The Government has agreed to establish a consumer data right framework for New Zealand, Commerce and Consumer Affairs Minister David Clark said.
"Consumers should be in the driver's seat when it comes to how their personal information is used by third parties," Clark said.
A consumer data right, as defined by the minister, is a mechanism that requires data holders, such as banks and electricity retailers, to gain consent from a customer before sharing their data with third parties, like fintech companies.
Assurances must be gained that the third party will securely store the data, and only use it for the purpose intended.
Clark says the "data portability" element of the proposed reforms will make it easier for consumers to switch between providers or gain access to new services, because it sets new safeguards and rules for the likes of banks and power companies when they share information with another service provider, or when you hop between providers.
Privacy Commissioner John Edwards, who tried and failed to get "take your data with you" data portability reform included in a Privacy Act update that came into force in December, welcomed Clark's announcement this morning - even if the Council For Civil Liberties has its qualms (keep reading).
"This is effectively data portability as provided for in Europe in the GDPR [the General Data Protection Regulation - generally regarded as the gold-standard for privacy] and as has been in place in Australia for the past couple of years," Edwards told the Herald.
"In fact, it has potential to go even further in consumers' favour than the European version," Edwards said.
"We have been working with officials for some time and are very supportive. It is an enhancement of the existing Privacy Act right of access to personal information.
"We've had something that looks very much like data portability in the health sector since 1993. There are a number of details to work through with the design and implementation but overall it is a very positive initiative," Edwards said.
'Your data shared everywhere it suits us'
Council for Civil Liberties chair Thomas Beagle was more cautious and saw potential problems.
"Being able to easily share your data according to a defined standard provides people obvious benefits, and we are pleased to see that it will only be done with the consent of the individual," Beagle told the Herald.
"What concerns us is that consent is too often forced or assumed. We're all familiar with insurance companies demanding full medical records, or companies including compulsory checkbox 'agreement' before you can use their service."
There is also an organisational tendency to over-request and over-store personal data, to be a data-hoarder in case it's needed in the future, Beagle said.
"Consent isn't enough. The Government needs to set standards to make sure that consent is not unreasonably coerced or assumed, that the data shared is the minimum required, and that there are procedures for deleting the data or access when it is no longer needed."
Otherwise, it would be too easy to let this slide into a "your data shared everywhere it suits us" regime, Beagle said.
Clark today promoted a consumer data right discussion paper put together by MBIE, which in turn acknowledges that Edwards first pushed for data portability reform back in 2017.
The Government aims to make a second round of detailed policy decisions on the consumer data right framework later in 2021, and will look to introduce legislation in 2022, Clark said.
"The consumer data right will be rolled out on a sector-by-sector basis to ensure that the detailed requirements work in practice. We will look to align our system with the Australian model introduced in 2019," Clark said.
Officials are carrying out work to identify which sectors should be considered for designation first.
In the meantime, there have been private efforts to enhance informed consent around data sharing and tracking. Edwards - more often a Big Tech critic - recently gave strong backing to a new Apple initiative that requires apps to gain user consent before sharing tracking profile data with third parties, or selling it to data brokers.