The proposed legislative framework for the Consumer Data Right (CDR), including its interaction with existing privacy laws, can be difficult to follow. In this article, we explain how the proposed framework has developed, some of the key concepts, including the roles of the key participants and obligations and what to expect next.
If the CDR operates according to plan, consumers and businesses can expect to gain more control over their data held by organisations in designated sectors of the economy, to enable them to more effectively choose where to take their custom and business.
The framework applies to ‘consumer’ data. A 'consumer' is defined more broadly than individuals and also covers organisations, including businesses and trusts receiving goods and services from a data holder.
To establish and facilitate the exercise of the CDR, a data handling and sharing framework, consisting of rules and technical standards which will apply to participants, is being developed by Treasury, the ACCC, the OAIC and Data61.
The Exposure Draft Treasury Laws Amendment (Consumer Data Right) Bill 2018 (Cth) (Draft Legislation) sets out the proposed regulatory framework for the new CDR. The new legislation provides a framework within which consumers can access certain data held about them by various service providers. The regime is due to come into effect on 1 July 2019 for the 'big four' banks with the energy and telecommunications sectors to follow.
Consumers and businesses can expect to gain more control over their data that is held by organisations in designated sectors of the economy, to enable them to more effectively choose where to take their custom and business.
Participants in the banking, energy and telecommunications sectors need to be aware of, and prepare for, these changes. However, the CDR will eventually apply to business across all designated sectors that hold consumer data.
Banks and other financial institutions should be aware of the deadlines for implementation of the CDR – 1 July 2019. Those organisations should already be considering the proposed framework and, in broad terms, how compliance arrangements will be implemented (based on what we know so far). Those organisations who wish to be Accredited Data Recipients (ADRs) should also be considering how to meet the accreditation requirements. Internal preparations may include identifying relevant consumer data, uplifting current privacy and data management frameworks to meet the new privacy and data security standards, developing consumer consent forms, and reviewing arrangements with vendors who might handle the consumer data.
The Federal Government has already flagged that the energy and telecommunications industries are likely to be the next sectors to be designated after the banking sector. Organisations within these sectors should also be taking steps to understand the data sets they hold that could be subject to the CDR, as well as the status of their current data protection compliance and arrangements generally. These organisations may also wish to involve themselves in the consultation processes.
Further information about the CDR can be found in our earlier update, The Consumer Data Right – opening data access to drive competition which discusses the announcement of a framework for the CDR, and in Empowering consumer choice – ACCC to regulate the Consumer Data Right.
The Bill creating the CDR laws is expected to be introduced into Parliament in November/ December this year. Following that, the ACCC expects to release the draft CDR Rules. The ACCC anticipates the Bill to pass in early 2019, and the final CDR Rules following that. Important dates that are worth noting:
Following this, the CDR implemented for energy and telecommunications sectors – though the timing is unknown.
The regulatory framework for the CDR will be incorporated into the Competition and Consumer Act 2010 (Cth) (CCA) by the Draft Legislation.
Oversight of the CDR will be split between the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC).
Some of the key concepts in the Draft Legislation are as follows.
The proposed definition of 'CDR data' in the Draft Legislation is broad and includes information within a class of information in a designation instrument, extending to information wholly or partly derived from this information. The Draft Designation Instrument proposes to cover customer-provided data, transaction data, and product data. Examples of the kinds of data that is proposed to be designated are set out below.
While Treasury has attempted to restrict the application of 'derived data' in the second version of the Draft Legislation by including a requirement that information must be 'wholly or partly' derived from data specified in a designation instrument, concern remains that the definition of CDR is still very broad. It is therefore unclear the extent to which derived data could extend to data that has been materially enhanced or manipulated by data holders.
