Contributed by: Liz Blythe, Louise Taylor and Vaash Singh
Published on: January 16, 2023
The Office of the Minister of Commerce and Consumer Affairs has released a Cabinet Paper seeking agreement from Cabinet on certain high-level design elements needed to prepare draft CDR legislation (CDR Bill). An exposure draft of the CDR Bill is expected to be released for consultation early this year.
A summary of the key proposals made in the Cabinet Paper is set out below. For further background on the CDR, please see our related Insights below. The Cabinet Paper can be viewed here.
The Government considers the banking sector to be the natural starting point for rolling out New Zealand's CDR regime, particularly given the significant investment some banks have already made towards open banking.
Government has advised that banking data standards will build on the work already undertaken by the New Zealand API Centre.
Other sectors that ranked highly for designation were financial services, energy and health. These sectors are therefore likely to be the next in scope for designation after banking.
Government has proposed MBIE as the best functional fit to administer the CDR.
As the administering department, MBIE would be responsible for advising on secondary legislation (including designations), licensing data recipients, providing registry services, establishing data standards for designated sectors, and promoting the CDR.
The Government proposes that CDR enforcement be carried out by the Commerce Commission. The Commerce Commission is proposed to be given a full range of compliance and enforcement powers under the CDR Bill, ranging from those aimed at supporting compliance through to sanctioning participants for non-compliance.
Under the proposed structure, the Commerce Commission would not address privacy-related matters, which would instead fall within the jurisdiction of the Privacy Commissioner.
It is proposed that the two regulators enter into a memorandum of understanding to clarify their respective roles and responsibilities in relation to the CDR.
It is proposed that the Privacy Act 2020 (Privacy Act) would apply to all data holders and data recipients under the CDR and that the Privacy Commissioner would be able to exercise its existing functions and powers in relation to participants in the CDR regime.
The Privacy Commissioner would also have enforcement and redress powers over any obligations in the CDR Bill that relate to privacy. The Government proposes to implement this by providing that Part 5 of the Privacy Act applies to breaches of certain CDR obligations as if they were breaches of the relevant information privacy principles under the Privacy Act.
Under this proposed approach, the Privacy Commissioner would only address privacy-related complaints from individual consumers. Consumer complaints about matters unrelated to privacy, and complaints from legal entities, would need to be lodged with the Commerce Commission (or via applicable existing industry dispute mechanisms).
The Government has proposed significant penalties for breaches of the CDR regime, with the most egregious breaches (involving deliberate or reckless behaviour) potentially constituting criminal offences.
The proposed tiers for enforcement are as follows:
Infringement notices up to $20,000 and infringement offences up to $50,000. These apply to basic breaches of compliance obligations, such as failure to maintain transaction records.
Penalties of up to $200,000 for an individual, and $600,000 for a body corporate, plus compensation orders. These apply to breaches that are more serious than just infringement offences, such as a failure by the data holder to properly authenticate the identity of a consumer or data recipient.
Penalties of up to $500,000 for an individual and $2,500,000 for a body corporate, plus compensation orders. These apply to breaches that are more serious than Tier Two offences, such as a failure by a data holder to provide a CDR service to consumers and accredited persons.
Imprisonment of up to 5 years and/or a fine of up to $1,000,000 for an individual. For a body corporate, the greater of $5,000,000 or either (a) three times the value of any commercial gain; or (b) 10% of the turnover in the periods in which the breach occurred if commercial gain cannot be ascertained. These apply to the most egregious breaches, such as a person knowingly misleading or deceiving another person into believing that they are a CDR consumer for the purposes of obtaining CDR data.
The Government has acknowledged that designing, implementing and enforcing the CDR regime will come with significant costs. The Government has proposed that some of these costs should be met by the Crown and that others should be recovered via CDR levies and accreditation fees, to be determined on a sector-by-sector basis.
The Russell McVeagh team will be monitoring the developments and will provide a further update when the exposure draft of the CDR Bill is released. In the meantime, if you would like any advice regarding how the New Zealand CDR might affect you and organisations in your industry, please do not hesitate to contact us.