Last month, the Federal Government made public the Productivity Commission’s (PC) final Data Availability and Use Inquiry Report (the Report). In this Report, the PC has called for the wholesale reform of Australia’s existing data frameworks, urging a rethink of the role played by consumers in the ‘data-supply chain’ and the introduction of new rules to inspire confidence and transparency in data processes. The Government has established a taskforce to respond to the Report and, as part of the 2017 Budget, announced that it was moving to introduce an “open banking regime” from 2018.
Our detailed update below explains the key recommendations in the Report and considers what this may mean for competition policy more broadly.
Competition policy on the digital frontier – why does it matter?
The importance of data to the modern economy was neatly described in a recent edition of The Economist:
“Data are to this century what oil was to the last one: a driver of growth and change. Flows of data have created new infrastructure, new businesses, new monopolies, new politics and – crucially – new economics. Digital information is unlike any previous resource; it is extracted, refined, valued, bought and sold in different ways. It changes the rules for markets and it demands new approaches from regulators. Many a battle will be fought over who should own, and benefit from data.”
Anxieties about data are not limited to traditional concerns around privacy and security (though these concerns are, evidently, real). Data also represents an acute challenge to competition policy and the business-as-usual approach of regulators. For example, sufficient volumes of high quality data potentially may be a source of market power – a challenge, in particular, for merger control regulations. The risk that other kinds of anticompetitive conduct could be carried out by companies in possession of unrivalled datasets or sophisticated algorithms, has further prompted regulators and policy makers around the world to revisit existing frameworks.
Faced with such challenges, it can be tempting to view data solely as a risk to be managed. However, we consider it more appropriate to consider data as an asset capable of generating significant value for the original data-holder, as well as the consumer and other third parties. The data held by businesses and government in Australia is indeed a very valuable asset and, if implemented appropriately, measures to enhance its availability may have a positive impact for consumers and the broader economy.
It has been suggested that key benefits of a competition policy that encourages data availability and use may include:
- more informed consumer choices, boosting competition between service providers based on the customer’s actual consumption patterns and requirements; and
- greater opportunities for innovation, potentially including downstream innovation beyond that directly attributable to the data (for example, greater access to health data could assist researchers to identify factors contributing to illness and lead to the development of safer, more effective treatments).
The Productivity Commission has proposed an economy-wide framework for data access and use
A Comprehensive Right for consumers …
Central to the PC’s proposed framework is the introduction of a new “Comprehensive Right” for active digital data use by Australian consumers (Recommendation 5.1).
The Comprehensive Right is proposed to be an economy-wide measure applicable to all private sector businesses, not-for-profit organisations and government agencies in Australia; no industry would be exempt. Its availability would also extend beyond individual consumers (small to medium sized businesses with annual turnover under $3 million would be classified as consumers for the purposes of the Comprehensive Right).
... to access and use …
The Report recommends that the Comprehensive Right provides consumers with the capacity to exercise greater control over their data, embodying the following five specific rights:
- The right for consumers to access a copy of their data;
- The right for consumers to request edits or corrections to their data for reasons of accuracy;
- The right for consumers to instruct the direct holder of their data to copy it into a machine-readable form, and either provide it to the consumers directly or to a nominated third-party;
- The right for consumers to be informed about the trade of any element of their data to third parties; and
- The right for consumers to be advised of disclosures of their data to third parties.
While the proposed reforms represent a step-change in thinking about consumer data, the Comprehensive Right does not mean that consumers would have any new capacity to assert ownership over their data. In Australia no one ‘owns’ data, and the PC preferred a model based on rights capable of being balanced against competing interests, rather than attempting the difficult task of untangling data from overlapping copyright laws.
... their consumer data
The Report recommends a broad, outcome-based definition of “consumer data” – that is, as an overarching objective, data that is sufficient to enable the provision of a competing or complementary service for product a consumer (Recommendation 5.2).
Importantly, the Comprehensive Right applies only to digital consumer data. That is, businesses and other entities would not be required to digitise paper records in order to supply consumer data. Further, data that is not able to be re-identified to a consumer in the “normal course of business” by a data holder would not be considered consumer data for the purposes of the Comprehensive Right.
