A step closer to a Consumer Data Right – updated bill introduced

27 May 2024

The highly anticipated Customer and Product Data Bill has been introduced to Parliament. The bill is intended to create a “Consumer Data Right” (CDR) in New Zealand, which will grant new rights for consumers to control the transfer and use of their data.

The general structure of the bill remains largely unchanged from the exposure draft issued in 2023, which is described in our separate summary.

To summarise the key features of the framework:

  • The CDR will allow consumer and small business customers to require entities holding their data (“data holders”) to share that information with certain third-party service providers (“requestors”), such as product comparison websites. Customers can also require that data holders carry out certain “designated actions”, for example initiating payments on the customer’s behalf.
  • The bill applies to information about customers, such as their account information, and also to “product data”, i.e., information about the goods or services offered by the data holder.
  • To enable the sharing of data under the regime, data holders within a designated sector will be required to make data available in a standardised, machine-readable format via application programming interfaces (APIs). Data holders will be required to follow various technical standards specified in regulations. Requestors will need to be formally accredited and will be required to meet various criteria for the purposes of accreditation, including detailed security requirements.
  • The first designated sector will be the banking sector, but the regime will also be extended in due course to other sectors, likely to include telecommunications, energy, insurance, and health.

The bill gives various examples of how the CDR might work in practice, including:

  • A customer may authorise their electricity provider (a data holder) to provide details of their electricity usage to a company that makes recommendations about electricity deals in the market.
  • Banks may be required to treat home loan interest rates as a class of “product data” and to treat borrowers’ transaction histories as a category of “customer data.”
  • The standards, to be set out in regulations, could include requirements for the manner in which data is provided and received (for example, a requirement to use an API).

Summary of key changes

Despite the overall consistency with the exposure draft of the bill, there have been a number of updates to important aspects of the bill. To summarise some of the key changes:

  • Commercial information
    The bill includes new restrictions on the types of product data that can be required to be shared. Importantly, data holders will not be required to share product data that is not “ordinarily publicly available”. MBIE has explained that this change responds to concerns by data holders about the lack of limits on the range of information that may be required to be disclosed, such as commercially sensitive data or data that has been enhanced by proprietary analysis.
  • Declining requests
    In response to submissions by data holders, the updated bill now adds some specific circumstances where data holders may decline requests. Helpfully, the exceptions include where the data holder reasonably believes that disclosure of the data would be likely to have a materially adverse effect on the security, integrity, or stability of the data holder’s information and communication technology systems. Data holders will also be able to refuse requests where they reasonably believe that a request is made under the threat of physical or mental harm.
  • Development of standards
    Ordinarily, the introduction of standards for data holders will require consultation with parties substantially affected by the standards. The updated bill now includes an exception to the requirement for consultation where the Minister believes that amendments to existing standards are urgent, or are minor and technical in nature. 
  • Privacy
    The updated bill now deals more directly with privacy matters, and clarifies that data requests under the bill are not to be treated as access requests under the Privacy Act 2020. However, the bill also provides that if a data holder breaches certain requirements, they will be treated as having committed an “interference” under the Privacy Act, which can give rise to damages awards. In addition, contraventions relating to storage and security may be treated as breaching security obligations under the Privacy Act.
  • Enforcement and dispute resolution
    The bill has also been updated to set out the penalties for breach. In summary, they range from low-level infringement notices of up to NZ$20,000 for certain minor breaches, through to significant fines of up to NZ$2.5 million for failing to verify customers before providing data in response to a request.
    The updated bill also extends the category of claimants who can recover compensation for a contravention. This will include not only customers but other data holders or accredited requestors who have suffered loss as a result of a contravention. A helpful example in the bill illustrates that if a requestor’s contravention causes a customer to suffer loss, and a data holder is required to compensate the customer under a separate industry code, the data holder can obtain compensation from the requestor.
    Separately, the updated bill clarifies that data holders or accredited requestors must be members of a dispute resolution scheme (such as the approved financial dispute resolution schemes or the Utilities Disputes Energy Complaints Scheme) if one is prescribed for that particular class of data holder or accredited requestor.
  • Removing outsourced providers
    The exposure draft of the bill had referred to “outsourced providers” and rights for accredited requestors or data holders to contract out the performance of a duty or power they hold under the regime. This concept has been removed from the updated bill. MBIE has clarified that outsourcing will be governed by “general legal principles” rather than under specific statutory provisions.

Implications and next steps

The proposed framework has significant implications for a range of industries, potentially increasing customer mobility between service providers and imposing new technical requirements for managing and storing customer data.

All businesses, particularly those in sectors most likely to be designated (e.g. banking, telecommunications, energy and insurance), should consider the bill carefully and reflect on how they can best engage with the consultation process in due course.

In particular, it will be important for data holders to ensure that the CDR framework takes account of existing initiatives already underway. For example, in the banking and payments sector, the Payments New Zealand API Centre has been developing technical standards for the exchange of payments and transaction information.

Positively, the explanatory note to the bill confirms that it: “should not prevent industry-led options from being progressed in parallel to regulatory intervention and where possible, should seek to leverage that work, for example by making use of existing industry standards, technologies, and expertise.” This is a helpful signal that ongoing industry measures should form the basis for standards in due course. Early preparation for the submission process should help data holders to build on that early signal and ensure the final form of the legislation appropriately reflects industry-specific requirements.

Bell Gully’s Consumer, Regulatory and Compliance (CRC) Team has been closely monitoring the development of the Consumer Data Right. If you would like further details on the bill, or assistance in preparing for the submission process later this year, please get in touch with the authors or your usual Bell Gully adviser.
