Home | Databases | WorldLII | Search | Feedback New Zealand Ad Hoc Government Discussion Papers

Options for establishing a consumer data right in New Zealand. Discussion document. Ministry of Business, Innovation & Employment [2020] NZAHGovDP 2 (5 August 2020)

Last Updated: 15 October 2020

Discussion Document

Options for establishing a consumer data right in New Zealand

August 2020

Permission to reproduce

Crown Copyright ©

This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.

Important notice

The opinions contained in this document are those of the Ministry of Business, Innovation and Employment and do not reflect official Government policy. Readers are advised to seek specific legal advice from a qualified professional person before undertaking any action in reliance on the contents of this publication. The contents of this discussion paper must not be construed as legal advice. The Ministry does not accept any responsibility or liability whatsoever whether in contract, tort, equity or otherwise for any action taken as a result of reading, or reliance placed on the Ministry because of having read, any part, or all, of the information in this discussion paper or for any error, inadequacy, deficiency, flaw in or omission from the discussion paper.




ISBN 978-1-99-001938-8 (online)

How to have your say

Submissions process

The Ministry of Business, Innovation and Employment (MBIE) seeks written submissions on the issues raised in this document by 10am Monday 5 October 2020. Your submission may respond to any or all of these issues. Where possible, please include evidence to support your views, for example references to independent research, facts and figures, or relevant examples.

Please include your contact details in the cover letter or e-mail accompanying your submission. You can make your submission:

• by sending your submission as a Microsoft Word document to consumerdataright@mbie.govt.nz
• by mailing your submission to:

Consumer Data Right Project Team Commerce, Consumers and Communications

Ministry of Business, Innovation & Employment PO Box 1473

Wellington 6140

Please direct any questions that you have in relation to the submissions process to

consumerdataright@mbie.govt.nz

Use and release of information

The information provided in submissions will be used to inform MBIE’s policy development process, and will inform advice to Ministers.

MBIE intends to upload copies of submissions received to MBIE’s website at www.mbie.govt.nz. MBIE will consider you to have consented to uploading by making a submission, unless you clearly specify otherwise in your submission. If your submission contains any information that is confidential or you otherwise wish us not to publish, please:

• indicate this on the front of the submission, with any confidential information clearly marked within the text; and
• provide a separate version excluding the relevant information for publication on our website.

Submissions remain subject to request under the Official Information Act 1982. Please set out clearly in the cover letter or e-mail accompanying your submission if you have any objection to the release of any information in the submission, and in particular, which parts you consider should be withheld, together with the reasons for withholding the information. MBIE will take such objections into account and will consult with submitters when responding to requests under the Official Information Act 1982.

The Privacy Act 1993 establishes certain principles with respect to the collection, use and disclosure of information about individuals by various agencies, including MBIE. Any personal information you supply to MBIE in the course of making a submission will only be used for the purpose of assisting in the development of policy advice in relation to this review. Please clearly indicate in the cover letter or e-mail accompanying your submission if you do not wish your name, or any other personal information, to be included in any summary of submissions that MBIE may publish.

3

Contents

Glossary

1 Introduction

Purpose of this discussion document and context

The Ministry of Business, Innovation and Employment (MBIE) is seeking input on whether to develop a consumer data right (CDR) in New Zealand to give individuals and businesses greater choice and control over their data.

What does this discussion document do?

This discussion document seeks feedback on whether a CDR is needed in New Zealand and, if so, how it should be designed. The discussion document is divided into three key parts:

1. Does New Zealand need a consumer data right? This section includes a discussion of consumer data portability, the benefits, costs and risks associated with a CDR, and the potential scope of a CDR.

2. What form could a consumer data right take? This section contains a discussion and our initial analysis of the options we have identified for the overall approach to establishing a CDR.

100. How could a consumer data right be designed? This section includes a discussion on the elements that may be necessary in establishing a CDR.

