The primary effect of the bill is the creation of a “Consumer Data Right” (CDR) in New Zealand, which will grant new rights for consumers to control the transfer and use of their data. The bill has been described by the Government as promising a “transformative effect on competition” and has significant implications for many consumer-facing industries.
Overview of the bill and the CDR framework
Our previous update (here) summarises the key features of the CDR framework and some of the key changes to the bill since the exposure draft was first issued in 2023. In brief summary:
- The bill imposes various duties on businesses within designated industries that hold customer data and certain categories of product data (“data holders”). In particular, data holders will be required to provide customer data to customers and, at the customer’s request, to certain approved third parties (“accredited requestors”). The data will be provided in a standardised format to enable the accredited requestors to interpret and analyse that data and provide services to customers (for example, price comparison services and personal budgeting tools).
- The bill will also oblige data holders to perform certain actions where requested by customers (or accredited requestors acting with the customers’ consent), such as opening accounts, making payments, or changing customer plans.
The bill delegates a significant amount of detail to regulations, so many aspects of the design of the CDR are currently unclear. This includes, for example, which categories of data are subject to the CDR, what rules and standards govern the transfer of that data, what requirements apply when dealing with joint account holders, how customers’ identity should be verified, and which sectors will be designated (although the Government has confirmed that the first designated sector will be banking, with electricity a likely second).
While many of the critical details will therefore be determined during later consultations, the bill includes various material matters that businesses should consider carefully when assessing the likely impact of the CDR. For example:
- Product data
The bill requires product data (i.e., data about a data holder’s goods and services) to be made available electronically on request. The bill makes clear that the scope of product data is limited to data that is “ordinarily publicly available”. Data holders may wish to seek greater clarity as to what that is intended to capture, particularly given the potentially material penalties for failing to disclose data when required (see below).
- Privacy overlap
The bill provides that certain breaches of the CDR obligations will be treated as being an “interference” under the Privacy Act 2020. Data holders and accredited requestors may wish to seek greater clarity on the intended relationship between the CDR and the Privacy Act. For example, it is unclear to what extent individuals are able to seek separate remedies where breaches of the CDR are treated as a Privacy Act “interference.” - Scope of consultation rights
The bill requires the Minister of Commerce and Consumer Affairs to consult with certain parties before making regulations under the CDR. The relevant parties are: the Privacy Commissioner; a person with expert knowledge of te ao Māori approaches to data; and any person who will be “substantially affected” by the regulations. The Bill does not clarify who will be treated as being “substantially affected” which may concern certain data holders given the importance of having input into the design of the CDR and the underlying rules and standards. Among other things, data holders will want to ensure that the detailed standards under the CDR are aligned with existing industry initiatives (such as the standards developed by Payments NZ’s API Centre) and to ensure that the Minister’s decisions take account of industry technological expertise.
- Disputes Tribunal
The bill has been updated to give the Disputes Tribunal jurisdiction over CDR disputes, which will provide an alternative pathway for customer compensation claims (up to the Tribunal’s limit of $30,000). However, that may concern accredited requestors and data holders given the Tribunal’s less formal process (which involves no lawyers or judges). It may also test the resources of Tribunal referees, given that CDR complaints could be legally or technically complex. - Penalties and compensation
The bill includes a relatively detailed liability regime. It permits compensation for customers who have suffered loss, as well as tiered penalties, ranging from infringement notices of up to NZ$20,000 through to fines of up to NZ$2.5 million for companies that commit more material breaches. There are relatively narrow defences available, including for contraventions arising due to a “technical fault.” We expect that data holders and accredited requestors will want greater clarity as to the scope of these defences. For example, the “technical default” defence is only available where the data holder has exercised due diligence and has been complied with certain “reliability and availability requirements” (which have not yet been prescribed).
The CDR will create a significant and potentially far-reaching new legal regime. It will important for consumer-facing businesses, particularly those within sectors likely to be designated under the CDR (such as banking, electricity, telecommunications, insurance and health) to engage in the submission process to influence the design of the new framework. As noted above, time is relatively tight: submissions close on 5 September 2024.
Bell Gully’s Consumer, Regulatory and Compliance (CRC) Team has been closely monitoring the development of the Consumer Data Right. If you would like further details on the bill, or assistance in preparing a submission, please get in touch with the authors or your usual Bell Gully adviser.