A new Consumer Data Right
The Australian Federal Government has issued proposals for a new Consumer Data Right. The right is similar to the right to data portability under the EU General Data Protection Regulation and is intended to give both individual and business consumers greater rights to their own data.
Brief details of the new right are set out below and a detailed report is available here.
Who benefits from the new right?
The proposed Consumer Data Right applies broadly to both individual and business. However, the explanatory materials suggest that only individual consumers and small businesses will have the benefit of privacy protections and dispute resolution processes supporting this new right.
What data is subject to the new right?
The exact types of data falling within the new Consumer Data Right will be specified by legislative instrument. However, the right will likely also extend to information derived from that data, which might even include de-identified or aggregate data.
The concept of 'derived' data is one of the more controversial and surprising aspects of the draft law, as it potentially allows for value-added data to be subject to the right. It also contrasts with the portability rights in the EU General Data Protection Regulation which do not include derived data.
Which companies must transfer data?
The legislation will give the Treasurer of Australia the power to designate sectors of the economy to be subject to the new right. The Australian Competition & Consumer Commission will then develop consumer data rules that will provide more detail relating to:
- the disclosure, use, accuracy, storage, security and deletion of data;
- accreditation of data recipients (see below);
- reporting and record-keeping requirements; and
- any related matters.
The Government has confirmed that it will designate the banking sector first, with the telecommunications and energy sectors to follow in due course.
Which companies can receive data?
In order to give consumers confidence in this new right and to prevent data misuse, companies wanting to receive data must be accredited.
There will be a Data Recipient Accreditor to provide that accreditation, a role initially fulfilled by the Australian Competition & Consumer Commission.
In relation to the banking sector, it is likely that all authorised deposit-taking institutions will be automatically accredited given they are already subject to a rigorous regulatory regime.
When will this happen?
The Government's draft Treasury Laws Amendment (Consumer Data Right) Bill 2018 was issued on 15 August 2018. Consultation on that draft legislation has now ended but consultations on other aspects of this new regime are ongoing. The Treasury has indicated that it intends to release a final form of the legislation around December, with the aim of achieving royal assent in March 2019. This timeframe is ambitious.
The timelines for the first implementation of the regime, open banking, follows a similarly ambitious timeline. The Big Four Banks are expected to be compliant by 1 July 2019, with other authorised deposit-taking institutions (other than branches of foreign banks) being phased in over time. This will be followed in due course by the telecommunications and energy sectors.
A detailed report is available here.
Allens is an independent partnership operating in alliance with Linklaters LLP. © 2018 Allens, Australia