The discussion document contains a high-level analysis of the options that we have identified to establish a CDR in New Zealand. The discussion document does not contain quantified cost benefit analysis and it does not contain analysis of how a CDR could be implemented in New Zealand. More detailed analysis will be completed as part of the policy development process as much of the detail is yet to be determined.

Process and timeline

Please provide submissions by 10am Monday 5 October 2020. Input on this document will be used to inform government on whether a CDR should be developed in New Zealand. The anticipated timelines for this work are set-out below.

2. Does New Zealand need a

consumer data right?

In the United Kingdom (UK), consumer data portability has been applied as ‘open banking’ to:

• use bank data to forecast how much someone will be able to save at the end of the month, and automatically move the amount into savings
• automatically round up purchases each time someone shops, and investing the difference
• separate bill money from spending money to help people keep track of their finances
• provide access to different bank accounts and credit cards in one place.
  • Many businesses across the economy collect and hold significant volumes of data when providing goods and services to consumers. The collection and use of data has accelerated as consumers increasingly transact and participate in society online.

Various innovative products and services have emerged that utilise data to benefit consumers by helping them manage their finances, compare product offerings, or more easily switch among different product providers. These products and services can be especially useful in sectors or markets where there are high search and switch costs1 such as insurance or banking. We are only beginning to understand the potential uses of data and these are likely to rapidly expand over time.

What is a consumer data right?

We use the term ‘consumer data right’ or CDR to describe a statutory ability for consumers to securely share data that is held about them with trusted third parties. This transfer of information is known as ‘data portability’. The third party could be another product provider or a separate entity such as a fintech. The data would be shared in a consistent machine- readable format so that it can be utilised by the third party for the consumer’s benefit.

Internationally there is increasing recognition of the growing importance of the value associated with data, including its role as an input to service provision. Some jurisdictions have attempted to intervene by engaging in legislative reform to promote consumer data portability or strengthen existing privacy rights, including the European Union (EU) through its General Data Protection Regulation (GDPR) and Australia through its Consumer Data Right (ACDR).

Other jurisdictions have introduced data portability regimes in specific sectors, such as the United Kingdom which has specifically addressed data portability in the banking sector through ‘open banking’.

¹ ‘Search costs’ refers to the costs or time associated with a consumer searching for a new product or supplier or comparing similar products from different suppliers (e.g. comparing different insurance policies). ‘Switch costs’ refers to the costs, time or disruption associated with a consumer switching to a new product or supplier.

Consumer data portability is limited in New Zealand

In New Zealand, the Privacy Act 1993 protects the collection, use and disclosure of personal information – that is information about an identifiable individual. The Act provides for individuals to access personal information held about them, and the Health Act 1956 provides a similar ability in respect of health information.

There have been some sector-led initiatives in New Zealand to promote data portability, including in the banking and electricity sectors. However, progress has been relatively slow and these initiatives do not appear to be delivering the full range of positive outcomes for consumers as yet.

² Open Letter to API Providers regarding industry progress on API-enabled data sharing and open banking, from the Minister of Commerce and Consumer Affairs, Hon Kris Faafoi, December 2019 https://www.mbie.govt.nz/assets/open- letter-to-api-providers-regarding-industry-progress-on-api-enabled-data-sharing-and-open-banking.pdf

During the response to the COVID-19 pandemic the digital transformation of the economy has been accelerated as greater volumes of business and commerce are conducted online. This also coincided with a rapid shift to contactless payments in traditional stores, exacerbating concerns about the impact that merchant service fees are having on businesses, particularly smaller retailers, and the lack of competition in the provision of retail payment services3.
Establishing a CDR in the banking sector would enable the development of alternative contactless payment solutions that could provide greater convenience and security when consumers are shopping in stores or online. This could help contribute to the ongoing COVID- 19 recovery effort by reducing payment fees charged to retailers. This is just one possible example of where a CDR could lead to new products and services being developed to benefit individuals and businesses.

