The Office of the Minister of Commerce and Consumer Affairs has released a Cabinet Paper seeking agreement from Cabinet on certain high-level design elements needed to prepare draft CDR legislation (CDR Bill). An exposure draft of the CDR Bill is expected to be released for consultation early this year.
A summary of the key proposals made in the Cabinet Paper is set out below. For further background on the CDR, please see our related Insights below. The Cabinet Paper can be viewed here.
Legislative design of the CDR
1. Banking proposed to be the first sector designated under the CDR:
- The Government considers the banking sector to be the natural starting point for rolling out New Zealand's CDR regime, particularly given the significant investment some banks have already made towards open banking.
- Government has advised that banking data standards will build on the work already undertaken by the New Zealand API Centre.
- Other sectors that ranked highly for designation were financial services, energy and health. These sectors are therefore likely to be the next in-scope for designation, after banking.
2. MBIE to be the CDR administering department responsible for most CDR functions:
- Government has proposed MBIE as the best functional fit to administer the CDR.
- As the administering department, MBIE would be responsible for advising on secondary legislation (including designations), licensing data recipients, providing registry services, establishing data standards for designated sectors, and promoting the CDR.
3. Commerce Commission to enforce the CDR:
- The Government proposes that CDR enforcement be carried out by the Commerce Commission. The Commerce Commission is proposed to be given a full range of compliance and enforcement powers under the CDR Bill, ranging from those aimed at supporting compliance through to sanctioning participants for non-compliance.
- Under the proposed structure, the Commerce Commission would not address privacy-related matters, which would instead fall within the jurisdiction of the Privacy Commissioner.
- It is proposed that the two regulators enter into a memorandum of understanding to clarify their respective roles and responsibilities in relation to the CDR.
4. Privacy Commissioner to address privacy-related breaches of the CDR:
- It is proposed that the Privacy Act 2020 (Privacy Act) would apply to all data holders and data recipients under the CDR and that the Privacy Commissioner would be able to exercise its existing functions and powers in relation to participants in the CDR regime.
- The Privacy Commissioner would also have enforcement and redress powers over any obligations in the CDR Bill that relate to privacy. The Government proposes to implement this by providing that Part 5 of the Privacy Act applies to breaches of certain CDR obligations as if they were breaches of the relevant information privacy principles under the Privacy Act.
- Under this proposed approach, the Privacy Commissioner would only address privacy-related complaints from individual consumers. Consumer complaints relating to non-privacy related matters, and complaints from legal entities, would need to be lodged with the Commerce Commission (or via applicable existing industry dispute mechanisms).
5. Significant penalties for breach of the CDR regime:
- The Government has proposed significant penalties for breaches of the CDR regime, with the most egregious breaches (involving deliberate or reckless behaviour) potentially constituting criminal offences.
The proposed tiers for enforcement are as follows:
| TIER | PENALTY | EXAMPLES OF BREACH |
| --- | --- | --- |
| One | Infringement notices up to $20,000 and infringement offences up to $50,000. | For basic breaches of compliance obligations such as failure to maintain transaction records. |
| Two | Penalties of up to $200,000 for an individual, and $600,000 for a body corporate plus compensation orders. | Applies to breaches that are more serious than just infringement offences such as a failure by the data holder to properly authenticate the identity of a consumer or data recipient. |
| Three | Penalties of up to $500,000 for an individual and $2,500,000 for a body corporate plus compensation orders. | Applies to breaches that are more serious than Tier Two offences such as a failure by a data holder to provide a CDR service to consumers and accredited persons. |
| Four | Imprisonment of up to 5 years and/or a fine of up to $1,000,000 for an individual. | Applies to the most egregious breaches such as a person knowingly misleading or deceiving another person into believing that they are a CDR consumer for the purposes of obtaining CDR data. |
6. Accreditation fees and tiers:
- The Government has acknowledged that designing, implementing and enforcing the CDR regime will come with significant costs. The Government has proposed that some of these costs should be met by the Crown and that others should be recovered via CDR levies and accreditation fees, to be determined on a sector-by-sector basis.
- The Government has advised that there is likely to be some form of "tiered" accreditation, which will be based on risk, but has not yet provided any further details.
Next Steps
The Russell McVeagh team will be monitoring the developments and will provide a further update when the exposure draft of the CDR Bill is released. In the meantime, if you would like any advice regarding how the New Zealand CDR might affect you and organisations in your industry, please do not hesitate to contact us.