Customer and Product Data Bill

2.1. Are there any publicly available inquiry, review or evaluation reports that have informed, or are relevant to, the policy to be given effect by this Bill?

YES

Discussion document: Options for establishing a consumer data right in New Zealand, Ministry of Business, Innovation and Employment, 5 August 2020 https://www.mbie.govt.nz/dmsdocument/11625-discussion-document-options-for-establishing-a-consumer-data-right-in-new-zealand

New Zealand firms: Reaching for the frontier, Productivity Commission, April 2021 https://www.productivity.govt.nz/assets/Documents/Final-report-Frontier-firms.pdf

Discussion document: Unlocking value from our customer data, Ministry of Business, Innovation and Employment, 22 June 2023 https://www.mbie.govt.nz/dmsdocument/26877-unlocking-value-from-our-customer-data-bill-discussion-document-pdf

2.2. Does this Bill seek to give effect to New Zealand action in relation to an international treaty?

NO

2.3. Were any regulatory impact statements provided to inform the policy decisions that led to this Bill?

YES

Regulatory Impact Statement: Establishing a Consumer Data Right, Ministry of Business, Innovation and Employment, Published 9 July 2021. A copy of the RIS is available at:

https://www.mbie.govt.nz/dmsdocument/15545-regulatory-impact-statement-establishing-a-consumer-data-right-proactiverelease-pdf

Supplementary Regulatory Impact Statement: Further decisions on establishing a consumer data right, Ministry of Business, Innovation and Employment, 19 December 2022. A copy of the RIS is available at: https://www.mbie.govt.nz/dmsdocument/25845-supplementary-regulatory-impact-statement-further-decisions-on-establishing-a-consumer-data-right-proactiverelease-pdf

2.3.1. If so, did the RIA Team in the Treasury provide an independent opinion on the quality of any of these regulatory impact statements?

YES

A quality assurance panel with members from the Treasury’s Regulatory Impact Analysis Team and the Ministry of Business, Innovation and Employment (MBIE) reviewed the first Regulatory Impact Statement (RIS) “Establishing a consumer data right” finalised by MBIE on 23 June 2021. The review panel’s opinion is set out in the Cabinet paper that this RIS accompanied: https://www.mbie.govt.nz/dmsdocument/15536-establishing-a-consumer-data-right-proactiverelease-pdf.

The second RIS “Supplementary Regulatory Impact Statement: Further decisions on establishing a consumer data right” did not meet the threshold for receiving an independent opinion on the quality of the RIS from the RIA Team based in the Treasury.

2.3.2. Are there aspects of the policy to be given effect by this Bill that were not addressed by, or that now vary materially from, the policy options analysed in these regulatory impact statements?

NO

2.4. Has further impact analysis become available for any aspects of the policy to be given effect by this Bill?

NO

2.5. For the policy to be given effect by this Bill, is there analysis available on:

(a)   the size of the potential costs and benefits?

YES

(b)   the potential for any group of persons to suffer a substantial unavoidable loss of income or wealth?

NO

The RIS identifies a range of benefits for customers and businesses from enabling greater data portability.[1] For consumers these include improvements to the range and quality of goods and services, greater choice and convenience, easier switching between providers and plans, and more control over their data. For businesses, these include opportunities to introduce new products and improve productivity.

It is difficult to estimate the overall monetary value of benefits to customers or businesses as this is contingent upon a number of factors, including the market or sectors that are designated, the scope of any designations, the rate of innovations that rely on the transfer of data, and overall participation. However, research in New Zealand and the United Kingdom suggests that improving switching alone could allow individual customers to save significant sums each year by moving to alternative bank accounts, and electricity or mobile plan providers that better suit their needs.[2]

Businesses within a designated sector would be required to put in place systems and processes that enable data to be shared in a machine-readable format. The extent of these costs will vary depending on the size of the market, the types of data subject to the consumer data right, and whether businesses are already complying with other portability regimes. Those wishing to access to access data will incur costs associated with obtaining accreditation. The cost of accreditation may be greater for smaller providers or new entrants, who are less likely than larger providers to have already made adequate investment in infrastructure to handle and protect data.

Government will incur indicative costs of approximately $10 million to $19 million per year, however, the amount will depend on how its rulemaking, enforcement, accreditation and registry functions are implemented.

2.6. For the policy to be given effect by this Bill, are the potential costs or benefits likely to be impacted by:

(a)   the level of effective compliance or non-compliance with applicable obligations or standards?

YES

(b)   the nature and level of regulator effort put into encouraging or securing compliance?

