Consumer Data Right on track for 2022: consumers “in the driver’s seat”

7 July 2021

Earlier this week the Government confirmed its decision to implement a new legislative framework for a “Consumer Data Right." 

The decision follows a consultation period last year, and extensive submissions from a range of industries.

The new Consumer Data Right (CDR) is intended to enable consumers to require data held about them to be shared with trusted third parties. As Commerce and Consumer Affairs Minister David Clark put it, the framework will put consumers “in the driver's seat" in terms of how their personal information is used by third parties.

What is a Consumer Dat​​a Right?

The term 'Consumer Data Right' describes a method for consumers to securely share data that is held about them with certain trusted third parties. For example, it would allow a consumer to freely and securely share their data held by a bank, with another bank the consumer is interested in joining, or with a budget services app.

The Government's decision is intended to align the CDR with the current Australian position. Australian CDR rules came into effect last year, and currently apply to the banking sector. In time, these rules are intended to apply also to the energy and telecommunications sectors.

Which sectors w​ill this apply to?

The Government has not yet announced which sectors should be considered for designation first. However, it is likely that the banking industry will be one of the first sectors for implementation of the Consumer Data Right, when it is introduced. The Banks have already invested significantly to support data portability, through Payments NZ's “API Centre", but will need to be prepared for the mandatory portability of consumer data. Careful planning will be particularly important for the banking sector, given various other significant regulatory changes including the Reserve Bank's Capital Revie​w requirements, the new financial advice regime, and prescriptive new responsible lending requirements.

As in Australia, it is likely that the CD​R will also be extended to the energy and telecommunications sectors.

What safeguards will​ apply?

One of the key concerns raised during submissions was about data security. To protect the security of transfers of consumer data, third party data recipients will need to be formally accredited. In addition, any data shared through the CDR will only take place with a person's informed consent, and would be strictly used for the reasons agreed upon.

The businesses and services wishing to receive data under the CDR would have to meet a number of safeguards to ensure the information could be handled safely and securely. The CDR is intended to work hand-in-hand with the Digital Identity Trust Framework announced earlier this year, which sets out the rules for the delivery of digital identity services.

The CDR framework will reflect the intersecting concerns of competition, consumer and privacy laws.​ The relevant regulator has not yet been appointed. A separate regulator could be established to oversee the regime as a whole and multiple regulators may play specific roles. Some of the elements of the CDR may also be overseen by one or more government agencies or other independent bodies. For example, there may be separate bodies to set rules, data standards, oversee accreditation, carry out enforcement and resolve disputes between consumers and third party data holders.

Next s​teps

The Government aims to make a second round of detailed policy decisions on the CDR framework later in 2021, with a target of 2022 for the introduction of new legislation.

Primary legislation will create the overarching framework of the CDR, introducing basic obligations that will apply to those within a designated sector. Designations will specify the type of data that is covered and the functionality that is enabled. For example, if the banking and financial services sector were designated, this could apply to specific data such as bank account information and transactions. More detailed obligations will be set out in rules and data standards.

Further​ reading

The CDR is part of a suite of legislation that strengthens New Zealand's data protection framework and brings it up to date with international developments. For further background refer to MBIE's website and Bell Gully's previous updates:

  • Financial Services in 2021: what ministerial briefings tell us about the year ahead
  • Guide to the Privacy Act 2020
  • Open banking and consumer protection
  • How open is New Zealand to Open Banking?

We will continue to monitor and provide updates on the proposed CDR for New Z​​​​ealand.

If you have any questions or require any other guidance, please contact our consumer law team or​​ your usual Bell Gully advisor. ​

This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.