The bill passed its third reading last week and was welcomed by the Minister of Commerce and Consumer Affairs as “a monumental step” that would grant New Zealanders “greater ownership of their data, and more power and ease when it comes to shopping around for the best deal on utilities and other essential services.” The Minister envisaged that the CDR will “support innovation and competition across key sectors, encouraging businesses to offer new products and services using that data they already hold”.
The CDR will apply progressively to various designated sectors. The first sector (banking) will be required to comply with the CDR, and various regulations and standards to be issued under the Act, by 1 December 2025. Given the Government’s stated intent to roll out the CDR quickly, designated “data holders” and third party “accredited requestors” should ensure they are familiar with the Act in order to maximise the opportunities and reduce the risks arising from the new regime.
What is the Consumer Data Right?
The key effect of the Act is to introduce the key overarching principles that will govern the CDR. The application of the CDR in specific sectors will be governed by regulations and technical standards.
To summarise how the CDR will work in practice:
- The CDR allows consenting customers to authorise accredited third-party service providers (“accredited requestors”) to request data or initiate certain actions on their behalf from “data holders,” such as banks.
- Under the CDR regime, data holders will be required to comply with these requests and disclose customer data to the accredited requestors (or take requested actions where within the scope of the CDR regime).
- To ensure the appropriate protection of customer data, only certain entities will be able to act as accredited requestors. To obtain accreditation, requestors must meet certain requirements specified under regulations including security requirements to demonstrate their suitability for handling potentially large volumes of customer data.
As noted above, the CDR will begin initially with banking. The electricity sector is likely to be the second designated industry, with other sectors such as telecommunications and insurance to follow in due course.
You can read more about the CDR in our previous update here, which notes various changes recommended by the Select Committee. The bill was enacted largely without amendment from the version returned by the Select Committee, although there were some minor edits introduced via an Amendment Paper in early March, which were approved during the third reading. To summarise the key changes:
- Accredited requestors (who are required to obtain customer authorisations when requesting regulated data services) will not be liable for breaching that requirement where a customer has ended an authorisation if “the accredited requestor did not know, and could not reasonably be expected to know, that the authorisation had ended.” It is unclear how this sits alongside data holders’ obligations to confirm that services are within the scope of authorisations given by customers, and whether they have a similar protection where they could not reasonably be expected to know that an authorisation had expired. It may be that this is an issue for data holders to seek to resolve via the designation regulations.
- MBIE has a broad new power “to provide services to promote the purpose of the Act.” The explanatory note explains that this could include making systems available to issue or hold digital certificates of data holders and accredited requestors, or facilities for accredited requestors to test their systems before connecting to data holders.
- There is a new option to designate persons as data holders if they opt in (with details to be specified in regulations). This could cover, for example, other registered banks who choose to participate in the CDR (outside the major banks subject to the initial designation).
Next steps
Following the enactment of the Act, it is anticipated that the four major banks will be designated as data holders in regulations by 1 December 2025, with Kiwibank to follow in June 2026. Given the tight timings, it will be important for the regulations and technical standards to be drafted closely in line with existing industry practices developed voluntarily by the banking industry under the API Centre standards (as has already been proposed by MBIE). Even with close alignment on the standards, the banks' preparations for the new CDR within the intended timeframe (alongside a wide number of other regulatory changes and related operational demands) will not be straightforward.
In addition, assuming the initial proposal to designate the electricity sector progresses, that would likely take effect in 2026. Electricity sector participants should consider the Act carefully in advance and ensure they are prepared to engage in any consultation on the regulations and technical standards in due course.
As for businesses looking to become “accredited requestors” under the CDR, the key focus will be on familiarising themselves with the new Act and the anticipated requirements for any application to MBIE. While this process is still to be confirmed in regulations, we expect – at minimum – this will require businesses to show they can:
- maintain appropriate security safeguards in relation to the data provided (including, potentially, certain specified industry standards);
- demonstrate that their directors and senior management are “fit and proper persons” (aligned with similar tests in other legislation); and
- generally, demonstrate compliance capabilities and credentials in relation to data security.
The introduction of the CDR marks a significant shift in how customer data will be accessed and shared in New Zealand. While it offers the potential for increased innovation and improved insights for consumers, implementing the regime will require substantial effort from both industry and regulators to establish an effective framework. As with any wholly new legislative framework (but particularly in this context given the significance and value of customer data), prospective data holders and accredited requestors will undoubtedly face a number of operational challenges and untested legal questions as they get to grips with the many details of the new Act.
Bell Gully’s Consumer, Regulatory and Compliance (CRC) Team has been closely monitoring the development of the Consumer Data Right since the first proposals in 2021 and is well placed to advise on how the new regime will impact your business in practice. Please get in touch with the authors or your usual Bell Gully adviser if you would like to discuss further.