Background
Last year, the NZ Government consulted the public on the options to establish a consumer data right (CDR) in NZ. (Our newsletter on the CDR consultation is here.) In this digital, data-driven world it is common for businesses to collect data from their transactions with consumers. (They can even end up with more data on a consumer than the consumer themselves!) A CDR will require certain businesses to share that data when requested to by the consumer. For example if someone wants to move banks, their old bank would be required to share necessary details with the new bank in a prescribed, secure manner and environment. The aim of a CDR is to ultimately enhance consumers’ welfare by reducing search and switch costs, facilitating competition and encouraging innovation.
Development
On 5 July 2021, following consultation, the Government decided to implement a new CDR legislative framework, which will be rolled out on a sector-by-sector basis. This sector-specific approach is the current approach being taken in Australia.
Australia’s CDR
Australia’s CDR first applied to the banking sector, under which major banks are required under the Competition and Consumer (Consumer Data Right) Rules 2020 to share product reference data (eg information relating to interest rates, fees and charges, and eligibility criteria for banking products like credit cards and mortgages) with accredited data recipients. Australia’s CDR has common elements to the General Data Protect Regulation (GDPR), the European Union’s new primary data privacy legislation, and even goes beyond the GDPR in relation to consumer consent. The CDR always requires obtaining consent for collecting, using, and disclosing data, whereas the GDPR has other legal bases businesses can rely on (eg it is necessary for compliance with a legal obligation).
NZ’s proposed CDR legislative framework
The Government is proposing to introduce legislation in 2022. It is proposed that there will be a primary legislation which will create the overarching framework for the CDR, introducing basic obligations applying to those within a designated sector, while detailed obligations will be set out in rules and data standards. It is likely that the Government will refer to Australia’s CDR and the GDPR in building the framework.
Types of consumer consent
Consumer consent and control will be central to the CDR. It is expected that consumers may give accredited providers “read access” (the ability to read consumer data) and “action initiation” (the ability to carry out an action with the consent of a consumer).
Next steps
The Government is working out which sectors should be designated first. It aims to make further (more detailed) policy decisions on the CDR framework later this year. The Commerce and Consumer Affairs Minister also said it is his intention that the CDR will work hand-in-hand with the Digital Identity Trust Framework (a regulatory framework that will set out rules for delivery of digital identity services) announced in early 2021.
Links: