Home | Databases | WorldLII | Search | Feedback New Zealand Bill of Rights Act Reports

Customer and Product Data Bill (Consistent) (Sections 14, 25 (c)) [2024] NZBORARp 27 (4 April 2024)

Last Updated: 25 May 2024

4 April 2024

LEGAL ADVICE

LPA 01 01 24

Hon Judith Collins KC, Attorney-General

Consistency with the New Zealand Bill of Rights Act 1990: Customer and Product Data Bill

Purpose

1. We have considered whether the Customer and Product Data Bill (the Bill) is consistent with the rights and freedoms affirmed in the New Zealand Bill of Rights Act 1990 (the Bill of Rights Act).
2. We have not yet received a final version of the Bill. This advice has been prepared in relation to the latest version of the Bill (PCO 23493/10.0). We will provide you with further advice if the final version includes amendments that affect the conclusions in this advice.

Summary

3. The Bill establishes an economy-wide framework to enable greater access to, and sharing of, customer and product data between businesses. The intention is to give customers (including both individuals and entities) in designated sectors greater control over how their customer data is accessed and used, promote innovation and facilitate competition, and facilitate secure, standardised, and efficient data services.
4. We have concluded that the Bill appears to be consistent with the rights and freedoms affirmed in the Bill of Rights Act. In reaching that conclusion, we have considered the consistency of the Bill with:
   1. section 14 (freedom of expression); and
   2. section 25(c) (the right to be presumed innocent until proven guilty).
5. Our analysis is set out below.

The Bill

6. Clause 3 of the Bill outlines the purpose of the Bill, which is to establish a framework to:
   1. realise the value of certain data for the benefit of individuals, organisations and society;
   2. promote competition and innovation for the long-term benefit of customers; and
   100. facilitate secure, standardised, and efficient data services in certain sectors of the New Zealand economy.

7. The regulatory scheme requires businesses that hold designated customer data1 (data holders) to:
   1. provide that data to the customer and, with the customer’s authorisation, to accredited third parties;
   2. perform actions in response to electronic requests from customers and accredited third parties such as opening accounts, making payments, or changing customer plans; and
   100. provide data about a data holder’s goods and services (product data) on request.
8. The Bill also standardises certain safeguards, controls, standards and functionality in connection with data services.
9. The Bill provides the Chief Executive of the Ministry of Business, Innovation, and Employment (chief executive) with a range of compliance and enforcement powers backed up by an offence and civil penalty regime. The Privacy Commissioner will continue to have investigation, guidance, enforcement, and redress powers over obligations set out in the Privacy Act 2020.
10. The scheme will apply to markets, industries and sectors designated by the Minister of Commerce and Consumer Affairs, taking a staggered approach to implementation. The first sector to which the Bill will apply is the banking sector.

Consistency of the Bill with the Bill of Rights Act

Section 14 – Freedom of expression

11. Section 14 of the Bill of Rights Act affirms the right to freedom of expression, including the freedom to seek, receive, and impart information and opinions of any kind in any form. The right to freedom of expression has also been interpreted as including the right not to be compelled to say certain things or to provide certain information.2
12. There are a number of provisions in the Bill which prima facie engage the right to freedom of expression. Some of these provisions are prescriptive, describing in detail who is required to give certain information, while others set out more generic requirements that may be included in any regulations. We note for completeness that any regulations must be consistent with the Bill of Rights Act, otherwise there is a risk that they will be ultra vires (go beyond the authority of the primary legislation).
13. There are several clauses that require individuals or businesses to provide information. For example, clause 15 requires a data holder to provide customer data to an accredited
    

1 Clause 8(3) provides that Designated customer data, in relation to a data holder and a provision of this Act, means customer data—

(a) that is specified, or belongs to a class specified, in the data holder’s designation regulations for the purposes of that provision; and

(b) that is held by (or on behalf of) the data holder on or after the day specified in, or determined in accordance with, the designation regulations.

2 See, for example, Slaight Communications v Davidson 59 DLR (4th) 416; Wooley v Maynard [1977] USSC 59; 430 US 705 (1977).

requestor if the customer’s authorisation is confirmed. Clause 54 enables the chief executive to serve a written notice on any person requiring them to provide any information necessary or desirable to perform their functions and duties under the Act.3 Clause 119 requires data holders to provide information to the chief executive including the data holder’s New Zealand Business Number, address for service and any other information required to be included in the register by regulations.

