Recap – what is the Consumer Data Right?
The CDR is intended to provide greater access to, and sharing of, consumer and product data between businesses.
In summary, the bill provides for a trusted third party or “accredited requestors” (such as fintechs) to submit requests on behalf of consenting customers to receive data about those customers from relevant “data holders” in designated sectors (such as banks and electricity companies). Data holders would be obliged under the CDR regime to comply with those requests and disclose the customer’s data to the accredited requestor.
For example, an individual could authorise a budget service provider accredited under the CDR to obtain access to their banking transaction data from their bank. The bank would be obliged to disclose that information to the budget service provider under the CDR regime.
The bill sets out a framework for the CDR to be applied to one sector at a time (each “designated sector” will be set out in secondary legislation). The Government has indicated that banking and electricity are likely to be the first sectors designated, and late last year MBIE consulted on the details of those designations.
What are the proposed changes?
On 23 December 2024, the Economic Development, Science and Innovation Committee (Committee) presented its final report on the bill. The report follows a consultation in August last year (see our previous article here). To summarise some of the key recent recommendations of the Committee:
“Good faith” defence for data holders
Many submissions on the bill had noted that it did not address scenarios where data holders may become inadvertently exposed to liability where they provide customer data to an unauthorised recipient purporting to be a customer or accredited requestor (for example, if an accredited requestor is hacked and requests customer data). The Committee has recommended the addition of a new defence for data holders to claims under the CDR provided they can prove that they provided data in compliance with the CDR in good faith, took reasonable precautions, and exercised due diligence to avoid a contravention of the CDR.
The proposed "good faith" defence for data holders, if retained in the final framework, may provide a vital safety net for data holders, mitigating the risk of liability where they can demonstrate compliance, reasonable precautions, and due diligence. For New Zealand businesses in any sector likely to be designated, this underscores the importance of implementing robust data governance frameworks, ensuring staff are trained on CDR obligations, and maintaining detailed records of compliance efforts. Early preparation will be critical to relying on this defence effectively while minimising operational disruption.
Additional requirements for accredited requestors
The Committee has proposed several important amendments to strengthen the accreditation requirements for requestors under the CDR. These changes aim to ensure that only trustworthy and capable entities are granted the ability to request and manage sensitive customer data through the CDR framework. In particular, accredited requestors will be required to:
- maintain “adequate security safeguards” in relation to data provided under the CDR;
- demonstrate that their directors and senior managers are of “good character”; and
- demonstrate compliance credentials by showing that they can comply with the CDR’s provisions and are unlikely to contravene its requirements.
These proposed amendments raise the bar for accreditation and signal the importance of responsible data stewardship by fintechs and other accredited requestors.
Businesses considering accreditation should begin evaluating their leadership standards, security practices, and compliance readiness to prepare for these requirements.
Privacy remedies clarified
One of the themes emerging from submissions was the concerning overlap between the CDR and the Privacy Act 2020, both of which relate in part to the protection and transfer of personal information. To avoid duplicative claims and ensure consistency, the Committee has helpfully recommended that remedies for interferences with privacy be confined to those outlined in the Privacy Act. A new clause will prevent courts and tribunals from making compensatory orders for such interferences, which effectively means that privacy claims in connection with CDR conduct and activities will require resolution through the established procedures and remedies under the Privacy Act. This amendment should help to simplify the legal landscape for privacy claims and remedies.
The focus on privacy serves as a reminder for businesses to review their data practices and privacy compliance ahead of the introduction of the CDR regime. For some businesses this will be an opportune time to undertake or refresh a privacy legal “health check”.
Additional safeguards for refusing requests
The Committee has recommended several refinements to the circumstances in which data holders and accredited requestors can refuse requests under the CDR.
In particular, the Committee has recommended new provisions enabling data holders to reject requests if they reasonably believe the accredited requestor has not met their obligations. Additionally, there are new provisions permitting refusal if the request stems from deception or could result in financial harm.
Originally, the bill had imposed a duty on data holders to refuse requests made under the threat of physical or mental harm. However, the Committee noted that accredited requestors are often better positioned to identify and prevent such threats. To address this, a new clause proposes a shared duty of care, prohibiting requestors from accepting authorisations or acting on customer instructions given under the threat of physical or mental harm.
Other simplifications
The Committee’s recommendations include a number of other measures likely to simplify obligations for data holders. In particular:
- An original requirement to maintain records of any previous authorisations given by or on behalf of a customer was considered excessive – instead it will be sufficient for data holders and accredited requestors to keep a single record of each authorisation and, for each request, identify the relevant authorisation under which it was made.
- The bill originally required data holders and accredited requestors to develop policies relating to customer data, product data and actions performed under the CDR framework. To avoid creating unnecessary compliance costs, the Committee has recommended removing this requirement.
- The bill originally required data holders and accredited requestors to provide an annual report to MBIE which would include a summary of complaints relating to the CDR. The Committee has recommended removing this requirement (noting that complaints could be directed to a sector-wide dispute resolution scheme where applicable).
Timing
The bill is expected to pass into law early this year, alongside a Government decision on whether the banking and electricity sectors will be designated and on what terms. That designation is then expected to take effect in December 2025 (for the banking sector, in respect of the major banks). If the electricity sector is also designated, regulations and standards are expected to be implemented during 2026.
As noted above, MBIE has recently consulted on proposals for the relevant designation regulations (submissions closed on 10 October 2024) and participants in those sectors should pay close attention to the outcome of that consultation when published early this year.
For the major banks (ANZ, ASB, BNZ, Westpac and Kiwibank), implementation of the CDR will be focused on dovetailing with the industry-led approach to Open Banking through the API Centre’s Standardised APIs (for payment initiation and account information) and the Minimum Open Banking Implementation Plan. For further details of those initiatives see the API Centre’s progress updates (here).
Next steps
Overall, the changes to the bill are likely to be positively received by data holders. At the same time, the CDR is likely to have a material influence on the data landscape in New Zealand.
For all businesses involved in collecting or using customer data, it will be important to start preparing for compliance with the CDR regime, including engaging with sector-specific obligations introduced under regulations. Proactively addressing these changes this year will position businesses to navigate this significant regulatory shift smoothly and to leverage the opportunities created by the new regime.
Bell Gully’s Consumer, Regulatory and Compliance (CRC) Team has been closely monitoring the development of the Consumer Data Right. If you have any questions about the matters raised in this article, please get in touch with the contacts listed or your usual Bell Gully adviser.