Current regulatory settings may hinder data portability

We have heard a number of concerns about how current regulatory settings, or a lack of settings in some cases, may be hindering consumer data portability, for example:

1. data holders are often reluctant to share information with third parties even when the individual has authorised it, or require a higher threshold of identification from the consumer than when they originally became a customer, due to privacy concerns4
2. in practice, data holders may choose to refuse access to data in order to protect a competitive advantage

100. there are generally no requirements for data to be shared in a consistent format across a sector

4. data holders and third parties must hold bi-lateral agreements for the sharing of data which is inefficient (i.e. a fintech that relies on access to a consumers’ bank data will need to enter into individual contracts with each bank)

5. there is a lack of transparency around the fees that data holders can charge third parties for accessing application programming interfaces (APIs).

We have also heard that some third parties in the financial services sector are utilising less secure methods of accessing consumer data in the absence of a CDR. For example, some are using ‘screen scraping’ where a consumer effectively logs into an online account (e.g. online banking) via a third parties’ interface. This could pose a risk to consumers as it does not limit the use of the data, and may also be a breach of the bank’s terms and conditions.

Are there any additional problems that are preventing greater data portability in New Zealand that have not been identified in this discussion document?

³ Businesses are charged a ‘merchant service fee’ by their bank for accepting online debit, contactless debit card, and all credit card transactions. Merchant service fees vary depending on the volume and size of transactions. According to a Retail NZ survey from 2019, the mean merchant service fees are 1.1 per cent for contactless debit card transactions and 1.5 per cent for credit card transactions, however there can be large variance in the fees paid (http://retail.kiwi/system/resources/W1siZiIsIjIwMTkvMDUvMjAvNm11cDk2M3Znal9SZXRhaWxOWl9QYXltZW50c1JlcG 9ydDIwMTkucGRmIl1d/RetailNZ-PaymentsReport2019.pdf).

⁴ The Privacy Act 1993 provides for personal information (relating to an individual) to be accessed by that individual, and for it to be disclosed with a third party on a limited number of grounds, including where the agency (data holder) believes that the disclosure was authorised by the individual. Verification of an individual’s identity can be achieved through a digital identity service, such as RealMe.

What are the benefits of a consumer data right?

Establishing a CDR would give consumers greater choice and control over their data in new ways with trusted third-party providers. This will give rise to new products and services, allow consumers to compare products more easily, seamlessly switch product providers and transact with greater convenience. This will increase competition and innovation which, in turn, will benefit consumers by leading to reduced prices and improved product offerings.

We have identified a number of benefits, costs and risks for establishing a CDR which are summarised in the table below.

⁵ The Privacy Commissioner recommended a ‘data portability’ right in its Report to the Minister of Justice in 2017, https://www.privacy.org.nz/assets/Files/Reports-to-ParlGovt/OPC-report-to-the-Minister-of-Justice-under-Section-26- of-the-Privacy-Act.pdf

	Do you agree with the potential benefits, costs or risks associated with a consumer data right as outlined in this discussion document? Why/why not?
	Are there additional benefits, costs or risks that have not been explored in the above discussion on a consumer data right?

What is the scope of a consumer data right?

We consider that there may be a rationale for the government to introduce a CDR to foster greater consumer data portability and realise the consumer welfare and economic benefits. We would like to explore this further to better understand the costs and benefits of a CDR.

Consumer data

A CDR will apply to information relating to a particular consumer that is the end user who purchases a good or service from a supplier. This ‘consumer data’ can include information about a range of facets of our daily lives, including our purchasing preferences, travel destinations, spending or savings history, energy consumption or health records.

We consider that a CDR should apply equally to any end user of a product or service. This will mean that individual consumers as well as businesses and other entities will receive the benefits of a CDR. For businesses, especially small and medium-sized enterprises, a CDR could make it easier to carry out accounting or file taxes, obtain finance or insurance, and receive payments for goods and services.

