The problem area is s32, which inserts two new clauses into the Commerce Act to allow the Commerce Commission to share information with other government agencies. But new s99AA(2)(b) says they can only do so when "appropriate protections are or will be in place for the purpose of maintaining the confidentiality of anything provided (in particular, information that is personal information within the meaning of the Privacy Act 2020)", while new section 99AB allows them to impose conditions on the receiving agency requiring confidentiality and restricting access.
On the face of it, this is good: public agencies sharing private or confidential information with each other should of course ensure it is properly protected. The problem is the interface with the Official Information Act. Such confidentiality agreements may allow the government to withhold information under s9(2)(ba)(ii) of the OIA, essentially because of a contract it has made with itself, while in theory the Commerce Commission could impose a "no release" requirement and then argue that (because they are enabled by statute) release would be "contrary to an enactment".
This does not seem to be the policy intent. The departmental disclosure statement and regulatory impact statement talk mainly about privacy and lack of explicit legal power, insofar as they mention this section at all (though the RIS foes highlight "information of a confidential nature" which needs to be protected). The obvious answer is to insert a specific clause saying "this section does not limit the Official Information Act", to ensure that the public's right to access public information is not affected.