Customer and Product Data Bill – Select Committee reports back

On 23 December last year – while most of us were frantically shopping and trying to avoid hearing Mariah Carey – the Economic Development, Science and Innovation Committee managed to release its report on the CPD Bill.

The Committee’s recommendations are relatively limited in scope, and the core aspects of the Bill remain firmly intact. However, there are some important proposed changes:

‍Derived Data. The Committee has recommended excluding any reference to “derived data” from the Bill. Derived data is data that is wholly or partly derived from designated customer data, and the Bill had initially provided for requirements for the use, modification or disclosure of derived data (as well as customer data) by data requesters to be included in regulations. Similar provisions in the Australian Consumer Data Right have proved difficult to implement and detracted from uptake, so many will see this recommendation as a big win. Interestingly, the Committee considered that the protections already provided by the Privacy Act meant that these provisions were unnecessary. This shows a desire to avoid creating a ‘two-tier’ system, where CPD data is subject to a layer of more onerous obligations under the legislation.

‍New Defence for Data Holders. The Committee has recommended adding a new defence for data holders for claims against them based on the data holder providing data to another person. This provides that it is a defence if the data holder proves they, in compliance or purported compliance with the Bill, provided data in good faith and (in certain circumstances) they took reasonable precautions and exercised due diligence. This was added to address possible scenarios where, by complying with their obligations in the Bill, data holders become inadvertently exposed to liability (e.g. where an accredited requestor is hacked and requests customer data).

‍Approved Standards Bodies. The Committee has recommended that MBIE should be able to approve one or more outside organisations to have a principal role in developing standards and supporting services for the CPD regime on MBIE’s behalf. The key beneficiary of these provisions is likely to be the Payments NZ ‘API Centre’, which is currently managing New Zealand’s industry-led open banking programme (although it will likely need some changes to its governance structure given that Payments NZ is bank-owned). Notably, the Committee has also proposed that levies collected from data holders and recipients under the Act could be used to fund any such standards body.

‍Accreditation Criteria. The initial Bill left the criteria for accreditation of data requestors to be determined by regulation. The Committee has recommended that some core high-level criteria should be entrenched in the primary legislation itself. They are: (1) the directors and senior managers are of “good character”, (2) the entity has “adequate security safeguards” in relation to the data they receive, and (3)the entity is capable of effectively complying with its obligations under the Act and there is no reason to believe they are likely to contravene them.

‍Simplifying the Regime. There are also a range of recommendations aimed at removing complexity and compliance cost from the regime – including removing various policy, reporting and record keeping obligations on data holders and requesters. The Committee has also proposed removing a provision of the Bill which prevented data holders and requesters from imposing penalties or enforcing rights against customers if they had contravened a duty under the Act.

The scope and substance of the Committee’s recommendations reflect the submissions and advice received during the Select Committee process. They are generally aimed at improving the workability of the regime in some key areas, while acknowledging the legislation as a whole is in good shape.

We can expect smooth progress of the Bill through the remainder of the Parliamentary process – and a lot of work to be done this year in drafting the regulations and standards required to activate the CPD regime by the ambitious deadline of December 2025.

You can find our Deep Dive guide to the Bill here – we’ll be continuing our updates throughout 2025.

‍