YES

Benefits will only be realised to the extent that data holders comply with core obligations under the Bill to implement electronic systems to give effect to requests for data and actions. However, the Bill provides MBIE with a full range of compliance, monitoring and enforcement powers, and given this and the nature of the regulated population (primarily larger firms that hold significant amounts of customer data) we do not anticipate that there will be a high rate of non-compliance.

3.1. What steps have been taken to determine whether the policy to be given effect by this Bill is consistent with New Zealand’s international obligations?

MFAT has been consulted on the content of the Bill.

3.2. What steps have been taken to determine whether the policy to be given effect by this Bill is consistent with the principles of the Treaty of Waitangi?

MBIE officials have considered findings by the Waitangi Tribunal in relation to Māori data[3], consulted with Māori, including both individuals and iwi, Māori data experts, Māori data service providers, and sought and considered advice from the Treaty Provisions Oversight Group. The Bill ensures that the views of iwi/Māori are considered when setting the rules in secondary legislation for how and what data is accessed and what protections there should be around how this data is accessed. This will help ensure the Bill supports uses of data by hapū and iwi are, and there are appropriate protections around use of data, which is consistent with treating Māori data as taonga.

3.3. Has advice been provided to the Attorney-General on whether any provisions of this Bill appear to limit any of the rights and freedoms affirmed in the New Zealand Bill of Rights Act 1990?

YES

Advice provided to the Attorney-General by the Ministry of Justice, or a section 7 report of the Attorney-General, is generally expected to be available on the Ministry of Justice’s website upon introduction of a Bill. Such advice, or reports, will be accessible on the Ministry’s website at https://www.justice.govt.nz/justice-sector-policy/constitutional-issues-and-human-rights/the-bill-of-rights-act/advice/.  

3.4. Does this Bill create, amend, or remove:

(a)   offences or penalties (including infringement offences or penalties and civil pecuniary penalty regimes)?

YES

(b)   the jurisdiction of a court or tribunal (including rights to judicial review or rights of appeal)?

YES

The Bill’s offences and penalties regime and jurisdiction of a court or tribunal is included in Appendix One.

3.4.1. Was the Ministry of Justice consulted about these provisions?

YES

The Ministry of Justice was consulted on the jurisdiction of a court or tribunal clauses in the Bill and was comfortable with the approach taken. The Ministry was consulted on clauses in the Bill relating to the offences and penalties regime and defences. Feedback from the Ministry on the penalties and offences regime and defences (and our responses to their feedback) is included in Appendix One.

3.5. Does this Bill create, amend or remove any provisions relating to the collection, storage, access to, correction of, use or disclosure of personal information?

YES

Much of the Bill relates to access to customer data, including personal information, by customers and authorised third parties. These include obligations in clauses 14–16, 27, 38–44, and regulations and standards made in accordance with clauses 28, 31 and 33.

The Bill also contains provisions setting out how information privacy principles under the Privacy Act 2020 apply to requests and storage and security in clauses 52 and 53. Clause 52 specifies that requests for customer data are not IPP 6 requests and, accordingly, nothing in part 1 of Part 4 of the Privacy Act 2020 applies. Notwithstanding, for the purposes of Parts 5 and 6 of the Privacy Act, an action of the data holder must be treated as being an interference with the Privacy of an individual if the data holder contravenes the provisions relating to requests for customer data. Clause 53 provides that certain contraventions relating to storage and security (clause 38(3) or 44(2) must be treated as breaching information privacy principle 5 set out in section 22 of the Privacy Act 2020 for the purposes of Parts 5 and 6 of that Act.

In line with the purpose of the Bill, these provisions seek to enhance the access that customers otherwise have to their personal information, by facilitating secure, standardised, and efficient data services.

3.5.1. Was the Privacy Commissioner consulted about these provisions?

YES

The Privacy Commissioner has been consulted about these provisions. See Appendix Three for the Privacy Commissioner’s feedback on these provisions.

3.6. Has there been any external consultation on the policy to be given effect by this Bill, or on a draft of this Bill?

YES

There have been two rounds of public consultation: on the policy underlying the Bill and on a draft of the Bill. These have informed the policy design in the Bill.

On 29 July 2020 Cabinet agreed to release a discussion document seeking feedback on options for establishing a consumer data right in New Zealand [DEV-20-MIN-0155]. Overall, submitters agreed that New Zealand needs a consumer data right to realise the economic and consumer welfare benefits by removing the barriers that are preventing widespread data portability. There was broad support among submitters for the Bill’s sectoral-designation model, similar to that in Australia. There were differing views from submitters on issues such as the extent of any privacy protections that the Bill should provide in addition to the Privacy Act 2020

On 19 June 2023 Cabinet agreed to release of the draft Customer and Product Data Bill and accompanying discussion document [CAB-23-MIN-0425]. Submitters were able to provide feedback through a variety of different means, including through formal written submissions, online webinars and workshops, and a consumer-focused survey. We received 940 responses to the consumer-focused survey. We also had more than 330 participants attend our online webinars, our online workshop in collaboration with industry, and three hui with iwi and hapū representatives, and Māori data experts and practitioners. Submitters broadly supported the approach and objectives of the draft Bill. However, they provided feedback on a range of specific issues, including issues relevant to the draft Bill, issues for future regulations and standards, and operational and implementation considerations.