The definition of consumer is expansive, being a person who is identifiable, or reasonably identifiable, to whom CDR data relates because of a supply of a good or service to the person or their associate. This is broader than the definition under the CCA as it includes business consumers as well as individuals. According to the Explanatory Memorandum, data that 'relates' to a person is broader than the definition of personal information in the Privacy Act, because it includes information such as meta-data, an identifier or information about their use of a product.
Treasury has indicated that only consumers receiving goods or services from a data holder are intended to benefit from the CDR. However definition of a CDR consumer can be narrowed on a sector by sector basis, so most large businesses who will benefit from open banking may not always fall within the definition for other industry sectors.
The geographic reach of the CDR is also extensive, applying not only to CDR data generated or collected in Australia, but also CDR data generated or collected outside Australia by or on behalf of a company registered under Parts 21.2 or 5B.1 of the Corporations Act or an Australian citizen or permanent resident.
A Data Recipient Accreditor (DRA), currently the ACCC, will accredit individuals and businesses to receive CDR data based on specific criteria to be included in the ACCC's Rules. The current proposal for this criteria requires prospective ADRs to show that they:
The Draft Legislation includes a number of 'Privacy Safeguards' which set minimum standards for privacy protection in relation to CDR data. These privacy standards adopt the same structure as the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) (Privacy Act). Each APP will have a corresponding (but more restrictive) privacy safeguard (except for APP12 Access to Personal Information).
Depending on whether an organisation is a data holder, an ADR or is a reciprocal or receiving data holder also, different privacy safeguards will apply in addition to or in place of the APPs.
In addition to being more onerous, the privacy safeguards are broader than the APPs, because they apply to all data designated as 'consumer data', not only data relating to identifiable individuals. The privacy safeguards will also bind all data holders and ADRs, even if they are currently not regulated by the Privacy Act.
The Draft Legislation indicates that a failure to comply with any of the privacy safeguards may attract a civil penalty. In contrast, the Privacy Act has more limited civil penalty provisions in relation to credit information and for repeated or serious breaches of the APPs.
Treasury has clarified, in the second exposure draft of the Draft Legislation, that the privacy safeguards will apply in place of the APPs to all ADRs in relation to CDR data that they hold.
However, only the following privacy safeguards (PS) will apply to data holders:
In addition, these privacy safeguards will only apply to a data holder after a disclosure request has been made, and only in respect of the specific set of data requested to be transferred. Otherwise, the APPs (under the Privacy Act) will apply to the data holder.
Data recipients are considered to be data holders in relation to CDR data they have collected directly from consumers or generated internally.
Our National Privacy and Competition teams can help you review your data, systems and contractual arrangements, and also assist you to develop a compliance plan to meet applicable CDR requirements.
Department of Treasury: responsible for drafting the CDR legislative framework and consulting with industry and the public about the draft laws; designating future sectors to be covered by the CDR
ACCC: responsible for developing rules that will govern the application of the CDR; accrediting data recipients; consulting with the Department of Treasury about the future designation of sectors
OAIC: responsible for consulting with the ACCC about the development of the Privacy Safeguards; enforcement of the CDR rules
Data Standards Body (CSIRO's Data 61 is the interim Data Standards Body): responsible for developing technical standards
CDR consumers: a person to whom the CDR data relates. CDR consumers can be identifiable or reasonably identifiable individuals, as well as small, medium or large businesses, depending on the breadth of the definition in the designation and rules (which may changes for different sectors)
Data holders: are in a designated sector and hold CDR data that falls within a class of information set out in a designation instrument (which is currently limited to the major banks) who collect, generate or hold the CDR data and must comply with rules mandating the disclosure of CDR data.
Accredited Data Recipients (ADRs): these data recipients must go through an accreditation process (managed by the ACCC) to be separately authorised by a consumer to receive CDR data from a data holder and can be required to disclose CDR data to accredited persons. An ADR can also be a reciprocal data holder for other CDR data (eg currently a credit licensee) or a receiving data holder because they generate or collected a certain class of data outside the CDR data which they use in the ordinary course of business