In December 2019, the Hon Kris Faafoi, in his capacity as Minister of Commerce and Consumer Affairs, penned an open letter to New Zealand banks announcing his intention to take advice on the establishment of a legislative framework for a possible Consumer Data Right in New Zealand.
Minister Faafoi cited concerns regarding the pace and scope of progress with the development of industry-led open banking initiatives in the financial services space as a trigger for policy thinking in this area. Whilst it appears that the first cab off the rank will be the financial services sector, Minister Faafoi left the door open to mandating consumer data sharing in other sectors to the extent "necessary and appropriate".
MBIE is currently undertaking early policy thinking on whether a Consumer Data Right should be introduced in New Zealand and Minister Faafoi has confirmed that he expects to release a discussion document seeking public feedback in the first half of 2020.
What is the "Consumer Data Right"?
The Consumer Data Right broadly refers to legislation which aims to facilitate informed choices by consumers and greater competition between businesses, by providing consumers with better access to, and control over, their data. More specifically, it gives consumers in regulated industries the right to access data held about them by industry participants with respect to their consumption of goods and services, and to require that such data be disclosed directly to other accredited industry participants.
Australia enacted a Consumer Data Right in August 2019, initially to apply to the financial services sector, with the energy and telecommunications sectors proposed to follow. The EU has also enacted similar initiatives, both as part of Europe's General Data Protection Regulation (GDPR) and the revised Payment Services Directive (PSD2).
The complexity of developing rules to establish a level playing field between market participants, whilst at the same time ensuring consumer protection, security and improved customer service has been evidenced by the significant delays to enactment and implementation which continue to plague both the EU and Australia.
It is currently unclear what form the potential New Zealand Consumer Data Right might take and uncertainty exists as to what data, organisations and industries will be in-scope for regulation, which regulators would be involved in administering and enforcing the regime and what the territorial reach of the data right would be.
What are the key considerations?
Irrespective of what form the Consumer Data Right takes, it will be essential that the framework is designed for success, both in terms of effectively enabling cost-efficient access to market for new-entrant participants, as well as being sufficiently safe and easy to use to encourage voluntary consumer participation.
However, if Australia and the EU are anything to go by, the path to success is unlikely to be a fast or inexpensive one. In particular, there is likely to be material additional costs for participants in terms of implementation and compliance, as well as significant costs for Government in enacting new legislation and setting up and administering agencies to regulate it (the Australian Government has reportedly committed A$90 million just to resource agencies involved in regulating the Australian regime between FY18 and FY23).
Key considerations for each industry and participant will be different. However, all affected participants are likely to be on the same page in terms of wanting to ensure that the framework appropriately protects the privacy of data and maintains a high standard of security in their industry. A key part of this will be robust consumer authentication standards and an accreditation process which ensures participants meet minimum security standards.
As the Consumer Data Right will, in most cases, involve the processing of personal information, it will also be important that any Consumer Data Right framework aligns with applicable privacy law more broadly (noting that the New Zealand Privacy Act 1993 is also currently under review).
If you would like any advice regarding how the New Zealand Consumer Data Right might affect you and organisations in your industry, please do not hesitate to contact us.
This article is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.