Our initial view is that only ‘provided’ or ‘observed’ data would be subject to the CDR. ‘Derived’ data – that is data that has been created by a data holder through the application of insights and analytics – should generally be excluded from the definition of ‘consumer data’. This is because this type of data has been derived by the data holder through proprietary means which may be commercially sensitive. Excluding this information from a CDR will help to ensure that data-holders are not discouraged from developing new methods of collecting and analysing data. It is worth noting, however, that derived data may still be considered ‘personal information’ for the purposes of the Privacy Act 1993 if it relates to a natural person, and that individuals could therefore request this information under that Act.

Product data

In addition, we consider that a CDR should incorporate information about the products or services offered to consumers by a business. This ‘product data’ could include information about the fees and interest rates for savings accounts provided by a particular bank or different prices for electricity plans. While strictly not about a specific consumer, this data can be used to help consumers make more informed decisions by making it easier to compare and switch between different products, which could provide significant benefits in markets with high search costs (e.g. insurance). Some of this information may currently be publicly available on the websites of suppliers or on government registers such as the Disclose Register under the Financial Markets Conduct Act 2013, though a CDR could extend beyond information that is already available in the public domain.

Some overseas jurisdictions are considering extending regimes like a CDR to anonymised market-level data. While this could provide useful insights, such as the market share of
particular providers, and could increase competition in certain sectors, our current thinking is that any CDR would not apply to market-level data as this is less likely to be used by consumers.

Read access and write access

There are two main forms of consumer data portability:

1. ‘read access’ refers to the transfer of data a company holds about a consumer to a third party at the consumer’s direction and with their consent. The third party can read the consumer’s data, but they cannot modify it. For example, read access in the electricity sector could allow a consumer to share their usage history with a third party in order to help determine the best provider and pricing plan for them.

2. ‘write access’ refers to enabling a third party to change or add to data about a consumer at their direction and with their consent. Write access could be used by consumers to authorise third parties to apply for, manage and change products on their behalf through an API or other means.

We consider that a CDR should provide for both read access and write access in order to reduce switching costs and fully realise the benefits for consumer welfare as set out in the table above on page 10. Some examples of where write access could be beneficial, include the ability to:

1. open accounts with new service providers and close accounts with existing providers quickly and easily through a third party

2. transfer data, such as bank transaction data or payment data from one provider to another

100. update contact details or personal information across multiple service providers

4. use an app or accounting software to arrange payments from a bank account.

There are some risks associated with write access that will need to be taken into account when designing a consumer data right. For example, there will need to be a high degree of trust in order for consumers to allow a third party to change data on their behalf, and the additional functionality could pose a heightened security risk.

	What would the costs and benefits be of applying the consumer data right to businesses and other entities, in addition to individuals?
	Do you have any comments on the types of data that we propose be included or excluded from a consumer data right (i.e. ‘consumer data’ and ‘product data’)?
	What would the costs and benefits be of including both read access and write access in a consumer data right?

3. What form could a consumer

data right take in New Zealand?

What are the outcomes that we are seeking to achieve?

A CDR could have positive outcomes for consumer welfare and economic development.

A CDR will help to achieve these outcomes by reducing barriers for consumers to use their data by sharing it with trusted third parties. This will enable third parties to develop new and innovative products and services that make it easier for consumers to make informed decisions. In turn, this innovation will facilitate competition, economic development and improve consumer welfare.

We suggest the following criteria for assessing any options for establishing a CDR:

1. Trust. How well will the option strengthen privacy rights and maintain the security of consumer data while it is being used and shared?

2. Reach. How well will the option enable multiple sectors to become ‘open’6 thriving data sharing economies? An option which enables multiple ‘open’ sectors presents significant economic development opportunities, greater competition and productivity for the long term benefit of consumers.

100. Speed. How quickly will data portability become widespread throughout the economy, allowing the benefits to be realised?

