Kia ora koutou,

In the IAPP 2023 Global Legislative Predictions, we noted New Zealand government efforts to introduce a consumer data right (our version of data portability) would continue this year. The Office of the Minister of Commerce and Consumer Affairs released a Cabinet Paper outlining further decisions on the CDR, which will inform the shape and content of the upcoming CDR Bill. Some decisions of interest include the following:

Banking should be the first sector to which CDR will apply

The minister determined "open banking" would enable customers to consent to their data being shared for value-added financial services. The sector has already made significant progress toward open banking but there are obstacles to banks entering the necessary bilateral agreements. Financial services, energy and health also ranked highly and could be next.

Enforcement powers will be shared between the Commerce Commission and the privacy commissioner

Reflecting the CDR’s dual purposes of supporting competition in the market and consumer rights and bolstering existing access rights contained in the Privacy Act 2020, the minister proposed a shared enforcement regime. The Commerce Commission would be responsible for protecting against harms to, and ensuring trust in, the CDR system. The privacy commissioner would be responsible for protecting against harms to individuals caused by privacy-related breaches.

The CDR Act will contain prescriptive privacy obligations

The CDR Act will contain a set of privacy obligations to prescribe how CDR data must be used, collected, disclosed or stored in context. The obligations will be over and above those contained in the Privacy Act’s information privacy principles. The minister said the powers and remedies available to the privacy commissioner would not change, and the privacy commissioner would not be able to issue infringement notices under the CDR Act. However, as noted above, the privacy commissioner could refer certain matters to the Commerce Commission for enforcement.

A comprehensive compliance and enforcement toolkit will include significant fines

The CDR Act will include a tiered penalty regime including significant fines for breaches of CDR obligations. The most egregious breaches — involving deliberate or reckless behavior — would be subject to serious criminal offences, fines of up to $1 million for an individual and, for a body corporate body, the greater of $5 million, three times the value of any commercial gain from the CDR data or 10% of the turnover in the periods in which the breach occurred.

It is heartening to see the government now moving towards penalty regimes similar to overseas practice. However, it is perplexing that the government did not have the foresight, or perhaps the confidence, to propose these sorts of penalties when reviewing the Privacy Act only a few years ago. It seems perverse for the CDR to carry such liability while the many fundamental rights and obligations in the Privacy Act carry almost none. If this imbalance is not addressed soon, or as the CDR Bill makes its way through the legislative process, focus on compliance with the CDR could come at the expense of other important privacy obligations.

Ngā mihi.