Tell me in 30 seconds
New Zealand are in the process of developing a consumer data right (NZ CDR) regime. The recently released Customer and Product Data Bill confirms that the proposed NZ CDR Regime will be broadly similar to the Australian consumer data regime. Notably, it will be following the same approach as Australia in rolling out to the banking industry first. Practically, this likely means that organisations who operate in both Australia and NZ should be able to leverage learnings from the Australian CDR in the NZ context.
A NZ CDR?
New Zealand are in the process of developing a consumer data right (NZ CDR) regime. They are doing so for the same reasons as Australia: to support the development of new services that will create more choice and value for consumers acquiring services such as banking, electricity and telecommunications, thereby increasing competition and driving innovation.
What has happened so far?
In June 2021, the Office of the Minister of Commerce and Consumer Affairs (Minister) released a cabinet paper proposing the establishment of a NZ CDR similar to the Australian consumer data right (AU CDR): a high-level framework that would apply across the entire economy, that is turned on for particular sectors that are designated through secondary or tertiary legislation.
Following a cabinet paper released in mid-2022 that (amongst other policy principles) proposed the NZ CDR would be rolled out first in the bank sector, the NZ Ministry of Business Innovation and Employment (MBIE) has now released an exposure draft of the Customer and Product Data Bill (CDR Bill) and is currently seeking feedback on whether the proposed drafting is practically workable and achieves its policy intent.
What is the proposed NZ CDR?
The CDR Bill contemplates a framework where certain sectors will be designated, requiring businesses within those sectors to be data holders for specified CDR Data. Third parties who become accredited and registered (called ‘accredited requestors’) will be empowered to collect, use and disclose CDR Data on behalf of consumers to supply goods and services. The performance of these, and other actions relating CDR Data (named regulated data services) will be subject to stringent technical and performance requirements in regulations and standards. Regulated data services must also only be performed with the authorisation of the relevant consumer.
The framework also includes provisions that allow ‘outsourced providers’ to be contracted to perform duties or powers of data holders and accredited requestors, and further provisions governing record keeping by participants, complaints procedures, and privacy requirements. A publicly available register will detail the CDR participants.
How does the draft NZ CDR Bill compare to the AU CDR?
The NZ CDR has significant similarities with that of the AU CDR, but also some key differences, which are summarised in the following table. We note that the table is not exhaustive and subject to change, especially as the NZ CDR continues to be develop.
AU CDR
|
NZ CDR
|
Example
uses 2
|
|
Rollout
|
The CDR will be rolled out on a sector-by-sector basis to designated industries. |
The CDR will be rolled out on a sector-by-sector basis to designated industries. |
|
Designated sectors
|
The following sectors have been designated: Banking, Energy, Telecommunications and Non-bank lending. Other sectors that may be subject to designation including insurance. |
Banking has been announced as the first sector to be designated. Other sectors that may be subject to designation include insurance, other financial services, electricity and gas, health, telecommunications and loyalty schemes. |
|
Scope of CDR
|
The CDR was originally data sharing only. It is currently being expanded to include action initiation. |
The CDR will cover both data sharing and action initiation. |
|
CDR Data
|
Consumer Data and Product Data. The scope of these datasets is established in the relevant sector Designation Instrument and clarified in the CDR Rules. |
Customer Data and Product Data. The scope of these datasets will be established in designation regulations. |
|
Consent/Authorisation
|
Any requests for Consumer Data must be subject to express and informed consent from the consumer. |
Any requests for Consumer Data must be subject to express and informed consent from the consumer. |
|
Accreditation process
|
Third parties who wish to collect, use and disclose CDR data must be accredited. These are “accredited data recipients” |
Third parties who wish to participate must be accredited for read only access and/or action initiation. These are “accredited requestors”. |
|
Alternative participation methods
|
Third parties may participate via alternative means such as representative arrangements, sponsorship arrangements, CDR insights etc. |
No alternative methods in the CDR Bill. |
|
Outsourcing
|
Outsourced providers may be contracted to perform duties or utilise powers on behalf of data holders and accredited data holders/accredited requestors (as relevant). |
Outsourced providers may be contracted to perform duties or utilise powers on behalf of data holders and accredited data holders/accredited requestors (as relevant). |
|
Reciprocity
|
Accredited persons may be subject to reciprocal data holder obligations (ie they may be required to share particular CDR data in accordance with the obligations of a data holder) |
Not applicable |
|
Technical requirements
|
Detailed technical requirements include binding data standards promulgated on GitHub. |
Technical requirements will be provided in subsequent secondary legislation or regulations. |
|
Interaction with Privacy laws
|
Bespoke CDR Privacy Safeguards apply to personal information within the CDR Regime. Privacy Act 1988 (Cth) otherwise applies. |
Existing Privacy Act 2020 (NZ) protection will apply to personal information within the CDR Regime. |
|
Who will oversee and enforce the CDR
|
|
|
|
Enforcement
|
Tiered enforcement model, with the breaches of the Privacy Safeguards attracting penalties up to the greater of AUD$10 million or 3x times the value of the benefit or 10% of the adjusted turnover in the preceding 12-month period (if the benefit can’t be ascertained) |
Tiered enforcement model, with the most serious breaches attracting penalties of up to the greater of NZD $5million or 3x times the value of the commercial gain or 10% of the turnover in the period (if commercial gain can’t be ascertained) |
|
Next steps?
The public submission process for the CDR Bill will close on 24 July 2023. Feedback will be reviewed by MBIE and inform recommendations to the Minister of any changes required to the CDR Bill.
Across the second half of 2023, the New Zealand Government will go through a round of policy approvals and additional drafting, with the aim for the CDR Bill to be introduced into Parliament in late 2023, where it will go through the usual Parliamentary process for the passage of legislation. This will include a select committee process and further public submissions on the bill.
Engagement on regulations and designation will begin in parallel, though these can only be finalised once the bill has passed. It has already agreed that the banking sector will be the first sector to be assessed for designation, so it is time to look to the Australian experience and get ready for a similar journey in New Zealand.
King & Wood Mallesons has extensive experience advising clients on the CDR regime in Australia, supporting several major clients in CDR compliance, structuring their business to best take advantage of the CDR, and engaging OSPs and other contractors. Let us know how we can provide expertise to help you as you begin your CDR journey in New Zealand.