The Situation: The Australian Government has introduced the Consumer Data Right ("CDR"). The CDR will allow individual and business consumers to access data on their own consumption of goods and services.
The Result: The CDR will enable consumers to direct custodians to share their data with accredited entities that have "satisfactory security and privacy safeguards" in place. This will increase competition between businesses.
Looking ahead: The new rules relating to the CDR will initially apply only to the banking and energy sectors but could eventually apply economy-wide. The regime imposes significant obligations related to privacy. All businesses that hold consumer data should consider how they would meet the accreditation requirements.
The CDR Regime
On 13 February 2019, the Australian Federal Government introduced the Treasury Laws Amendment (Consumer Data Right) Bill 2018 ("Bill"). The Bill sets out the regulatory framework for the new CDR, which:
- Provides consumers with access to data about their consumption of goods and services;
- Enables consumers to provide that data to accredited third parties (subject to data privacy safeguards); and
- Provides access to standardised data about goods and services in designated sectors of the economy.
The legislation seeks to facilitate informed choices by consumers and greater competition between businesses. However, there are also significant impacts that are likely to result in compliance costs.
Under the proposed CDR Regime, the Treasurer may designate the sectors of the economy to which the CDR applies. The first two designated sectors are banking and energy. However, the CDR may eventually apply economy-wide. Accordingly, all businesses that handle consumer data need to take steps towards meeting accreditation.
Once a sector is designated, the Australian Competition & Consumer Commission ("ACCC") will make rules governing the application of the CDR to that sector. These rules will cover the disclosure, collection, use, accuracy, storage, security and deletion of CDR data, as well as the accreditation of data recipients. The ACCC published the draft rules for the CDR in the banking sector on 29 March 2019 and is seeking feedback from consumers, businesses and community organisations on those draft rules. The ACCC has not yet published draft rules for the energy sector, but on 25 February 2019, the ACCC published a discussion paper to begin consultation with stakeholders on how to apply the CDR in the energy sector.
The implementation of CDR for the banking industry (referred to as the "Open Banking" initiative) will commence on 1 July 2019.
Overview of the Bill
The Bill provides that the ACCC and the Office of the Australian Information Commissioner ("OAIC") will work together to regulate the conduct of the CDR. Generally, the ACCC is responsible for sector designation, rule-making and accreditation functions. The OAIC is responsible for enforcing privacy safeguards of CDR data.
It is important to note that the CDR gives rights of access to both individuals and businesses. The definition of CDR data is also intentionally broad, including all data that relates to the consumer. Additionally, the regime will equally apply to data created or collected inside or outside Australia.
Accredited Data Recipient
An Accredited Data Recipient ("ADR") is an organisation to which a consumer's data may be transferred following a consumer's request. The legislation contains provisions that allow for CDR rules to be specified as "civil penalty provisions". The provisions create criminal offences for misleading or deceptive conduct that leads another person to believe that a person is entitled to receive CDR data when they are not.
Interaction with Privacy Obligations
The regime incorporates privacy safeguards with which businesses will need to comply that are similar to the Australian Privacy Principles ("APPs"). The APPs expressly do not apply to an ADR in respect of CDR data.
There are some important differences between the two regimes, including that under the CDR:
- The privacy safeguards apply to small businesses.
- The use of CDR data for direct marketing is absolutely prohibited (subject to some discrete exceptions).
- Data holders and ADRs will be required to notify the consumer when they disclose CDR data.
Determining which of the APPs or privacy safeguards apply to particular data will present a challenge for participating organisations, as it will depend on the role of that organisation in the CDR Regime.
Organisations will need to arrange themselves to comply with the requirements of the privacy safeguards in the same way that they are arranged to deal with the APPs. Organisations also subject to the EU General Data Protection Regulation could potentially need to operate three regimes to ensure data is managed in accordance with the applicable obligations.
Three Key Takeaways
- Compliance with the CDR will be overseen by the ACCC and the Australian Information Commissioner. The CDR will create additional obligations on businesses to share CDR data with consumers. However, it will also facilitate competition.
- Compliance with the CDR privacy safeguards is likely to be challenging for companies where compliance with the APPs and possibly other regimes is also required.
- The CDR will initially apply only to the banking and energy sectors but is to be rolled out to apply economy-wide.