Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

New Zealand: Parliament introduces Customer and Product Data Bill

On May 15, 2024, the New Zealand Parliament introduced a Customer and Product Data Bill (the Bill). The Bill aims to establish an economy-wide framework to enable greater access to and sharing of customer and product data between businesses. Notably, it aims to provide for consumer data rights in designated sectors, giving customers greater control over how their data is accessed and used, promoting innovation, enabling competition, and facilitating secure, standardized, and efficient data services.

What is the scope of the Bill?

The Bill applies to:

  • New Zealand agencies; and
  • overseas agencies in relation to conduct in the course of carrying on business in New Zealand.

What are some key definitions?

The Bill defines the following key terms:

  • data holder: a person of a class specified in regulations made under the Bill that holds customer data or product data of a kind that is designated in those regulations;
  • customer data: data that is about an identifiable customer that is held by a data holder; and
  • regulated data service: the service of providing data or performing an action under Part 2 of the Bill.

What are some key obligations for businesses?

The Bill mandates a data holder to:

  • provide data about a customer at the request of the customer or an accredited requestor;
  • perform an action relating to a customer at the request of the customer or an accredited requestor, subject to meeting certain requirements;
  • deal with joint customers (e.g., joint holders of a bank account) in accordance with requirements prescribed in the regulations made under the Bill;
  • provide data about a product at the request of any person, provided that the data is designated by the regulations, the request is valid, and the request is made using an electronic system;
  • deal with secondary users (e.g., a director may be a secondary user for a customer that is a company) in accordance with requirements prescribed in the regulations;
  • operate an electronic system for providing regulated data services with reasonable reliability that complies with technical or performance requirements set out in the regulations;
  • maintain certain records and policies relating to customer data, product data, and action performance; and
  • have a complaints process relating to its conduct in connection with regulated data services.

What are the enforcement powers under the Bill?

The Bill empowers the chief executive (acting as the regulator of regulated data services) to issue a notice requiring a person to supply information or produce a document for inspection. Failure to do so constitutes an offense, liable to a fine not exceeding AUD 100,000 (approx. $66,600) in the case of an individual or AUD 300,000 (approx. $199,820) in any other case.

Furthermore, the Bill provides for the chief executive to issue an infringement notice to a person believed to be committing or to have committed an infringement offense (defined as relatively minor contraventions of the Bill). The penalty for infringement offenses are:

  • an infringement fee of AUD 20,000 (approx. $13,320); or
  • a fine imposed by a court not exceeding AUD 50,000 (approx. $33,300).

Finally, the Bill notes that a request for data under the Bill (that involves personal information) is not a request under information privacy principle 6 (access to personal information) as set out in Section 22 of the Privacy Act 2020.

You can download the bill here and track its progress here.