3.7. Have the policy details to be given effect by this Bill been otherwise tested or assessed in any way to ensure the Bill’s provisions are workable and complete?

YES

MBIE has engaged with international counterparts, including the Australian Treasury and the Australian Competition and Consumer Commission about their legislative regimes and the Bill.

4.1. Does this Bill contain any provisions that could result in the compulsory acquisition of private property?

NO

4.2. Does this Bill create or amend a power to impose a fee, levy or charge in the nature of a tax?

YES

Clauses 127 and 128 provide for prescribed fees and charges in connection with the performance or exercise of any function, power, or duty of the chief executive under the Bill.

Clause 129 allows for levies to be prescribed for data holders and accredited requestors to cover:

a)    a portion of the costs of the chief executive of MBIE when performing or exercising their functions, powers, and duties under the Bill

b)    a portion of the costs of the Privacy Commissioner in performing or exercising their functions, powers, and duties under the Privacy Act 2020 in connection with a contravention referred to in section 52(3) or 53(1)

c)     to cover the costs of collecting the levy money.

This may be preferred to recovering those costs from general taxation where the benefits of the Bill are received by a limited group (e.g. data holders, accredited requestors and customers in a particular designated sectors).

As well as restricting levies to regulator costs incurred under the Bill, safeguards include a requirement on the Minister to consult on any proposed levies (clause 131), an ability for regulations to provide for refunds of any over-recovery of actual costs (clause 129(6)(d)).

4.3. Does this Bill affect rights, freedoms, or impose obligations, retrospectively?

NO

4.4. Does this Bill:

(a)   create or amend a strict or absolute liability offence?

YES

(b)   reverse or modify the usual burden of proof for an offence or a civil pecuniary penalty proceeding?

NO

The Bill contains strict liability offences in clauses 30 (failing to comply with notice to test electronic system), and 58 (failing to comply with notice to supply information or produce documents). These offences are of a regulatory nature and are subject to a defence of reasonable excuse. Where a defendant points to evidence capable of amounting to a reasonable excuse, the burden is on the prosecution to prove the lack of any such excuse.  

4.5. Does this Bill create or amend a civil or criminal immunity for any person?

NO

4.6. Does this Bill create or amend a decision-making power to make a determination about a person’s rights, obligations, or interests protected or recognised by law, and that could have a significant impact on those rights, obligations, or interests?

NO

4.7. Does this Bill create or amend a power to make delegated legislation that could amend an Act, define the meaning of a term in an Act, or grant an exemption from an Act or delegated legislation?

YES

Regulations can exempt persons from compliance with any requirement in the Act (clause 135). This is considered necessary to accommodate any unique circumstances in particular sectors of the economy, or particular participants, that may make compliance with specific provisions of the Bill unduly onerous or burdensome. Before recommending an exemption, the Minister must have regard to the purpose of the Act, and be satisfied that the extent of the exemption is not broader than is reasonably necessary to address the matters that gave rise to the exemption. There is also a requirement to publish a statement of reasons.

4.8. Does this Bill create or amend any other powers to make delegated legislation?

YES

The Bill includes powers for the Minister to make regulations (clauses 97–100, 126-131), and for the chief executive of the administering Ministry to make technical standards (clauses 132-134). The Bill provides an enabling framework for a consumer data right, but individual sectors of the economy will be brought into the regime one at a time by regulations. This is necessary to ensure that the costs associated with the Bill are only incurred where there will be sufficient benefits. Different detailed requirements will need to be implemented in each sector, appropriate to the nature of the businesses, customer data and goods and services provided. In addition, the Bill’s core duties rely on implementation of an electronic system, and the functionality that will be required to be provided by that system is technical in nature and subject to frequent updates.

A number of safeguards for regulations are provided by clauses 98, 99, 126(2) and 131. These comprise considerations that the Minister must have regard to before recommending regulations, and consultation requirements.

Safeguards are provided for standards made by the chief executive. Clause 134 requires consultation. Clause 133 requires the chief executive to comply with any requirements, limits and restrictions prescribed by the regulations.

4.9. Does this Bill contain any provisions (other than those noted above) that are unusual or call for special comment?

NO