17 July 2025

Digital identity in New Zealand: Trust is good but legal clarity and fairness are equally important

As digital identity services become more accessible and technically sophisticated, it’s easier than ever for New Zealanders to verify who they are online. With the Digital Identity Services Trust Framework Act 2023 (Trust Framework) now in force, we’re entering a new era of digital trust. But as with any emerging technology, adoption brings legal risks that must be carefully managed.

At MinterEllisonRuddWatts, our privacy and technology team is deeply engaged in helping clients navigate the fast-evolving digital identity landscape. While accreditation under the Trust Framework offers assurance around privacy and security, it’s not a complete shield. Two key legal risks continue to surface in our work with providers and relying parties: unfair contract terms and consent validity.

These aren’t theoretical concerns; they’re practical issues that could undermine the very trust the framework is designed to build. Legal compliance doesn’t stop at accreditation. The way digital identity services are offered, in particular through contracts and consent mechanisms, can still expose providers to significant risk.

Unfair contract terms

Under the Fair Trading Act 1986, businesses must not include unfair contract terms in standard form consumer contracts. Unfair contract terms are terms that create a significant imbalance in the parties’ rights and obligations, would cause detriment if enforced, and are not necessary to protect the legitimate interests of the advantaged party. 

In the digital identity space, the risk is increased by: 

  • Complexity: Users may not clearly understand what they’re agreeing to, due to a lack of understanding of the technical capability of the service.
  • Power imbalance: Providers will typically offer the terms on a ‘take it or leave it’ basis.
  • Hidden liabilities: Terms may unfairly shift responsibility for security and data breaches or misuse onto users or relying parties. While the Trust Framework provides immunity to providers in certain circumstances, this immunity is limited and should be carefully considered in the context of user and relying party contractual terms.


The types of terms that may give rise to unfair contract terms risks include: limitation of liability clauses, indemnities, disclaimers, restrictions on use of intellectual property, implied consents, broad and vague data use rights, and exclusions of implied rights.

Tip: Providers should draft and review their terms and conditions of use with a fairness lens. If a clause feels one-sided, it probably is. Transparency and plain language go a long way.

Consent Validity

The Privacy Act 2020 does not include any specific requirements in relation to what constitutes ‘consent’, but generally we recommend that consent be informed, specific, and freely given. Digital identity providers therefore need to ensure they do not rely on:

  • Bundled consents: Users agree to multiple uses of their data in one click.
  • Pre-ticked boxes: These don’t meet the commonly understood threshold for valid consent.
  • Unclear purposes: Users aren’t always told exactly (with detailed specificity) how their data will be used and for what purposes.


While the Trust Framework layers additional obligations on accredited providers in relation to user consent, there will also be providers operating outside of the accreditation framework. Ensuring a consistent, secure and fair approach to obtaining valid consent in the broader digital identity ecosystem is therefore critical to its uptake and success. The presence of rogue providers and poorly designed consent processes could threaten to erode trust in the digital identity ecosystem, potentially jeopardising the credibility and stability of the broader sector.

Tip: Break down consent into clear, separate steps. Use plain language and give users real choices. If they can’t say no to a particular use, it’s unlikely to constitute genuine consent. The key is then to ensure operations are set up correctly to give effect to those specific consents. 

Final Thoughts

The Trust Framework is a major step forward for digital identity in New Zealand, but it’s just that: a framework. Real trust is built through reliable, secure technology, transparent practices and the reputation and respect the providers establish and garner in our communities. A significant part of building that trust is for providers and relying parties to go beyond mere legal compliance by thinking critically about how their contracts and consent processes affect users.

If you’re a provider or relying party imposing terms and conditions on users seeking to adopt digital identity services, ask yourself: Would I sign this contract? Is the balance of risk fair and reasonable? Would I understand this consent? If the answer is maybe or no, it may be time to rethink.

If you would like assistance with digital identity or guidance on the topics discussed in this article, please contact our experts.