4. Cost. How well will the costs of implementing a CDR be minimised so that the costs do not outweigh the benefits?

⁶ The use of ‘open’ in this paper differs from its use when discussing ‘open data’. Whereas ‘open data’ refers to data that anyone can use and share, in an ‘open’ sector that would be enabled through a CDR a consumer’s data is still secure and can only be accessed by trusted third parties with the consent of a consumer.

5. Flexibility. How well will an option allow for solutions to be tailored to the needs of a sector, and allow sector-led solutions to be developed before regulatory intervention?

	Do you have any comments on the outcomes that we are seeking to achieve? Are there any additional outcomes that we should seek to achieve?
	Do you have any comments on our proposed criteria for assessing options? Are there any additional factors that should be considered?

Options to establish a consumer data right

We have identified four main options for the high-level approach to designing a CDR. Each option is summarised below along with the pros and cons. At the end of this section on page 18 there is a brief summary of our initial analysis of each option against our assessment criteria. We have not included quantified cost benefit analysis as this will depend on the detailed design of any CDR.

Option one: Status quo

Under this option, the government would not introduce a consumer data right and the development of consumer data portability would be left to individual businesses or sectors.

There may be some progress in sectors where there is a consensus, however it is likely that progress would continue to be slow overall.

Do you have any comments on the discussion of Option one: Status quo?

Option two: A sectoral-designation approach

Under this option a high-level framework would be established in legislation that would apply across the entire economy, but the CDR would only apply to sectors or markets that had been designated through secondary or tertiary legislation. This option is a sectoral designation approach similar to the ACDR.

The scope of a designated sector and the data holders within the sector to which the designation would apply would be determined during the designation process. Once a sector has been designated, the detailed rules would be designed and applied in relation to the particular risks of the sector.

Using a sectoral-designation approach would create a framework that would allow consumers of a designated sector to safely share data relating to them with trusted third parties. The generic framework could be governed by a set of general rules, and independent bodies could set standards for sharing information, carrying out accreditation of third parties and enforcement. These elements are discussed further in chapter 4.

Do you have any comments on the discussion of Option two: A sectoral-designation process?

⁷ The Digital Identity Trust Framework is under development and will be a standards-based regulatory regime that will govern the operation of the digital identity eco-system and will provide for an accreditation process for digital identity providers.

Option three: An economy-wide consumer data right

A number of overseas jurisdictions have sought to improve consumer access and use of data through an extension of existing privacy protections. This includes the economy-wide general data protection approach in the EU’s GDPR which was introduced in 2016 and came into force in 2018. The GDPR is intended to strengthen the data-protection rights of individuals by giving them the right to receive a copy of their personal data in a structured, commonly used and machine-readable format and transfer this data to a trusted party.

A similar approach in New Zealand on the GDPR would require providing data portability rights in legislation. This could involve giving consumers specific tools for protecting, accessing and using data held about them, as well as a system of fines for violating these. This CDR would apply across the entire economy, rather than to specific sectors, but it would be primarily focused on data about individuals and not information about businesses, or ‘product data’.

Do you have any comments on the discussion of Option three: An economy-wide consumer data right?

Option four: Sector-specific approach

Under this option, distinct CDRs could be designed for specific sectors as the need arose. This differs from Option two in which there is an overarching legislative framework that can be applied across different sectors. This option could involve sector-specific legislation that may incorporate some of the aspects of Option two, such as shared standards within a sector, or an
accreditation regime. This option would effectively be an extension of sector-led initiatives that are underway in New Zealand.

A sector-specific approach in New Zealand could be similar to the EU and UK approach to open banking, including the Payment Services Directive 2 (PSD2). PSD2 is an EU directive that specifically requires banks to open consumer data to third-party account information service providers and payment initiation service providers if required to do so by the user.

	Do you have any comments on the discussion of Option four: Sector-specific approach?
	This discussion document outlines four possible options to establish a consumer data right in New Zealand. Are there any other viable options?

