A Deep Dive into The Customer and Product Data Bill

The Customer and Product Data Bill is a landmark piece of legislation that will give customers more say over their data.

Category: Insight | Tech

Published Date: 7 July 2023

What’s happening?

New Zealand’s much-anticipated “consumer data right” legislation – the Customer and Product Data (CaPD) Bill – was released in draft form on 22 June.

The Bill provides a framework for the easy and safe exchange of customer data and, importantly, allows customers to require designated data holders (like banks) to share information with accredited data requestors (like fintech companies).

It is intended to:

1.   Improve customers’ access to and control of their own data.

2.   Standardise how data is exchanged.

3.   Ensure those who request access to data are accredited as trustworthy.

While there is much to be decided and the current Bill is only a discussion draft, we now know enough (from the Bill itself and the accompanying MBIE Discussion Document) to take a first deep dive into what will be a new open data regime for New Zealand.

The legislation is significant, as it’s rare that governments seek to participate this actively in the economy – to influence particular commercial outcomes, business models and ways of engaging with customers.

HGM White Paper

For those short on time, we’ve listed the highlights in quickly digestible form below.

Otherwise, we have put together a more detailed white paper expanding on some key themes – which you can access here.

What next?

Initial consultation on the draft Bill closes on 24 July. The Government aims to introduce legislation to Parliament (incorporating any changes following initial consultation) by the end of 2023, at which point the usual legislative process (including a further opportunity for public consultation at Select Committee stage) will apply.

MBIE has provided a template for respondents to use for submissions. The template (along with more information on the process) is available here.

The highlights

• MBIE has summarised the core principles of the legislation as “Respect, Care and Trust”. These broadly reflect the three key aspects of the regime – customer consent, data security standards, and accreditation of data recipients.

• The draft Bill provides a high-level framework for the CaPD regime, but most of the detail in key areas is left to subsequent regulations and standards. We’ve included a table at the end of the white paper setting out what the regulations and standards will cover.

• The regime potentially covers the entire economy but will only be “switched on” for specific sectors and data types on a case-by-case basis. The banking sector will be the first designated.

• A “customer” is widely defined to include any business or organisation (as well as consumers). This opens the door for B2B relationships and use cases.

• A fundamental pillar of the regime is that “action initiation” is in scope, not just data access. For open banking, this will enable customers to authorise payments directly from their accounts.

• Consent is at the heart of the regime. Almost everything that happens (including the initial data exchange and any subsequent transfers by data requestors) needs to happen with customer consent.

• Consent is particularly important for CaPD because it’s a mandatory regime – data holders will have virtually no ability to decline a valid data request once customer consent is provided.

• Like similar overseas regimes, the draft Bill provides for common data and security standards to be set by regulation (for example, technical standards for developing the APIs that will facilitate data exchange and action initiation).

• The Government has highlighted its desire to build on existing industry work – particularly the standards already developed by Payments NZ for the API Centre programme.

• Recipients of CaPD data will need to be accredited. MBIE has suggested a three-pronged approach for accreditation, including a “fit and proper person” test, information protection and security measures, and (possibly) evidence of appropriate insurance. More stringent requirements will apply if the requestor wants “write access” (the ability to initiate actions on behalf of customers).

• In the areas of consent, security and accreditation (as well as the proposed enforcement and penalty regime) the CaPD regime imposes a significant extra layer of compliance on existing data sharing and privacy frameworks. This raises the question of whether New Zealand is creating a two-tier system for data privacy, and brings the adequacy of the existing Privacy Act regime into focus.

• The regime will involve significant operational complexity outside the core data exchange and accreditation standards – for example, handling the different buckets of “CaPD” and “non-CaPD” data, the treatment of derived or “value-added” data, and requirements around data policies and ethics.

• MBIE says “the draft law could benefit significantly from looking to and learning from the principles and concepts of Māori Data Governance”. This may create an opportunity to address obligations under te Tiriti o Waitangi and to provide for culturally-grounded data governance and regulation where appropriate.

• The draft Bill was informed by the Australian Consumer Data Right legislation. It also allows consistency with international standards to be considered as a factor in the development of any binding data exchange standards, and enables the setting of accreditation criteria similar to those in Australia and the UK.

• The draft Bill does not include a “reciprocity” regime – with the Government seemingly prioritising maximising uptake over the risks of an uneven playing field for data holders.

• The draft Bill does not include a separate class of accreditation for “intermediaries” or data aggregators. They are required to be accredited themselves, and to ensure they have the consent of the underlying customer to pass data onto their data requestor clients.

• Regulations will govern how consent and data access will be handled for joint account holders and “secondary users” (e.g. people with authority to act on behalf of companies).

• Previous Cabinet papers had identified the Commerce Commission as the enforcement agency for CaPD; however, the draft Bill confirms MBIE in this role.

• The draft Bill is silent on much of the detail on enforcement and penalties. However, the Discussion Document outlines the likely regime, involving fines of $20,000 (for minor infringements) through to $5 million, three times the value of relevant commercial gain, or 10% of turnover in the relevant period (for intentional/reckless deception or fraud).

• Initial consultation on the draft Bill closes on 24 July. The Government aims to introduce legislation to Parliament (incorporating any changes following initial consultation) by the end of 2023, at which point the usual legislative process (including a further opportunity for public consultation at Select Committee stage) will apply.
