The Government is working on a draft law establishing a “consumer data right” (CDR). Recent submissions will be considered before legislation to establish a CDR framework is introduced to the House, which is currently expected to occur by the end of 2023.

The proposed CDR will require certain businesses to securely provide a customer’s data to accredited third parties at the customer’s request.  Affected organisations will need to make a number of changes to ensure they comply with the new regime.

CDR - the key features

The focus of the draft law is “customer data”, meaning data about an identifiable customer (for example account histories and transaction details) held by “data holders”. Data holders will be designated by regulations. The banking industry is set to be the first to be affected, as part of the drive towards “open banking” in New Zealand, with other sectors to follow.

The new law will enable customers to ask data holders to provide accredited third parties with access to their customer data, using standardised data exchange methods. The aim is to empower consumers to get value out of their data as well as to promote competition amongst providers. For example, a customer could require their current bank to provide their customer data to a rival bank, thus assisting the rival to potentially match or better the current bank’s offering.

The draft law is still in the early stages, with consultation on an exposure draft of the Consumer Product and Data Bill having recently closed. Many of the details as to how the new regime would work in practice remain to be decided but it will inevitably require both data holders and accredited requestors to make quite significant changes across various aspects of their business. For example:

• IT systems will need to be updated to comply with new rules to enable the exchange of data with standard formats and safeguards.

• Record keeping obligations will be imposed to enable monitoring of data holder and accredited requestor compliance, to support enforcement.

• Data holders and recipients will be required to have to adopt detailed customer data policies, including a complaints process.

The draft law also provides for an enforcement regime with four tiers of liability and hefty fines ranging from $20,000 for a failure to maintain transaction records to $5 million where a person fraudulently holds out that they have CDR accreditation.

Next steps

The Government has held workshops with various stakeholders including the financial services, energy retailers, telecommunications providers and banking and payments sectors and has also called for submissions on the exposure draft of the bill, with a particular focus on:

• How to ensure that consent to data exchange is express and informed.

• The process for setting more detailed data exchange rules.

• Who should be accredited to connect to data holders; and

• How unlocking product and customer data could help meet the aspirations of people, iwi, businesses and others.

The submissions will now be considered before a bill is introduced to Parliament, which is scheduled to happen later this year.

Get in touch

We will continue to monitor progress of the proposed new regime and will publish updates as developments occur. In the meantime, if you would like to talk to one of our experts about the potential implications of the Bill on your business, please get in touch with one of our contacts.