The paper provides valuable insights into how the CDR will be developed and what to expect when draft legislation is introduced in 2023.
In our final Consumer, Regulatory and Compliance update for 2022, this summary provides a short recap on the CDR as well as an update on the key details arising from the Cabinet paper (including significant new penalties proposed for breaches of the CDR framework). For further background on the CDR, please see our previous article here.
What is the CDR?
The CDR will require businesses to share prescribed data that they hold about consumers with trusted third party data recipients, at the consumer's request and with their consent. The data would be shared in a standardised machine-readable format so that it can be used by the third party recipient for the consumer's benefit (for example, for personalised price comparison services, or facilitating credit assessments by analysing transaction data). The Government anticipates that the CDR will enable the development of a wide range of products and services, reductions in search and switch costs, and increased competition.
When will the CDR be introduced?
The CDR will be rolled out on a sector-by-sector basis to certain designated industries. The CDR will be established under primary legislation setting out the high-level framework, with regulations designating particular sectors, and specific data standards setting out the detailed requirements for designated sectors.
An exposure draft of the bill is expected to be issued for consultation in early 2023, although the proposed timeframe for implementation is yet to be confirmed.
Which sectors will be designated?
The Government has confirmed that banking will be the first sector assessed for designation, under criteria to be set out in the CDR bill.
However, we expect that there will be significant interest in the draft legislation across the economy, given the potential for other sectors to be designated in due course. The Cabinet paper expressly lists other industries which may be nominated for designation in due course, including: “insurance, other financial services, energy (electricity and gas), health, the primary sector, telecommunications, and loyalty schemes.”
Who will administer and enforce the CDR?
The Cabinet paper outlines various roles for different regulators:
- MBIE will oversee the regime as “administering department” with responsibility for advising on designations and regulations, licensing data recipients, providing registry services and promoting the CDR. Data standards for designated sectors will be made by a statutory officer within MBIE.
- The Commerce Commission will have primary responsibility for enforcement of the CDR. The Cabinet paper proposes that the legislation grant the Commission the “full range” of enforcement powers, including “advocacy and outreach” powers as well as powers to investigate breaches and issue proceedings.
- Privacy issues will remain under the jurisdiction of the OPC using its existing powers under the Privacy Act 2020. Part 5 of the Privacy Act (governing complaints, investigations and proceedings) may be applied to breaches of certain CDR obligations as if they were breaches of relevant information privacy principles under the Privacy Act 2020.
It is expected that a memorandum of understanding will likely be required between the OPC and the Commerce Commission to provide clarity to designated sectors about their respective roles.
What enforcement consequences will apply?
The Cabinet paper proposes significant enforcement consequences for breaching the CDR, including both criminal and civil consequences depending on the nature of the breach.
The Cabinet paper proposes four main tiers of enforcement consequences, as follows:
- Infringement notices with fines of up to NZ$20,000, or fines for infringement offences up to NZ$50,000 (for technical contraventions of compliance obligations, e.g. a failure to maintain transaction records, or a failure to notify customers that a transfer of data is complete);
- Penalties of up to NZ$600,000 and compensation orders (for more serious contraventions, e.g. for a failure to authenticate the identity of a consumer or data recipient);
- Penalties of up to NZ$2.5 million and compensation orders (for serious offences e.g. a failure to provide a CDR service to consumers or accredited persons where required); and
- Penalties of up to NZ$5 million (or, if greater, either three times the value of any commercial gain, or 10% of the turnover in the period in which the breach occurred if commercial gain cannot be ascertained). This is reserved for egregious contraventions where the conduct occurs recklessly, knowingly, or intentionally (e.g. where a party fraudulently holds itself out as being an accredited recipient). For individuals, the consequences can also include imprisonment for a term of up to 5 years.
Who will fund the CDR?
The Cabinet paper proposes that the costs of processing applications for accreditation by prospective data recipients will be recovered through fees charged to the applicants (to be set out in regulations). The Government has estimated that application fees would cost approximately NZ$3600-4500 per application.
In addition, the CDR bill will include a levy-making power (to be set in regulations) that will permit charging of levies to participants in designated sectors, to enable partial recovery of the cost of the Commerce Commission’s regulatory functions.
2023 is set to be a significant year for the development of the CDR in New Zealand. We will continue to monitor and provide updates on the proposed CDR, including when the draft bill is issued early next year. We are also tracking the extent to which the CDR in New Zealand will align with the equivalent regime which currently applies in Australia.