The Exposure Draft Treasury Laws Amendment (Consumer Data Right) Bill 2018 (Cth) (Draft Legislation) sets out the proposed regulatory framework for the new CDR. The new legislation provides a framework within which consumers can access certain data held about them by various service providers. The regime is due to come into effect on 1 July 2019 for the 'big four' banks with the energy and telecommunications sectors to follow.
Consumers and businesses can expect to gain more control over their data that is held by organisations in designated sectors of the economy, to enable them to more effectively choose where to take their custom and business.
Participants in the banking, energy and telecommunications sectors need to be aware of, and prepare for, these changes. However, the CDR will eventually apply to business across all designated sectors that hold consumer data.
Impact on banks and other financial institutions
Banks and other financial institutions should be aware of the deadlines for implementation of the CDR – 1 July 2019. Those organisations should already be considering the proposed framework and, in broad terms, how compliance arrangements will be implemented (based on what we know so far). Those organisations who wish to be Accredited Data Recipients (ADRs) should also be considering how to meet the accreditation requirements. Internal preparations may include identifying relevant consumer data, uplifting current privacy and data management frameworks to meet the new privacy and data security standards, developing consumer consent forms, and reviewing arrangements with vendors who might handle the consumer data.
Impact on energy and telecommunication industries
The Federal Government has already flagged that the energy and telecommunications industries are likely to be the next sectors to be designated after the banking sector. Organisations within these sectors should also be taking steps to understand the data sets they hold that could be subject to the CDR, as well as the status of their current data protection compliance and arrangements generally. These organisations may also wish to involve themselves in the consultation processes.
Further information about the CDR can be found in our earlier update, The Consumer Data Right – opening data access to drive competition, which discusses the announcement of a framework for the CDR, and in Empowering consumer choice – ACCC to regulate the Consumer Data Right.
Next steps for the CDR
The Bill creating the CDR laws is expected to be introduced into Parliament in November/December this year. Following that, the ACCC expects to release the draft CDR Rules. The ACCC anticipates the Bill will pass in early 2019, with the final CDR Rules following that. Important dates that are worth noting:
- 1 July 2019: Version 1 of the CDR expected to commence via phased implementation for the 'big four' banks in respect of data about credit and debit cards, deposit and transaction accounts
- 1 February 2020: CDR expected to extend to mortgage products, including joint accounts, for the 'big four' banks
- 1 July 2020: implementation of CDR regime for remaining ADIs and all data
Following this, the CDR will be implemented for the energy and telecommunications sectors, though the timing is unknown.
Key concepts of the draft legislation
The regulatory framework for the CDR will be incorporated into the Competition and Consumer Act 2010 (Cth) (CCA) by the Draft Legislation.
Oversight of the CDR will be split between the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC).
Some of the key concepts in the Draft Legislation are as follows.
The proposed definition of 'CDR data' in the Draft Legislation is broad and includes information within a class of information in a designation instrument, extending to information wholly or partly derived from this information. The Draft Designation Instrument proposes to cover customer-provided data, transaction data, and product data. Examples of the kinds of data that are proposed to be designated are set out below.
While Treasury has attempted to restrict the application of 'derived data' in the second version of the Draft Legislation by including a requirement that information must be 'wholly or partly' derived from data specified in a designation instrument, concern remains that the definition of CDR data is still very broad. It is therefore unclear to what extent derived data could extend to data that has been materially enhanced or manipulated by data holders.
The definition of consumer is expansive, being a person who is identifiable, or reasonably identifiable, to whom CDR data relates because of a supply of a good or service to the person or their associate. This is broader than the definition under the CCA as it includes business consumers as well as individuals. According to the Explanatory Memorandum, data that 'relates' to a person is broader than the definition of personal information in the Privacy Act, because it includes information such as meta-data, an identifier or information about their use of a product.
Treasury has indicated that only consumers receiving goods or services from a data holder are intended to benefit from the CDR. However, the definition of a CDR consumer can be narrowed on a sector-by-sector basis, so most large businesses that will benefit from open banking may not always fall within the definition for other industry sectors.
The geographic reach of the CDR is also extensive, applying not only to CDR data generated or collected in Australia, but also CDR data generated or collected outside Australia by or on behalf of a company registered under Parts 21.2 or 5B.1 of the Corporations Act or an Australian citizen or permanent resident.
Accreditation process for ADRs
A Data Recipient Accreditor (DRA), currently the ACCC, will accredit individuals and businesses to receive CDR data based on specific criteria to be included in the ACCC's Rules. The current proposal for these criteria requires prospective ADRs to show that they:
- are a fit and proper person;
- have appropriate systems, resources and procedures to comply with the CDR framework;
- have appropriate insurance;
- have appropriate internal dispute resolution procedures in place; and
- are a member of an external dispute resolution body (for the banking sector, this is the Australian Financial Complaints Authority).
The Draft Legislation includes a number of 'Privacy Safeguards' which set minimum standards for privacy protection in relation to CDR data. These privacy standards adopt the same structure as the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) (Privacy Act). Each APP will have a corresponding (but more restrictive) privacy safeguard (except for APP12 Access to Personal Information).
Depending on whether an organisation is a data holder, an ADR or is a reciprocal or receiving data holder also, different privacy safeguards will apply in addition to or in place of the APPs.
In addition to being more onerous, the privacy safeguards are broader than the APPs, because they apply to all data designated as 'consumer data', not only data relating to identifiable individuals. The privacy safeguards will also bind all data holders and ADRs, even if they are currently not regulated by the Privacy Act.
The Draft Legislation indicates that a failure to comply with any of the privacy safeguards may attract a civil penalty. In contrast, the Privacy Act has more limited civil penalty provisions in relation to credit information and for repeated or serious breaches of the APPs.
Treasury has clarified, in the second exposure draft of the Draft Legislation, that the privacy safeguards will apply in place of the APPs to all ADRs in relation to CDR data that they hold.
However, only the following privacy safeguards (PS) will apply to data holders:
- PS10 – notification of disclosure
- PS11 – quality of CDR data
- PS13 – correction of CDR data
In addition, these privacy safeguards will only apply to a data holder after a disclosure request has been made, and only in respect of the specific set of data requested to be transferred. Otherwise, the APPs (under the Privacy Act) will apply to the data holder.
Data recipients are considered to be data holders in relation to CDR data they have collected directly from consumers or generated internally.