What you need to know:

  • The Government has announced its intention to establish a Consumer Data Right (CDR) in New Zealand.
  • A CDR will enable consumers to consent to their data being securely shared with trusted third parties, using standardised data formats and interfaces.
  • The enabling legislation is set to be introduced in 2022 and rolled out on a sector-by-sector basis, with the banking sector widely tipped to be the first sector to be designated and the energy and telecoms sectors following closely behind.

What is a CDR?

A CDR is the ability for consumers to share data that is held about themselves with trusted third parties. This transfer of information is known as ‘data portability’. The data is shared in machine-readable format, using standardised formats and interfaces, so that it can be utilised by the third party for the consumer’s benefit.

While the types of data that will be in scope are yet to be defined, the Ministry of Business, Innovation and Employment (MBIE) has indicated that the regime will apply to ‘provided’ or ‘observed’ information of consumers about a range of facets of their daily lives, including purchasing preferences, spending or saving history, energy consumption and health records.

Why is it needed?

With much of consumers’ daily lives being conducted electronically, there is clear value in enabling them to retrieve their information easily and in a practical format.

The Privacy Act 2020 includes the right for individuals to access their personal information held by businesses, but it does not specify how that information is to be provided. This has led to a range of different approaches being taken by businesses. Some categories of information are not captured by this access right, as the Privacy Act deals only with personal information. Moreover, businesses are restricted in whom they may share personal information with, and for what purposes. These are some of the factors that have been identified as hindering the development of a meaningful data portability right in New Zealand, and supporting the case for legislative intervention.

As noted by MBIE: “Over time, [the CDR regime] will give individuals and businesses access to a wider range of products and services, reduce search and switch costs, facilitate competition, encourage innovation, increase productivity and help build the digital economy.”

Which sectors will it apply to?

The CDR is proposed to apply sector-by-sector, with work underway to identify which sectors should be considered for designation first. Given that international developments of CDRs have largely focused on the banking sector, that sector looks set to be the first to be designated, with the energy and telecommunications sectors following closely behind.

How does it compare internationally?

The move will align New Zealand more closely with several of its key trading partners, where legal data portability rights already exist.

Australia’s first set of CDR “Rules” for the banking sector commenced in February last year. Under these Rules, the four major Australian banks are required to (amongst other things) share data about the products they offer and securely transfer (at the customer’s request) certain data relating to their customers’ cards, loans and transactions. The disclosure requirements are being phased in over a two-year period.

The approach proposed by MBIE is similar to the Australian approach, and no doubt the success (or otherwise) of the Australian rollout will inform the New Zealand CDR. In the banking sector in particular, we would expect a high degree of alignment with the Rules, given that the big four New Zealand banks are subsidiaries of Australian banks.

The EU and the UK have a generally applicable data portability requirement in the EU’s General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018. Despite the difference in approach, those regimes will remain influential and alignment will need to be considered from a privacy perspective to ensure New Zealand retains its “adequacy” status for the purposes of data transfers to and from the EU.

How are privacy concerns dealt with?

Any sharing of a consumer’s personal information with third parties brings about privacy challenges, and careful thought needs to be given as to how to address them. Those challenges include:

  • enabling consumers to consent to their data being shared and to amend or withdraw their consent;
  • ensuring that individuals are given sufficient information to make an informed choice;
  • ensuring that third parties only use the data they are given for defined purposes;
  • adequately protecting the data, given that the risk of security breaches is likely to increase as consumer data is accessed by more companies; and
  • protecting the privacy of information about other individuals (eg joint account holders in a banking context).

The CDR regime will need to work hand-in-hand with the requirements of the Privacy Act 2020, and the intention appears to be for the CDR to be made consistent with – and not overlap or replace – the existing law. The Office of the Privacy Commissioner (OPC), in its response to the consultation document issued last year, has suggested the CDR could eventually form part of the Privacy Act (creating a general portability right similar to the UK/EU).

What are the implications for New Zealand businesses?

The legislation will clearly bring about significant implementation costs and practical challenges for businesses in the designated sectors. While it is difficult to specify these costs and challenges in any detail at this stage, at a broad level we would expect these to include costs in relation to:

  • assessing ‘CDR readiness’; 
  • procuring new systems or rewriting existing systems to hold consumer information in specified formats and to enable transferability;
  • implementing new security measures to receive and hold consumer data (particularly if specific security standards are mandated within a given sector); and
  • updating existing privacy policies and practices to ensure compliance with (for example) consumer consent and withdrawal mechanisms.

What’s next?

The legislation itself is set to be introduced in 2022, so is still some way off, but more detailed policy decisions and implementation plans are expected later this year.
