On 29 March 2019, the Australian Competition and Consumer Commission (ACCC) released the Exposure Draft for the Consumer Data Right (CDR) draft rules for the Banking sector. As reported in previous editions of Legal Bytes, the CDR is an Australian reform announced back in May 2018 which will allow consumers to require a company (such as their bank) to share their data with another accredited service provider in order to receive more tailored, competitive services.
Under the draft rules, there are three ways to request CDR data:
1. Product Data Requests
Any person may request that a data holder disclose CDR data that relates to products offered by the data holder.
2. Consumer Data Requests made by CDR Consumers
CDR consumers may directly request that data holders disclose CDR data that relates to them. The request is made using a specialised online service provided by the data holder.
3. Consumer Data Requests made on behalf of CDR Consumers
CDR consumers may ask an accredited person to request that a data holder disclose CDR data that relates to the consumer. This data is disclosed to the accredited person in machine-readable form. Under the data minimisation principle, the accredited person may only collect and use CDR data in order to provide goods or services under a CDR contract with the CDR consumer.
Initially, the rules will only apply to the banking sector in relation to certain products. They will apply to a progressively broader range of data holders and products in the future. The rules also outline what minimum information security controls must be in place to limit the risk of inappropriate or unauthorised access to a CDR data environment, including multi-factor authentication, unique IDs, limited physical access, encryption and security patching requirements.