14. Other clauses require data holders to keep records and publish reports, policies and other documents. For example, clause 47 requires data holders and accredited requestors to develop and publish policies relating to customer data, product data and performance of actions. Clause 112 requires data holders to give an annual report to the chief executive setting out a summary of any complaints made about its conduct in connection with regulated data services and any other information prescribed in regulations.
15. A limit on a right may nonetheless be consistent with the Bill of Rights Act if the limit is justified under s 5 of that Act. The s 5 inquiry asks:
    1. does the provision serve an objective sufficiently important to justify some limitation of the right or freedom?
    2. if so, then:
       1. is the limit rationally connected with the objective?
    2. does the limit impair the right or freedom no more than is reasonably necessary for sufficient achievement of the objective?

3. is the limit in due proportion to the importance of the objective?4

16. We consider that any limits on the freedom of expression contained within the Bill are justified under s 5 of the Bill of Rights Act because:
    1. The overall objective of the Bill, which is to enable greater access to, and sharing of, customer and product data, is sufficiently important to justify some limit on s

14. The objective of many of these provisions is to give customers greater control over their data and to ensure compliance with the regulatory regime. For example, they require the provision of customer data and product data to customers (and others) and enable the regulator to monitor and enforce the implementation of the framework.

2. The requirements to provide certain information in specific circumstances are rationally connected to this objective. Ensuring that relevant information is provided in the prescribed manner is fundamental for achieving the Bill’s regulatory objectives.

100. The requirements in the Bill limit freedom of expression no more than reasonably necessary for the regime to operate efficiently and are proportionate to the
     

3 Clause 54 could also be considered a search power under s 21 of the Bill of Rights Act. If this were to be the case we would consider it to constitute a reasonable search.

4 Hansen v R [2007] NZSC 7, [2007] 3 NZLR 1.

importance of the Bill’s objectives. Many of these provisions involve factual information that contains limited expressive value.

17. Accordingly, any limits to s 14 are justified under s 5 of the Bill of Rights Act.

Section 25(c) – Right to be presumed innocent until proven guilty

18. Section 25(c) of the Bill of Rights Act affirms the right of everyone charged with an offence to be presumed innocent until proven guilty according to law. The right to be presumed innocent requires the Crown to prove an accused person’s guilt beyond reasonable doubt.
19. Strict liability offences prima facie limit s 25(c) of the Bill of Rights Act. This is because a strict liability offence may be proved by a finding that certain facts occurred without proof of mens rea. The accused is required to prove a defence (on the balance of probabilities), or disprove a presumption, to avoid liability. This means that, where the accused is unable to prove a defence, they could be convicted even where reasonable doubt about their guilt exists.
20. Strict liability offences may nevertheless be justifiable limits on rights under s 5 of the Bill of Rights Act. They have been found to be more likely to be justifiable where:
    1. the offences are regulatory in nature and apply to persons participating in a highly regulated industry;
    2. the defendant will be in the best position to justify their apparent failure to comply with the law, rather than requiring the Crown to prove the opposite; and

100. the penalty for the offence is proportionate to the importance of the Bill’s objective.
     21. The Bill contains strict liability offences for contravention of provisions under the Bill which give rise to a prima facie issue of inconsistency with s 25(c). For example, clause 30(1)(a) creates an offence of refusing or failing without reasonable excuse to comply with a notice under clause 29. Another example is clause 58(1)(a) which creates an offence of refusing or failing without reasonable excuse to comply with a notice under clause 54.

22. We have concluded that the strict liability offences are justified for the following reasons:
    1. the offences serve the important objective of promoting compliance with the Bill in order to give customers greater control over their data, enable innovation and facilitate competition.
    2. we consider that the fines are reasonable, likely to be commensurate with the entities’ or individuals’ ability to pay and necessary to ensure compliance with the Bill. The maximum penalty for a strict liability offence generally is $100,000 for individuals, and $300,000 in any other case. Clause 137 has a maximum fine of

$200,000 for individuals and $600,000 for body corporates.

100. the court maintains the discretion to impose a lesser penalty.

4. common law defences of absence of fault will still be available to the defendant. The defendant will be best placed to demonstrate that they had reasonable excuse or that there was a total absence of fault.

23. The Bill also contains infringement offences resulting in the requirement to pay an infringement fee or fine.5 The infringement fee is set at $20,000 and a fine imposed by a court cannot exceed $50,000.
24. The context for these strict liability and infringement offences is within a regulated environment designed to enable greater access to, and sharing of, customer and product data. They apply to businesses engaged within that regulated environment. Fines are also set at a level that accounts for no-fault-based offences while acknowledging that the cost of non-compliance must not be lower than the cost of compliance. Bearing all these factors in mind, these offences appear to be justifiable limits to the right to be presumed innocent.

Conclusion

25. We have concluded that the Bill appears to be consistent with the rights and freedoms affirmed in the Bill of Rights Act.
    

Jeff Orr

Chief Legal Counsel Office of Legal Counsel

5 See for example clauses 35, 45, 46, 48 and 114.