Last year the New Zealand Government confirmed its decision to establish a Consumer Data Right ("CDR") framework for New Zealand, indicating that the New Zealand regime will broadly align with Australia's multi-sector designation model introduced in 2019 (more information about Australia's CDR can be found here).
While New Zealand is still waiting for draft legislation to be released, the Australian Government has recently completed an independent statutory review of the Australian CDR ("Review"), marking three years since it was first introduced.
The Review identifies a number of potential areas for improvement in the Australian regime and makes a range of recommendations for change, providing New Zealand with the opportunity to front foot some of these issues while our regime is still in the "design" phase.
Key findings and recommendations
The Review included a consultation process and summarises the findings from submissions made by a range of stakeholders across Australia's CDR ecosystem (full text of the Review is available here). Key findings and recommendations include:
Regulatory requirements: Some participants found that the Australian CDR rules and standards were complex and overly prescriptive, resulting in participants spending more time on compliance activities than on the development of innovative new CDR products. The accreditation process and division of oversight roles between government agencies has also created confusion and complexity for participants. The Review recommends that consideration be given to ways in which the rules, standards, and governance structure can be simplified.
Regulatory alignment: The Review also recommends that the Australian Government monitor, and address, overlap between the CDR and other existing (and emerging) regulatory regimes to ensure that the CDR is easy to navigate and that the regulatory compliance burden on participants is reduced. In particular, the Review recommends that the Australian Government consider overlap between the CDR and Australian privacy law.
Consent process: The Review found that the Australian CDR consent process is complex and has potential to lead to "consent fatigue", undermining genuine consent and resulting in a decrease in overall participation. In particular if, as currently proposed, the Australian CDR broadens to include action initiation in addition to mere data sharing, the Review recommends that consideration be given as to how the consent process can be simplified for consumers (for example, by bundling consents).
Participation: The Review concludes that the size and complexity of the Australian CDR is a barrier to entry for smaller business participants and that, overall, participation in the CDR has been low. The Review recommends that the Australian Government consider ways to increase small business participation in the CDR – for example, by giving the flexibility to share CDR data with a wider range of non-accredited third parties, increasing the duration of consent, removing administrative burdens, and loosening data deletion requirements (to the extent appropriate).
Data quality: The Review found that data quality is limiting adoption of the CDR in Australia, with some participants still relying on screen scraping as a result. The Review found that addressing data quality as a priority, including via more rigorous compliance enforcement, may increase participant confidence in the CDR and aid in the development of new CDR products. The Review goes as far as recommending that screen scraping be banned in sectors where the CDR is a feasible alternative.
Reciprocity: The Australian CDR rules include sharing obligations on some accredited data recipients ("ADR") – this means that some ADRs are required to share CDR data (including data generated by that ADR), free of charge. However, the Review found that potential participants are avoiding accreditation, or looking to use alternative access models, to get around being subject to the reciprocal data holder obligations, undermining the success of the CDR. The Review recommends that reciprocal data sharing obligations be monitored to ensure that all participants contribute to the system for the ultimate benefit of the consumer.
Sector-by-sector approach: The Australian CDR has been implemented on a sector-by-sector basis, starting with the financial sector, and to be followed by the telecommunications and energy sectors. The Review found that while this approach could support certain cross-sector data sharing use cases, it may not be sufficiently flexible to meet consumer expectations in the longer term (and particularly in the context of the currently proposed introduction of action initiation within the Australian CDR, which the New Zealand Government has indicated will be in-scope of the New Zealand regime also). The Review contemplates a data purpose-driven approach for CDR expansion in the longer term, rather than expansion on a sector-by-sector basis.
New Zealand's CDR
The Review findings provide an opportunity for New Zealand to take into account some of the learnings from the first three years of operation of the Australian regime as we embark on our own CDR journey. Draft New Zealand CDR legislation was set to be introduced in 2022, so we may see a Bill introduced into Parliament very soon.
The Russell McVeagh team will be monitoring the developments and will provide a further update when the Bill has been released. In the meantime, if you would like any advice regarding how the New Zealand CDR might affect you and organisations in your industry, please do not hesitate to contact us.
This article is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.