Core principles

The draft law is underpinned by the core principles of Respect, Care and Trust. These principles guide our consumer data right so it functions well for all in Aotearoa New Zealand.

Respect means …

  • Use of the services regulated by the draft law is opt-in for consumers, who can opt out at any time.
  • Customer data is only ever exchanged with the free and informed consent of the customer.
  • Data holders and receivers must ensure consent can be easily withdrawn at any time.
  • Penalties apply if customer data is accessed in breach of the rules.

Care means …

  • The government can set standardised safeguards, processes, and penalties around the electronic exchange of customer data. This means all customers using the system can have confidence in the level of protection provided for their information.
  • The government does not access, hold onto or transmit customer data at any point during the exchange.

Trust means …

  • Privacy protections for personal information remain in place at all times.
  • Only trusted people, with trusted systems, are able to make data or action requests using the draft law, thanks to the accreditation regime.
  • Enforcement action on breaches is taken by MBIE or the Office of the Privacy Commissioner, depending on the nature of the issue.

Tied to those principles are these important concepts:

The Bill does not mean businesses have to create or collect new data about you

The Customer and Product Data Bill creates standards and rules around the exchange of existing data which businesses already create or hold about customers – like account and transaction information. It does not create new obligations to collect or create data.

The Bill does not give the government powers to store or share your data

The Bill enables standards to be made so that people and businesses can connect and exchange data securely with one another. It also provides for some standard safeguards for customers regarding consent and complaints. It does not create a way for the government to store, view or share your data.

The Bill establishes a consumer data right (CDR) regime – but it will not be mandatory for customers to use this regime

Participation in the CDR is completely opt-in for customers. This means you can choose not to use it. If you do use it, your data will only be shared with your consent, with parties you trust, and it can only be used for the purposes you consent to.

The CDR does not prohibit businesses from using existing data access and exchange arrangements

Many businesses already have existing data access and exchange arrangements. The CDR will not prohibit businesses from using these arrangements. However, the CDR would apply to your business if your business were designated into the CDR system (refer to the last concept for more information on this). If this occurs, CDR data access and exchange arrangements will sit alongside existing arrangements.

Customer data is data a business creates about you. Product data is data about a good or service

Customer data is data a business creates or collects about you (its customer). In the case of a bank, this could be your transaction history. In the case of an energy service provider, it could be information on your specific energy usage.

Product data is data about a good or service a business provides. In the case of a supermarket, it could be the cost of different foods. In the case of a mobile phone plan provider, it might be information about what the data, text and call allowances are for each of its plans.

The draft Customer and Product Data Bill sets the ground rules around access to, and exchange of, customer and product data. The Bill is very high level – it creates the framework for the CDR regime, but it doesn’t provide all the specific detail about how it will work in different scenarios. This is because a lot of this detail will come when the regulations, standards and designations are developed later.

There will be a new period of engagement and consultation when these are being created. There is a while to go until the first business is brought into the CDR regime.

The Customer and Product Data Bill creates a high-level framework which can be applied to the whole economy. It will be ‘turned on’ sector by sector, through ‘designations’ (which are provided for in the Bill). There are a few years to go until the first sector is designated into the framework established by the Bill. But when we do begin to consider which data in which sectors will be designated, there will be a period of consultation where we engage with the sector and businesses in it – there will be no surprises.

Last updated: 18 August 2023