Customer and Product Data Bill (Consistent) (Sections 14, 25 (c)) [2024] NZBORARp 27 (4 April 2024)
Last Updated: 25 May 2024
4 April 2024
LEGAL ADVICE
LPA 01 01 24
Hon Judith Collins KC,
Attorney-General
Consistency with the New Zealand Bill of Rights Act 1990: Customer and Product Data Bill
Purpose
- We have considered whether the Customer and Product Data Bill (the Bill) is consistent with the rights and freedoms affirmed in the New Zealand Bill of Rights Act 1990 (the Bill of Rights Act).
- We have not yet received a final version of the Bill. This advice has been prepared in relation to the latest version of the Bill (PCO 23493/10.0). We will provide you with further advice if the final version includes amendments that affect the conclusions in this advice.
Summary
- The Bill establishes an economy-wide framework to enable greater access to, and sharing of, customer and product data between businesses. The intention is to give customers (including both individuals and entities) in designated sectors greater control over how their customer data is accessed and used, promote innovation and facilitate competition, and facilitate secure, standardised, and efficient data services.
- We have concluded that the Bill appears to be consistent with the rights and freedoms affirmed in the Bill of Rights Act. In reaching that conclusion, we have considered the consistency of the Bill with:
  - section 14 (freedom of expression); and
  - section 25(c) (the right to be presumed innocent until proven guilty).
- Our analysis is set out below.
The Bill
- Clause 3 of the Bill outlines the purpose of the Bill, which is to establish a framework to:
  - realise the value of certain data for the benefit of individuals, organisations and society;
  - promote competition and innovation for the long-term benefit of customers; and
  - facilitate secure, standardised, and efficient data services in certain sectors of the New Zealand economy.
- The regulatory scheme requires businesses that hold designated customer data[1] (data holders) to:
  - provide that data to the customer and, with the customer’s authorisation, to accredited third parties;
  - perform actions in response to electronic requests from customers and accredited third parties such as opening accounts, making payments, or changing customer plans; and
  - provide data about a data holder’s goods and services (product data) on request.
- The Bill also standardises certain safeguards, controls, standards and functionality in connection with data services.
- The Bill provides the Chief Executive of the Ministry of Business, Innovation, and Employment (chief executive) with a range of compliance and enforcement powers backed up by an offence and civil penalty regime. The Privacy Commissioner will continue to have investigation, guidance, enforcement, and redress powers over obligations set out in the Privacy Act 2020.
- The scheme will apply to markets, industries and sectors designated by the Minister of Commerce and Consumer Affairs, taking a staggered approach to implementation. The first sector to which the Bill will apply is the banking sector.
Consistency of the Bill with the Bill of Rights Act
Section 14 – Freedom of expression
- Section 14 of the Bill of Rights Act affirms the right to freedom of expression, including the freedom to seek, receive, and impart information and opinions of any kind in any form. The right to freedom of expression has also been interpreted as including the right not to be compelled to say certain things or to provide certain information.[2]
- There are a number of provisions in the Bill which prima facie engage the right to freedom of expression. Some of these provisions are prescriptive, describing in detail who is required to give certain information, while others set out more generic requirements that may be included in any regulations. We note for completeness that any regulations must be consistent with the Bill of Rights Act, otherwise there is a risk that they will be ultra vires (go beyond the authority of the primary legislation).
- There are several clauses that require individuals or businesses to provide information. For example, clause 15 requires a data holder to provide customer data to an accredited requestor if the customer’s authorisation is confirmed. Clause 54 enables the chief executive to serve a written notice on any person requiring them to provide any information necessary or desirable to perform their functions and duties under the Act.[3] Clause 119 requires data holders to provide information to the chief executive including the data holder’s New Zealand Business Number, address for service and any other information required to be included in the register by regulations.