Initial analysis of options against assessment criteria

Do you agree or disagree with our assessment that Option two is most likely to achieve the best outcome using the assessment criteria?

Do you have any comments on our initial analysis of the four options against our assessment criteria?

4. How could a consumer data right

be designed?

This chapter discusses how a CDR might be designed, should the government decide to establish one. Our discussion of these elements is focused on the sectoral-designation approach discussed in chapter three, given our preliminary view that it is the option most likely to meet our assessment criteria. However many of the elements discussed could apply to the other options.

If government were to establish a CDR through a sectoral-designation approach, a high-level framework would be set in legislation and specific sectors would be ‘designated’ into the regime via secondary or tertiary legislation. Much of the detail would be set during the designation process in consultation with the relevant sector. This would allow the settings to be tailored to the specific needs and risks of the sector.

Design of a consumer data right

The overall design of the framework is yet to be determined, however we have identified a number of areas that the legislation could cover, including:

1. establishing a CDR that can be designated to specific sectors through secondary or tertiary legislation

2. providing for the type of data and the types of data holders within a sector, included in the CDR to be set during the designation process

100. providing for detailed rules for accessing and transferring data to be set during the designation process

4. establishing an accreditation regime for third parties

5. strengthening privacy safeguards

6. establishing an enforcement regime and methods for consumer redress.

These factors are discussed in more detail below.

Designation process

Under a sectoral-designation model, primary legislation could establish the ability for a sector to be ‘designated’ through secondary or tertiary legislation (e.g. through regulations), and would set out the procedural requirements for any such process. The designation process may include an assessment of the likely impacts on consumers and the relevant sectors, as well as an analysis of the costs and benefits of designating a particular sector.

Sectors could be designated where there would be overall consumer welfare benefits. For example, where there are high barriers to entry, strong public interest, high search and switching costs, or untapped economic development opportunities.

Scope of a designation

In a designated sector, data holders would be required to grant access to data to third parties (on the consumer’s consent), and it would need to be provided in a specified format. It is envisaged that the exact type of data and data holders (e.g. the types of businesses within a sector) to be included will be determined during the designation process. We recommend an industry data-specification process to review and reach an agreement on exact definitions of consumer data and product data for the industry.

A data-specification process allows for greater flexibility and the ability for the scope of CDR to move with developments in technology and data. For example, in some sectors, such as those where there are high search costs (e.g. insurance), the need for product data may be greater than in other sectors. It also allows for any CDR to be adjusted to recognise regulatory settings within the sector to avoid any potential overlap.

Rules and data standards

Primary legislation could allow for detailed rules and data standards to be set through secondary or tertiary legislation. A set of rules and data standards that can be applied across a designated sector is vital to the operation of a data portability regime.

A set of detailed rules would effectively set out how the data portability regime will function. It may establish, among other things, the types of data that can be shared and the timeframes for the sharing of data. It could also set some limitations on the prices that may be charged by data holders for accessing data so they are not excessive and do not restrict access by third parties. In addition, a set of data standards would determine the technical detail of how information is shared between data holders and third parties in a given sector.

Accreditation regime

An important element of promoting confidence in a CDR is ensuring that consumer data is only shared with entities that are able to hold the data safely and securely. This could be achieved through an accreditation model such as the one used for the ACDR, in which accreditation is undertaken by a centralised body. Once accredited, a third party can interact with any of the other accredited parties.

An accreditation regime improves the security and privacy of consumer data and removes the need for third parties to have multiple bi-lateral agreements with separate data holders, greatly improving the efficiency of the regime. Care will need to be taken to ensure that the accreditation regime does not exacerbate competition concerns by deterring innovative businesses from entering the market. One way that this could be achieved is if the accreditation regime allows for intermediaries to provide some of the systems or infrastructure that may be necessary to obtain accreditation.

Primary legislation could outline the processes and standards for accreditation and provide for the accreditation of a third party to be removed in certain situations, such as insolvency. It would likely also determine which body or bodies manage the accreditation process.

