A new Consumer Data Right in New Zealand

In a significant update in data privacy and usage regulations in New Zealand, there have been recent developments to the New Zealand Draft Customer and Product Data Bill (the “Bill“), which aims to establish a Consumer Data Right (CDR) in New Zealand.

Current Status and Scope

Currently before Parliament, the Bill has not yet been enacted into law. It defines “customer data” to include account histories, transaction records, and product usage information for individuals and businesses, which is distinct from the “personal information” protected under the Privacy Act 2020 (Privacy Act).

Impact on Businesses

Initially, the Bill will be applied to the banking and electricity sectors, with other sectors to be designated in the future. Companies outside these sectors should start considering how they might utilise their own customer data once the Bill becomes law.

Future Implications

Businesses in sectors designated in the future may be required to make product-related data about their customers available in machine-readable formats. This will help customers make informed decisions, facilitate comparisons, and enable easier switching of services. Businesses will need to improve their processes to manage and share customer data more efficiently and to remain compliant with the regulation.

The Bill may also require businesses to share customer-related data upon request, potentially raising confidentiality concerns. However, amendments to the draft Bill aim to limit the obligation to share commercially sensitive or proprietary data. Organisations will have opportunities to make submissions before their sector is designated.

Key Features and Updates:

  • Data Sharing: Customers can request data holders to share information with accredited third-party service providers, such as comparison websites.
  • Designated Sectors: The Bill initially applies to the banking and electricity sectors, with plans to extend to telecommunications, energy, insurance, and health.
  • Accreditation and Security: Accredited requestors must meet various criteria, including a ‘fit and proper’ person test and certain data protection and security requirements.
  • Declining Requests: Data holders can refuse requests under certain circumstances, such as threats to IT system security or requests made under the threat of physical or mental harm.
  • Privacy Integration: The Bill clarifies data requests are distinct from those under the Privacy Act. However, breaches of certain requirements under the Bill will be treated as having committed an “interference” under the Privacy Act, and contraventions relating to storage and security may be considered breaches of security obligations under the Privacy Act.
  • Penalties and Compensation: Penalties range from low-level infringement notices of up to NZ$20,000, through to fines of up to NZ$2.5 million for more serious breaches by companies.


Next Steps

The Bill encourages the continuation of industry-led solutions and aims to leverage existing standards and expertise, especially in the banking sector where significant progress has already been made. These frameworks will help shape future CDR regulations and standards.

The team at Source will continue to monitor the Bill’s progress and provide updates.


Need help navigating how CDR might affect your organisation? Contact us for support.

Related articles

Understanding the Hawking Prohibition in Financial Services
What the new rules for casual employees mean for employers: 3 changes to be aware of
Beyond the office: Our guide to remote working
Privacy Awareness Week 2024

Subscribe to Receive Our Latest Offers and Updates.

Get in