Next regulatory steps taken for Australia’s consumer data right

The Treasury Laws Amendment (Consumer Data Right) Act 2019 (Cth) (CDR Act) was passed by the Australian Parliament on 1 August 2019 and became law on 12 August 2019. The CDR Act amends the Competition and Consumer Act 2010 (Cth) (CCA), and other legislation, to introduce Australia’s statutory consumer data right (CDR) regime. The CDR sets up a framework for the disclosure of specific types of data in nominated sectors of the economy, including:

  • standardised product data – this data must be made available so that any third party, for example a comparison service provider, can more easily compare the products and services offered by different businesses
  • customer data – information held by an entity in a regulated sector about the individuals and businesses that transact with it. For convenience, these groups are referred to in this article as “customers”.

The CDR is being rolled out in stages, starting with the banking sector (known as ‘Open Banking’) from July 2020. Consumer data relating to credit and debit cards, deposit accounts and transaction accounts held with the major banks will be made available from 1 July 2020, with other consumer data to follow over time. The CDR will then be rolled out in other sectors, the next being retail energy.

On 24 February 2020 the Office of the Australian Information Commissioner (OAIC) published its CDR Privacy Safeguard Guidelines (OAIC Guidelines). This marks the next regulatory step in the implementation of Australia’s CDR.

The OAIC Guidelines and the CDR privacy safeguards

The Guidelines closely follow the format of the OAIC’s separate guidelines on compliance with the Australian Privacy Principles (APPs), presumably because the CDR privacy safeguards, now contained in Part IVD of the CCA, are modelled on the APPs.

The OAIC Guidelines are not legally binding, but they nonetheless give businesses clear guidance on the OAIC’s expectations and on best practice for complying with the privacy requirements of the CDR.

The CDR privacy safeguard requirements include the following (far from a complete list):

  • all CDR entities (being accredited data recipients, data holders and designated gateways – essentially those entities which are authorised or required under the CDR regime to collect, use or disclose CDR consumer data) must have a clearly expressed and up-to-date policy about how they manage CDR data. This CDR policy can be incorporated into an organisation’s existing privacy policy or can be a separate policy. Either way, the CDR policy must be underpinned by appropriate internal processes and practices. The OAIC Guidelines give examples of practices, procedures and systems that CDR entities should consider implementing, such as embedding a culture of privacy by appointing a member of senior management to lead on strategy and management of CDR data, appointing officer(s) with day-to-day responsibility for managing and advising on privacy safeguard issues, and implementing appropriate reporting processes on the management of CDR data.
  • informed and express consent from consumers is required. The OAIC Guidelines set out in detail the process and requirements for obtaining consent, together with key concepts such as the data minimisation principle, which limits the data that can be collected and used to only what is reasonably needed to provide the requested goods or services to the consumer.
  • consumers must be provided with a consumer dashboard, an online service through which consumers can view and manage their data requests and consents. The dashboard is a key feature of compliance with the privacy safeguards: for example, consumers must be able to withdraw consent and elect for their data to be deleted once the business no longer needs it. Notification requirements also apply at specified stages when data is shared. All of these functions must be built into the dashboard.
  • accredited data recipients must have an information security policy, as well as other specified controls and processes designed to protect CDR data. The OAIC Guidelines highlight the risks of poor information security and the steps that must be taken to manage the security of CDR data (such as security governance and capability, defining the CDR data environment, formal controls assessment, and managing and reporting security incidents).
  • CDR data must be destroyed or de-identified once it is no longer needed. The OAIC Guidelines explain how to determine whether data is ‘redundant’ and how to decide whether it should be deleted or de-identified.

Businesses should bear in mind that the regulatory framework for the CDR is complex. In addition to taking the Guidelines into account, businesses must comply with the ACCC’s CDR Rules (released earlier in February) and with the technical standards for transmitting consumer data released by Data61 (part of the Australian Government’s CSIRO). Data61 performs the role of the Data Standards Body under the CDR.

A co-regulatory regime

The OAIC’s issue of the Guidelines is a reminder that two regulators have responsibility for the CDR. The ACCC is the lead regulator and carries the bulk of that responsibility – not only for developing the CDR Rules but also, for example, for accrediting potential data recipients who may access consumer data under the regime and for recommending to Government other sectors in which the CDR should be rolled out.

The OAIC’s responsibilities for the CDR, unsurprisingly, relate to privacy. It is also the primary regulator to which consumers may complain. Privacy, and the protection of the information that can be shared under the CDR, is of course a key issue under the regime, and the OAIC is expected to be kept very busy from 1 July 2020, when banking customer data first becomes shareable. Regulatory issues may ultimately arise for which the OAIC and the ACCC are both responsible; each regulator has publicly committed to working closely with the other to ensure their approaches are consistent. That cooperation is supported by information sharing powers and by the ability of each regulator to delegate certain functions to the other.

What’s next for CDR?

2020 will be a big year for CDR.

The ACCC’s consultation on how the CDR Rules can best facilitate participation by third-party service providers (for example, providers acting as intermediaries, or circumstances in which a consumer consents to their CDR data being disclosed by an accredited person to a non-accredited person) closed on 3 February 2020. That consultation will inform draft rules on which the ACCC proposes to consult in March 2020, with a view to finalising them by the middle of the year.

In addition, the ACCC is consulting on the implementation of the CDR in the retail energy sector. The ACCC announced its chosen model for sharing consumers’ data in August 2019, following a discussion paper published in February 2019. Under the model proposed for this sector, the Australian Energy Market Operator (AEMO) will act as a gateway and, when authorised by the consumer, provide data on the consumer’s current electricity arrangements from their current provider to trusted third parties. The ACCC is developing rules to accommodate energy-specific arrangements, including appropriate authorisation and authentication models, and will consult on them in due course.

The government itself is also undertaking further consultation on the CDR. Although the CDR rollout is only in its infancy, in January 2020 the Australian Treasurer announced a new review of the CDR to determine how it can further support innovation and competition. It seems very likely that the review’s recommendations will result in enhancements to the regime. For example, one of the review’s tasks is to look at how the CDR may be used to overcome behavioural and regulatory barriers so that consumers can switch more easily between products and providers. Although a further review in 2020 may seem premature, it indicates the importance the government places on the CDR and the benefits it may bring to Australians and the Australian economy. Even businesses in sectors outside those targeted for the CDR in the short term should already be considering how they (and their customers) may benefit from it.