now await the report of the select committee and the Bill’s progress, and will see with time whether the CDR effectively allows New Zealanders to benefit from having greater control over their own data, including ease of sharing, while also adequately protecting personal information.
*This article was prepared by Louisa Joblin, Special Counsel, and Sophie Phillips, Graduate, from Duncan Cotterill’s Data Protection and Privacy Team.