Privacy safeguards

While the security of consumer data will be protected through an accreditation regime, it may also be necessary to establish some additional privacy safeguards in primary legislation to strengthen existing privacy rights. These could go beyond the existing high-level privacy principles to enable the secure portability of consumer data to trusted third parties. For example, the ACDR establishes a range of privacy rights and obligations for users of the scheme, including the requirement for informed consent to collect, disclose, hold or use relevant data.

In order to ensure that access to consumer data is only shared when it has been authorised by the consumer, and that it is only used for the intended purpose, it is necessary to create a framework where consumer consent is required before information is transferred. A key part of obtaining an individual’s consent to share data is confirming the identity of the individual. This will be made easier through the creation of a Digital Identity Trust Framework which is being progressed by the Government. The Digital Identity Trust Framework is intended to accelerate the development and update digital identity services that are secure, trusted and interoperable.

Consumers may require a certain degree of financial or digital literacy to ensure that they understand the potential risks posed by consenting to their data being shared and used by a third party. This could pose a particular risk for vulnerable consumers. The onus will likely fall on the organisation seeking consent to achieve a balance between providing the necessary information and ensure adequate understanding so that the consumer can provide informed consent while avoiding ‘notice fatigue’.

Liability, enforcement and redress

Primary legislation may establish a liability and enforcement regime for the CDR. This could include setting out a range of offences, penalties or other enforcement tools that will apply to a designated sector, and setting out who is liable in the event of a breach.

In addition, it will also need to establish a means for consumers to report issues, and access redress in the event of a dispute between a consumer and a third-party or data holder. This may be achieved through the designation process whereby the sector specific dispute resolution service is empowered to resolve disputes in that sectors’ CDR (e.g. if the electricity sector was designated, Utilities Disputes may be the relevant dispute resolution provider).

	Do you agree with the key elements of a data portability regime as outlined in this section? Are there any elements that should be changed, added or removed?
	Do you have any feedback on our discussion of any of these key elements?
	Are there any areas where you think that more detail should be included in primary legislation?
	How could a consumer data right be designed to protect the interests of vulnerable consumers?

Further design considerations

Māori data sovereignty

We have identified that the establishment of a CDR may interact with the concept of indigenous data sovereignty, and the notion that Māori data is taonga to be held, protected and used by Māori. Taonga are protected by Article 2 of Te Tiriti o Waitangi. The Waitangi Tribunal has indicated that taonga are subject to the Treaty principles and the Crown is obliged to actively protect taonga, consult with Māori in respect of taonga, and recognise Māori rangatiratanga over taonga.

Should government decide to establish a CDR, it should be developed in a way which builds trust and value for Māori. We will use the principles of Te Tiriti o Waitangi and engage Māori to ensure this is achieved.

Vulnerable consumers and accessibility issues

On page 21 it is noted that care will need to be taken to ensure that vulnerable consumers understand the scope of any consents they grant for access to their data. In addition, it will be necessary to consider how the needs of disabled people or those with accessibility issues are met. We will consider the specific needs of disabled people and accessibility requirements further during the ongoing development of any CDR.

Interoperability with overseas jurisdictions

Overseas jurisdictions have taken different approaches to enabling consumer data portability. For example, the GDPR is focused on expanding existing privacy protections to improve the ability for consumers to access and use their data. Meanwhile, the ACDR has established a framework and infrastructure to enable consumer data portability to be rolled out gradually as needed across the economy.

There may be some benefits in aligning any CDR in New Zealand with similar requirements in overseas jurisdictions. For example, the Australian and New Zealand Productivity Commissions identified a number of areas where a trans-Tasman approach to open banking and data portability could benefit both countries8. This included by making it easier for firms to obtain finance for trans-Tasman trade activities, broadening the market for emerging fintech firms and encouraging increased competition in trans-Tasman financial services.

