What does the draft law do?
On this page we explain why the draft law is being explored, what problems it seeks to address, and how it will create better outcomes for all in Aotearoa New Zealand.
Businesses today hold lots of data about their customers
When businesses like banks, power companies and mobile phone companies provide us with services, data is created – for example, account histories, transaction records or information on product usage. This is ‘customer data’. It is held by businesses and is protected by business security measures (as well as the Privacy Act 2020 in the case of personal information).
This data could be used to improve the lives of customers, but customers are often prevented from unlocking its full value
Customer data holds enormous value and opportunity, but only if customers are able to make full use of it. For example, a customer may want to share information about their power usage with a price-comparison application to find out which power provider would be cheapest for them based on their consumption habits. Or they might want to put that information through a carbon-footprint calculator, to learn more about their emissions profile.
Unfortunately, consumers are generally unable to access or exchange their data in a way that would enable them to unlock the full value of their data.
The draft law would give customers greater control over their data, by allowing them to choose to exchange it with trusted third parties
The draft law unlocks the value of data for people and their businesses by:
- improving customers access to and control over their own data
- allowing for customers to request that their data be exchanged in a standardised way, and
- ensuring those who access data using the draft law are accredited as trustworthy.
In practical terms, it will give customers the power to ask that a business share their customer data with another, trusted business in a safe and secure manner. This will allow for new, data-enabled products and services to be created.
The draft law also means businesses will have to make information about their products available in formats that can be automatically read and processed by a computer. This will enable easy product comparison and switching.
This will improve outcomes for customers and create opportunities for new and exciting products and services
The draft law will help innovators in our economy create new products and services and increase competition. This in turn will benefit customers by leading to reduced prices, improved product offerings, and greater productivity. The draft law also creates opportunity to support by-Māori, for-Māori data initiatives, business-to-business applications, and improved accessibility and inclusion.
Nau mai, haere mai - welcome to our Customer and Product Data Bill explainer video. In this video, we'll explain at a very high level, what the customer and product data build does, what that means for businesses and consumers, and how you can have your say on the design of the bill. We'll also talk about next steps and future timelines.
Let's start by understanding what the new bill will do. When businesses like banks, power companies and mobile phone companies provide us with services data is created. For example, account histories, transaction records, or information on product usage. The data is valuable and could be used to benefit customers. For example, if you could access and exchange data about your power usage, you could use that information to work out which electricity provider would be cheapest for you to use. To do this, though, customers need to be able to access and control their data, as well as exchange it with apps and services they trust. This is where the bill comes in. The Customer and Product Data Bill improves customers access to and control over their data. It also makes it easier to exchange data with consent so that customers can unlock its full value. Let's take a look at what this will mean in practice.
This slide shows how things work at the moment and how things will work once the bill is in place. A diagram appears on screen showing how data can be shared. Currently data about me/my organisation is held by businesses for example: name, address, phone number, transactions, loans, power use, phone call etc. I can ask for it to be shared with anyone already, but how it is shared is a bit random, inefficient, risky and limited to “personal information”. Data remains protected by the Privacy Act and security measures. The bill will have rules or standardised protections to guide the sharing of data to make it easier. This would include standards, easy consumer controls, and an accreditation system for data requestors. As we noted earlier, when businesses provide us with goods and services, they collect and create data about us. This is customer data. Here are some examples of the kinds of customer data businesses collect about us today. A diagram appears on screen showing different kinds of businesses and the different kinds of data they collect. Data collected includes things such as name, address, phone number, transaction history, internet usage, power usage, and more. This data is valuable, and it could be used to benefit you in a number of ways, but only if you can access it and exchange it appropriately. Currently, customers can access and exchange their data, but it's difficult to do so and can be risky. Common methods of exchanging data involve doing things like providing your bank login details to non bank apps, or logging into your bank account through a third party interface. Other methods like sending data over email are a little less risky, but are inefficient or inaccurate. This makes it difficult for you to access and exchange your data easily when you want to. Here are some of those examples on the screen now. A diagram appears on screen showing different kinds of data sharing methods that are used today. These include emails, screen scraping, sharing login information, and hardcopies of information. The Customer and Product Data Bill fixes us by enabling rules to be created which set common standards for data access, control and exchange. The Bill also provides safeguards for customer consent and accreditation of those trusted to connect to customer data. Data will continue to be protected by the Privacy Act and business security measures just like it is today. But it will now be a lot easier to manage and exchange your data if you choose to do so. In short, the Bill makes it easier for you to control the data businesses hold about you.
