Imagine a world where Government regulates information sharing. Now, imagine a world where consumers can choose when and whether to share their data with third-parties.

In banking, for example, power would be removed from the big players who hold all the customer information, lending to the possibility of misuse. Should the fintech sector have access to the same data, day-to-day consumers could benefit from a raft of emerging financial services – think wealth management applications, short-term loans with much lower interest rates, instant transfers to anyone.

Actually, these worlds combined isn’t far away. New Zealand is the latest country off the ranks improving its customer-centric data protections.

The Privacy Act 2020 – A step in the right direction

The need for large-scale data security is only becoming more pressing, the global outlook on COVID-19 suggests. Almost half (40%) of international organisations experienced at least one data breach after adapting to the remote working model, while 37% of employees faced phishing attacks. These routine scares are largely preventable, but will require joint efforts from Government and business.

The new Privacy Act 2020 is progress to that effect. It requires businesses to report on harmful security breaches and equips the New Zealand Privacy Commissioner with new powers to issue and publish breach notices. It applies across borders with a stated Extraterritorial Effect, for all organisations be they onshore or offshore ‘carrying on business’ in New Zealand – even data giants, such as Google and Facebook.

Abhishek Dubey, an accredited Independent Privacy and Security Professional with advisory expertise across New Zealand management, IT governance and telecommunications, and ready observer of the Privacy Act, explains that it will see individuals gaining rights to control their data as they wish, and business must prepare themselves.

“As a customer becomes confident to share more, companies can take action that represents and responds to their needs,” he explains. “New Zealand can actually come up with a lot more sustainable options, for initiatives and products of the future. It’s already visible with MBIE’s open banking support, and many new locally-led fintechs.”

But while the Privacy Act 2020 is an important step towards enabling New Zealand’s digital economy, and changing norms around how businesses store and use data, alone, it is not enough, Dubey explains. The effectiveness of new privacy measures will compliment the success of a broader Consumer Data Right, currently being deliberated in Government.

‘Consumer is key’ – An understatement

With a growing burden of data breaches, especially online, both the Privacy Act 2020 and possibility of the Consumer Data Right shows a proactive stance from the Government that is long overdue. With both, the focus is on giving the individuals certain rights so that they can control their data as they wish.

Yet, according to Dubey, “successful solutions be multi-faceted and long-term, and will require commitment from not just business owners – but also staff, security advocates, and the communities and individuals they serve”.

Dubey stresses this is not just a call for businesses to comply, but also a chance to foster more opportunities and industry longevity in a more competitive economy.

At the end of the day, Dubey explains, “it’s customer trust that the global push towards privacy deals with”.

Even though privacy is the core element, Dubey says that equally needed is consumer awareness-raising and privacy-centric design. This is because if a consumer is not aware of business obligations with privacy, they’ll be less likely to understand how businesses are working to realise value. This limits innovation and the trust-relationships the underpin sustainable business. He explains:

“If we agree privacy is a fundamental human right, organisations shouldn’t only see this as a compliance exercise. They should design their products and services with the principle of privacy by design in mind. This will instil confidence in consumers, who will trust these organisations in their collecting and processing their data.”

Lending confidence to the cause, Dubey says, “Most of our medium and large enterprises are already quite aware on their obligations and that know they need to do something but struggle with putting it into practice.”

Nonetheless, Dubey says that whether international giants such as Google and Facebook will readily comply with the Extraterritorial Effect that is part of the Privacy Act updates is less than clear.

“Worst case scenario, organisations might at first refuse to share data because they see it as a competitive advantage, but with new laws in place regulating sharing that information, customers will take that into account about what businesses they buy from and link up with.”

A Consumer Data Right – Key benefits

The prospect of a Consumer Data Right is another powerful driver for improving New Zealand’s digital economy.

A Consumer Data Right could have expansive benefits for consumer welfare and economic development, such as expanding the range of products and services and encouraging competition, while helping build the digital economy.

Is it enough? Another law is being thought about: the Consumer Data Right to protect data sharing, and take the power away from banks, telecoms or utility providers. Its benefits would be far-spanning. / MBIE

It would in principle see consumers with the the right to decide who to share their data with.

Dubey details, “In essence, the Consumer Data Right will be a set of rules that enables secure data portability to provide consumers with lot more options that their banking, telecom or utility providers currently provide them based.”

“Think of Consumer Data Right as another legislation which organisations will need to comply with, for example, banks will have no choice but to share the consumer data with fintechs so that consumers can get the best value from their data due to increased competition.”

“Everyone processing consumer data – collecting, sharing or processing – may have to comply with a set of rules, principles or standards to provide consumers assurance on secure processing of their personal information.”

Questions for Government

Over the past several years, the Government has sought to position the New Zealand economy to harness its social and commercial benefits, but a lack of clear measures and industry understanding of innovation drivers has thus far limited its development.

And, Dubey queries, the Government has no fixed path year on where this will go and questioning internationally for reference – “Should it only apply to the financial sector first, and then roll to other sectors such as telecommunications or utilities like Australia’s CDR?”

“Or should they design it so that it applies t­­o the entire NZ economy?” The other possibility – that it “compliments the NZ Privacy Act by adding an extra provision around data portability”.

As New Zealand works to sort out what a Consumer Data Right might look like, it looks to precedents set by other jurisdictions.  In the European Union, the GDPR has had a subsequent Payment Services Derivative (PSD2) applied to enable open banking –  with implications for all organisations dealing with data held by the banks and other financial institutions.

Data is today’s currency  

Today’s global marketplace sees data taking on the high value once assigned to mineable physical properties like oil, Dubey says. With that value, comes responsibility to the customer.

To ensure that organisations are ready to provide services to individuals in compliance with both legislations, Dubey’s advice it to prepare by ensuring data is processed securely and technology in place so that individuals can exercise their rights.

“What are the best sort of way to work towards trust as a consumer? How and when do you want to share your information? Apart from just banking, what if you could also share our data around our utilities like energy or maybe a telecom data? Could that bring you more options and opportunities? Is there a company that can give you real value rather than just them making a quick buck? At the end of the day, it’s your information.”

Underneath and guiding that, he adds, are the questions of politics.

“Different countries move at different paces with various political, social and otherwise contextual landscapes to respond to. We’re still not to a level where it should be but, if we compare ourselves on the global stage, the Privacy Act 2020 is a starting point of a bigger reform. Come the Act’s enforcement on December 1^st, it’s likely we’ll see ourselves as truer players and spokespeople for privacy and security on the global stage.”

“For New Zealand and the rest of the world, there is much progress to be made.”

While it is clear that New Zealand’s new privacy legislation has significant advantages for consumers, is business aware of the implications of these changes, and ready to take full advantage of them?