At its broadest, the definition of consumer data would include, in machine-readable format, all: 
- personal information (as defined in the Privacy Act 1988 (Cth)), that is in digital form;
- information posted online by the consumer;
- data curated from consumers’ online transactions, internet-connected activity, or digital devices;
- data purchased or obtained from a third party that is about the identified consumer; and
- other data associated with transactions or activity that is relevant to the transfer of data to a nominated third party.
Acknowledging that the costs and benefits of the Comprehensive Right may vary considerably across different sectors, the Report proposes that industry participants should be involved in determining the exact definition of consumer data relevant to their particular industry. Industry members would also be given the opportunity to reach agreement on the appropriate data transfer mechanisms and security protocols, and the requirements necessary to authenticate a consumer request prior to any transfer of data.
Once established, the industry-agreed definition of consumer data and related protocols – or ‘data-specification agreements’ – would be registered with the ACCC, whose role it would be to assess whether that agreement was consistent with the broad outcome-based definition. If a data-specification agreement was not reached in an industry, all data referred to in the broad default definition would be required to be provided to a consumer in the event of a request. The ACCC may also offer interim approval where an industry agreement has been reached but other industry agreements have been prioritised for approval.
A technology agnostic approach
It is notable that the PC has taken a technology agnostic approach toward facilitating what it considers to be the important ‘data transfer right’ of consumers.
Taking financial services as an example, the Report considers the benefits and detriments of an approach that would involve the mandatory use of Application Programme Interfaces (APIs) to enable the sharing of bank held consumer data to third parties. In its Report the PC stated its “strong desire to avoid locking in a particular technology”, noting that so long as the data is transferred in a machine-readable format, industry should be free to determine how the data is transferred.
New responsibilities proposed for the ACCC
The proposed consumer data access model would require governance and oversight primarily from the ACCC, including the following new responsibilities:
- approving and registering industry data-specification agreements and standards;
- handling complaints arising from data holders’ failure to meet the Comprehensive Right;
- assessing the validity of any consequential charges levied by data holders; and
- educating consumers in relation to their rights and responsibilities under the new system.
The Office of the Australian Information Commissioner (OAIC) would continue to have overall responsibility for privacy compliance and enforcing privacy complaints. Together with any relevant industry ombudsmen, the OAIC would also coordinate closely with the ACCC to ensure a ‘no wrong door’ approach to consumer engagement (Recommendation 5.4).
What the Government has announced
The Department of the Prime Minister and Cabinet has announced the establishment of a Data Availability and Use Taskforce (Taskforce) to prepare the Government’s response to the Report. The Taskforce expects to operate for 4 to 6 months to deliver a Cabinet Submission that seeks the Government’s agreement to a negotiated whole-of-government response to the Report (including Commonwealth, State and Territory governments).
In addition, two days after the release of the Report in this year’s Federal Budget, the Government announced that it was moving to introduce an “open banking regime” from 2018, intended to “give customers greater access to their own data, empowering them to seek out better and cheaper services”. Just what data is intended to be captured by the open banking regime is not yet clear. It is also unclear whether the use of APIs for transferring data will be mandated or if a technology agnostic approach will be adopted.
Treasury has been allocated $1.2 million to conduct an independent review regarding the implementation of the open banking regime, with the report due at the end of 2017. Potentially, this may coincide with the release of an Exposure Draft of the Taskforce’s Cabinet Submission to the Government.
In considering the gravity of reforms concerning access to and control over consumer data, it is clear that politically motivated decision-making should be avoided, including, for example, sector specific regulation. The consequences that would flow from a serious security failing or breach of privacy would be disastrous for consumer confidence in digital services, and the magnitude of the negative impact on the economy would be significantly greater than the positive impact potentially arising from opportunities for enhanced competition and innovation.
Equally, there is a risk that hastily implemented reforms could have a “chilling effect” on Australian businesses who, when faced with greater compliance costs and new regulations, may prefer to defer or cancel new investments. In our view, this is a compelling reason for extensive consultation and education prior to the introduction of the Comprehensive Right, which may require an extension to the PC’s proposed timeline for the introduction of new legislation by the end of 2018.