Let's take a look at a concrete example to show how this would work in practice. Let's say you want to get some budgeting advice from an app which looks through your spending and helps you identify where you can cut unnecessary expenses. To get the best out of the app, you need to provide it with your transaction history in an easily readable format. Your transaction history is held by your bank as your customer data - all you have to do is get it from your bank to the budgeting app. At the moment to get this data across, you have to use methods which are dangerous or slow. For example, you could share your transaction data with the app by sharing your login details. But this is risky and could cause problems for you. Or you could share this transaction data by asking the bank to send you a hard copy of your transactions, and then take those transactions and put them into a spreadsheet, which you could then send through to the budgeting app. But this is slow and time consuming. The Customer and Product Data Bill fixes this by creating roles and safeguards to enable easy exchange, the bill would allow you to ask your bank to provide the data to the budgeting app on your behalf. This enables you to easily and safely exchange your data if you want. The data would only be exchanged if you asked for it to be exchanged, and there would be a number of safeguards in place to make sure the exchange was safe, your consent was central to it, and you can withdraw from the exchange at any time.
So that's how the customer data part of the Bill will work. But the Bill doesn't only apply to customer data. It will also allow us to unlock value from product data to save us time and money. Put simply product data is information about a good or service that a business provides. Here are some examples on the screen. This product data is made available to us through methods such as websites, ads and direct to consumer marketing. The Customer and Product Data Bill makes it easier to access product data by setting standard data points that businesses must make available about their offerings and making that data machine readable. In other words, able to be automatically read by a computer application. This will make it easier for customers to compare information about products. Let's take a practical example. Say you run a price comparison website which helps customers find the cheapest mobile plan. At the moment to make your website work you have to regularly check the website for all the different mobile companies to note down the prices of their mobile plans, then you take this information and manually input it into your website yourself. With the customer and product data bill, mobile phone companies could be asked to make this product data easily available and machine readable. That way instead of manually checking every website, you could set up a computer app that collects price data from different mobile plan providers and inputs it into the website. This will save you a lot of time and money and mean your price comparisons can now be done in real time. We think this will make it easier for customers to switch products and get a better deal. It could also help to ensure that businesses and their products are more transparent and competitive.
So now we've covered what the bill will do. Let's take a look at what is inside the bill itself. The bill establishes the framework for giving customers more access to and control over their data, standardizing methods of exchanging that data by building on and adopting industry standards already in place, and accrediting those who are trusted to request data or request actions on behalf of the customer.
The bill keeps customer consent central to everything. Customers opt into using the cdr and can withdraw from using it anytime. The bill also requires designated data to be provided on request, so designated data holders have to provide designated product and customer data according to specified safeguards and standards. The bill could potentially apply to the whole economy, including the crown, so data held by government could become designated into the system. And the bill relies on the Privacy Act as much as possible. That means that there's a whole lot of things our bill doesn't do, because it's already covered by the Privacy Act.
The bill does not govern the creation, collection, storage or deletion of information. It does not limit on use or on disclosure of information. It does not change rules about data ownership or where data should be stored. And the bill does not prevent other methods of data exchange or voluntary use of the standards and safeguards.
The bill also doesn't require data to travel via the government; create new powers for the government to collect or view customer data; require new data to be created about customers; or allow businesses to share your data without your consent.
We're currently consulting on the bill, which means members of the public can read it and provide us with their feedback. This is an opportunity for you and anyone else interested in the bill to have your say and influence it. If you're interested in having your say on the bill, we recommend you visit the MB consumer data right web page, where you can find more detailed information on the bill and how to submit. You'll also find a list of some of the things we're most interested in hearing about. At the end of this presentation we'll also leave you with a few different ways you can contact us.
Onto what happens next. We're aiming to introduce a bill to Parliament by the end of this year, and our timeline reflects this. Submissions close on the bill on the 24th of July. Please ensure you have provided any feedback you have prior to that date to give us an opportunity to consider it. If you're not sure where to start with your feedback, we encourage you to focus on the three areas showing on the screen right now. The three areas showing on the screen are: settings for ongoing consent (pages 24-25); Tiriti o Waitangi considerations (pages 21 and 34-35); and Ethical use of data (pages 37-40) .Those are the areas we're most interested in hearing from people about. After submissions close, our policy team will work to incorporate all the feedback we've heard. This will involve rewriting parts of the bill to make sure we've captured what people have been saying. Following this, we'll look to introduce the bill to Parliament. It normally takes about 12 months for a bill to work through the various stages of Parliament and we expect this to be the case with our one. There will be further opportunities to make changes and submissions during that 12 month process.
Thank you for taking the time to watch this video. If you'd like to make a formal submission on the bill, you can do so by visiting the consultation page on MBIE’s website. If you'd like to provide us with some quick opinions on how the bill should work, you can complete our five minute survey. If you want to learn more about the bill, you can visit the consumer data right page on MBIE’s website. There you'll find the bill, the discussion document and other important information to help you with your submission. And if you think of questions which you'd like answered, you can email us at email@example.com