[1] Clause 8(3) provides that Designated customer data, in relation to a data holder and a provision of this Act, means customer data—
(a) that is specified, or belongs to a class specified, in the data holder’s designation regulations for the purposes of that provision; and
(b) that is held by (or on behalf of) the data holder on or after the day specified in, or determined in accordance with, the designation regulations.
[2] See, for example, Slaight Communications v Davidson 59 DLR (4th) 416; Wooley v Maynard [1977] USSC 59; 430 US 705 (1977).
- Other clauses require data holders to keep records and publish reports, policies and other documents. For example, clause 47 requires data holders and accredited requestors to develop and publish policies relating to customer data, product data and performance of actions. Clause 112 requires data holders to give an annual report to the chief executive setting out a summary of any complaints made about its conduct in connection with regulated data services and any other information prescribed in regulations.
- A limit on a right may nonetheless be consistent with the Bill of Rights Act if the limit is justified under s 5 of that Act. The s 5 inquiry asks:
  - does the provision serve an objective sufficiently important to justify some limitation of the right or freedom?
  - if so, then:
    - is the limit rationally connected with the objective?
    - does the limit impair the right or freedom no more than is reasonably necessary for sufficient achievement of the objective?
    - is the limit in due proportion to the importance of the objective?[4]
- We consider that any limits on the freedom of expression contained within the Bill are justified under s 5 of the Bill of Rights Act because:
  - The overall objective of the Bill, which is to enable greater access to, and sharing of, customer and product data, is sufficiently important to justify some limit on s 14. The objective of many of these provisions is to give customers greater control over their data and to ensure compliance with the regulatory regime. For example, they require the provision of customer data and product data to customers (and others) and enable the regulator to monitor and enforce the implementation of the framework.
  - The requirements to provide certain information in specific circumstances are rationally connected to this objective. Ensuring that relevant information is provided in the prescribed manner is fundamental for achieving the Bill’s regulatory objectives.
  - The requirements in the Bill limit freedom of expression no more than reasonably necessary for the regime to operate efficiently and are proportionate to the importance of the Bill’s objectives. Many of these provisions involve factual information that contains limited expressive value.
- Accordingly, any limits to s 14 are justified under s 5 of the Bill of Rights Act.

[3] Clause 54 could also be considered a search power under s 21 of the Bill of Rights Act. If this were to be the case we would consider it to constitute a reasonable search.
[4] Hansen v R [2007] NZSC 7, [2007] 3 NZLR 1.
Section 25(c) – Right to be presumed innocent until proven guilty
- Section 25(c) of the Bill of Rights Act affirms the right of everyone charged with an offence to be presumed innocent until proven guilty according to law. The right to be presumed innocent requires the Crown to prove an accused person’s guilt beyond reasonable doubt.
- Strict liability offences prima facie limit s 25(c) of the Bill of Rights Act. This is because a strict liability offence may be proved by a finding that certain facts occurred without proof of mens rea. The accused is required to prove a defence (on the balance of probabilities), or disprove a presumption, to avoid liability. This means that, where the accused is unable to prove a defence, they could be convicted even where reasonable doubt about their guilt exists.
- Strict liability offences may nevertheless be justifiable limits on rights under s 5 of the Bill of Rights Act. They have been found to be more likely to be justifiable where:
  - the offences are regulatory in nature and apply to persons participating in a highly regulated industry;
  - the defendant will be in the best position to justify their apparent failure to comply with the law, rather than requiring the Crown to prove the opposite; and
  - the penalty for the offence is proportionate to the importance of the Bill’s objective.
- The Bill contains strict liability offences for contravention of provisions under the Bill which give rise to a prima facie issue of inconsistency with s 25(c). For example, clause 30(1)(a) creates an offence of refusing or failing without reasonable excuse to comply with a notice under clause 29. Another example is clause 58(1)(a) which creates an offence of refusing or failing without reasonable excuse to comply with a notice under clause 54.
- We have concluded that the strict liability offences are justified for the following reasons:
  - the offences serve the important objective of promoting compliance with the Bill in order to give customers greater control over their data, enable innovation and facilitate competition.
  - we consider that the fines are reasonable, likely to be commensurate with the entities’ or individuals’ ability to pay and necessary to ensure compliance with the Bill. The maximum penalty for a strict liability offence generally is $100,000 for individuals, and $300,000 in any other case. Clause 137 has a maximum fine of $200,000 for individuals and $600,000 for body corporates.
  - the court maintains the discretion to impose a lesser penalty.
  - common law defences of absence of fault will still be available to the defendant. The defendant will be best placed to demonstrate that they had reasonable excuse or that there was a total absence of fault.
- The Bill also contains infringement offences resulting in the requirement to pay an infringement fee or fine.[5] The infringement fee is set at $20,000 and a fine imposed by a court cannot exceed $50,000.
- The context for these strict liability and infringement offences is within a regulated environment designed to enable greater access to, and sharing of, customer and product data. They apply to businesses engaged within that regulated environment. Fines are also set at a level that accounts for no-fault-based offences while acknowledging that the cost of non-compliance must not be lower than the cost of compliance. Bearing all these factors in mind, these offences appear to be justifiable limits to the right to be presumed innocent.
Conclusion
- We have concluded that the Bill appears to be consistent with the rights and freedoms affirmed in the Bill of Rights Act.
Jeff Orr
Chief Legal Counsel
Office of Legal Counsel

[5] See for example clauses 35, 45, 46, 48 and 114.
URL: http://www.nzlii.org/nz/other/NZBORARp/2024/27.html