Time to Get Carried Away by Data Portability? The New Consumer Data Right Rules and What They Promise for Start-Ups, Incumbents and Consumers
The new Consumer Data Right (CDR) regime
It’s here! The bill for the CDR framework was introduced into Federal Parliament on 13 February 2019 in the Treasury Laws Amendment (Consumer Data Right) Bill 2018 (Bill). The Bill is presently listed for passage in the autumn sittings of Parliament. Although the Government’s legislative priorities may change, and the Labor Opposition has expressed discomfort with aspects of the Bill, it is reasonable to expect that a CDR framework will be passed into law either before or after the Federal election in May 2019, regardless of the outcome of that election. The legislative framework for the CDR will be primarily set out in the Competition and Consumer Act 2010 (Cth) (CCA).
What is the CDR and what does it mean for consumers?
The purpose of the CDR is to grant “consumers” (defined broadly to cover businesses as well as individuals) greater control over their data. The Government has committed to applying the CDR initially to the banking, energy and telco sectors and eventually across the economy. Broadly, the CDR will give consumers the right to access their data held by businesses in the designated sectors and require those businesses to share the consumers’ data with other trusted third parties. Whether you are an individual or a business, as a consumer under a CDR regime you will have the right to access and use more information about your use of regulated goods and services. In particular, you may direct your bank, energy company or telco to give access to that information to you or to trusted third parties. This right is intended to enable you to:
- make more informed decisions about your use of those goods and services;
- make it easier for you to switch from one service provider to another; and
- use innovative services provided by third parties, relying on analysing information about your use of regulated goods or services.
But doesn’t this happen already, we hear you ask. It is true that there are comparison and aggregator sites operated by third parties that presently leverage off data about your use of banking, energy and telco services to provide you with additional services (for example, helping you to invest surplus funds or to choose the best service for you based on your use profile). However, the risk allocations for data loss, corruption or misuse between you, the third parties and your bank, energy company or telco are not clear. Further, these risk allocations cannot readily be regulated by contract as the third parties usually won’t be party to a contract with your service provider about the collection and handling of your data. In addition, your contract with your service provider may seek to prohibit you from sharing your access credentials (like a PIN) with a third party to enable the third party to provide a value-added service to you. The CDR will establish clearer permissions and risk allocation rules, as well as technical standards for data portability.
Implementing the CDR
The CDR will be applied to a sector of the economy by the responsible Minister designating that sector under the CCA and the Australian Competition and Consumer Commission (ACCC) developing the CDR rules for that designated sector. Those CDR rules must be consistent with the CDR framework in the CCA. The ACCC is the lead regulator because the CDR is in general driven by the need to encourage competition between service providers. In addition to developing the CDR rules for each designated sector, the ACCC is responsible for consumer education and enforcement. The ACCC will work closely with the Data Standards Body (hosted by Data61 at the CSIRO) and the Office of the Australian Information Commissioner (OAIC) in developing the CDR for each sector designated by the Minister.
The CDR will be first implemented in the banking sector by a measure that is known as “open banking”. In December 2018, the ACCC published the ‘Rules Outline’ which provides insight into the rules that are likely to apply to the banking sector, re-released with corrections in January 2019. According to that Rules Outline, third parties must be accredited before they are able to receive consumer data of the type specified in the Rules Outline (CDR data). This will ensure that the third parties have satisfactory security, privacy and confidentiality safeguards before they receive CDR data.
Under the Rules Outline, data recipients must also obtain a consumer’s consent to collect and use CDR data and data holders must obtain a consumer’s consent to share that data. That consent must be voluntary, express, informed, specific as to purpose, time-limited and easily withdrawn. Consent to use CDR data can only be granted to a data recipient, and consent to share that data can only be granted to a data holder, either once or for a specified continuing period of not more than 12 months. A data recipient must provide a consumer-facing electronic dashboard that provides details of the consumer’s current and historical consents. In addition, a data recipient must remind consumers every 90 days that an ongoing data sharing arrangement is in place.
CDR data will also be subject to other privacy and confidentiality safeguards. We analysed privacy and confidentiality in open banking when the final report of the review into open banking in Australia was released early in 2018. The issue was that privacy laws protect the personal information of individuals only but the open banking reforms extended to consumers which were not individuals. The Bill and the Rules Outline now provide more clarity about how Australian Privacy Principle-type protections will be extended to protect consumers which are not individuals. In particular, the Bill sets out 13 Privacy Safeguards that broadly parallel the 13 Australian Privacy Principles but cover “CDR data” generally, even where that CDR data is not “personal information” under the Privacy Act 1988 (Cth) (Privacy Act). The Bill also imposes data breach notification obligations in relation to CDR data on accredited data recipients and designated gateways that parallel the notification obligations imposed in relation to personal information under the Privacy Act. The Rules Outline supplements the Bill by including more specific compliance requirements in relation to many of the Privacy Safeguards.
Under the Bill, the OAIC is responsible for analysing the likely impact of the CDR rules proposed for a designated sector on the privacy or confidentiality of consumers’ information. The OAIC is also responsible for making guidelines about privacy safeguards and developing educational programs about those safeguards.
What data portability promises to deliver
- If you are a fintech or other start-up, now is the time to develop innovative business and technical models for using CDR data in particular sectors, as and when they are designated under the CCA.
- If you are an incumbent service provider in the banking, energy or telco sector, monitor the proposed implementation of the CDR in your sector (in conjunction with your industry peak bodies) and consider what new value-added services you may be able to offer your consumers (and consumers serviced by your competitors). These services may involve CDR data from your own transactions with consumers or from your competitors’ transactions with consumers. You may need to enter into partnerships with accredited third parties with the technical know-how to identify and exploit new opportunities.
- If you are a consumer, look for a range of new services made available to you by accredited third parties seeking to use data about your transactions with your bank, energy company or telco – this will probably include investment management services advising you how to best deploy your money in real time based on your banking transactions , comparison services to identify the best telco and energy deal for you and a range of other innovative data-based services.
By David Kreltszheim, Emily Sahhar, Brianna Date and Sebastian Gratz
This article is general commentary on a topical issue and does not constitute legal advice. It references Consumer Data Rights and Open Banking. If you are concerned about any topics covered in this article, we recommend that you seek legal advice.
The information included in this article is up to date as of 12/03/2019