	Do you have any suggestions for considering how Te Tiriti o Waitangi should shape the introduction of a consumer data right in New Zealand?
	How could a consumer data right be designed to ensure that the needs of disabled people or those with accessibility issues are met?

⁸ Growing the digital economy in Australia and New Zealand: Maximising opportunities for SMEs, Australian and New Zealand Productivity Commissions, January 2019 https://www.productivity.govt.nz/assets/Research/b32acca009/Growing-the-digital-economy-in-Australia-and-New- Zealand_Final-Report.pdf

To what extent should we be considering compatibility with overseas jurisdictions at this stage in the development of a consumer data right in New Zealand?

Legislative design

If government were to progress a CDR it would intersect with various aspects of New Zealand’s statute book, including competition, consumer and privacy law. Competition, consumer and privacy law have varied objectives and would interact with a CDR in different ways.

Given that the legislative framework of a CDR intersects competition, consumer and privacy law, it may sit better in a stand-alone Act. This would provide greater flexibility to support existing laws, avoid misalignment and reduce any overlap or duplication.

Do you have any comments on where a consumer data right would best sit in legislation?

Institutional arrangements

Some of the elements of a CDR discussed above will likely need to be overseen by one or more government agencies or other independent bodies. There may be separate bodies to set rules, data standards, oversee accreditation, carry out enforcement and resolve disputes between consumers and third party data holders.

The ACDR uses a multi-regulator approach. The Australian Competition and Consumer Commission is the lead regulator, develops rules and carries out accreditation of third-parties.
The Office of the Australian Information Commissioner is tasked with enforcing the privacy safeguards established by that regime, and a separate body was established to develop the technical standards for data sharing.

A similar approach could be followed here where multiple regulators play specific roles. Alternatively, a separate regulator could be established to oversee the regime as a whole. There may be pros and cons to either approach. The involvement of multiple regulators would allow each regulator to bring their knowledge and expertise to a particular aspect of a data portability regime. However it could lead to some inefficiencies, and there may be economies of scale gained through having a single regulator.

	Do you have any comments on the arrangements for establishing any new bodies to oversee parts of a consumer data right?
	What are the pros or cons of having multiple regulators, or a single regulator, involved in a consumer data right?

Monitoring and evaluation

If government decides to proceed with the establishment of a CDR it will be important to put in place a monitoring and evaluation plan to measure if the CDR is meeting our stated outcomes of improving consumer welfare and economic development.

Our monitoring and evaluation plan will be informed in part by the design of any CDR. However, we would like feedback on how we could measure the effectiveness of a CDR. For example, we could measure the number of third parties utilising consumer data portability, or the level of growth in relevant sectors, or use insights from consumer surveys.

If government decides to establish a consumer data right, do you have any suggestions of how its effectiveness could be measured?

5 Conclusion

Our preliminary view is that that there is a case for government intervention to promote more widespread secure data portability through a CDR that could be applied across a range of sectors of the economy. This will help give consumers access to a wider range of products and services that better meet their needs by reducing barriers to sharing and use of data by trusted third parties. In turn, this will promote competition, innovation, economic development and good outcomes for consumers.

Based on our initial analysis, the best option to achieve this appears to be a sectoral- designation approach similar to the ACDR. This would see a CDR established in legislation in New Zealand, which would provide a framework that can be applied flexibly across different sectors as the need arises. Much of the technical detail would then be determined through the designation process.

Any regime would require funding both to establish the regime and to provide sufficient resources to any agencies or regulators that are involved. It is anticipated that this may be initially funded from the Crown, however there will be a separate policy process to determine who should fund the aspects of a CDR (i.e. whether it should be Crown funded or third-party funded through fees or levies).

Next steps

Following consultation on this discussion document, we will consider the submissions and will provide advice to the new government following the 2020 general election on whether regulatory intervention is required to achieve widespread secure data portability in New Zealand through a CDR.

Should government decide to progress with a CDR, additional consultation with interested parties and agencies will be conducted as we develop the key features of a CDR.