On 15 August 2018, the Australian Federal Government released the exposure draft of the Treasury Laws Amendment (Consumer Data Right) Bill 2018 (the Bill) providing for the `Consumer Data Right' (CDR). The Bill intends to provide a framework to enable consumers and businesses to access certain data held in relation to them by businesses, and to direct datasets to be transferred either to themselves or to accredited third parties.
The introduction of the CDR follows the Productivity Commission's Report on Data Availability and Use published in May 2017 and the Review into Open Banking report dated December 2017 (which recommended that Open Banking be implemented within a broader CDR framework). The Bill proposes to introduce a new Part IVD to the Competition and Consumer Act 2010 (Cth), and associated changes to the Australian Information Commissioner Act 2010 (Cth) and the Privacy Act 1988 (Cth) (the Privacy Act).
The Bill intends to implement the CDR on a sector-by-sector basis, starting with the banking sector. The CDR is expected to apply to the four major national Australian banks from 1 July 2019. For the banking sector, there is also the proposed introduction of mandatory comprehensive credit reporting.
Following on from the banking sector, the CDR is to be implemented in other sectors of the economy, including the energy and telecommunications sectors. Given the impact of the CDR on data handling practices and the intention to expand the reach of the CDR over time, organisations both within and outside of these sectors are encouraged to consider and make submissions in respect of this Bill.
Public submissions on the Bill are open until 7 September 2018.
Key features of the Bill include:
- a new regulatory framework that gives consumers control of their consumer data (i.e. by enabling consumers to direct the `data holder' to transfer their data to other accredited entities including other banks, telecommunications and energy providers);
- a new set of `consumer data rules' will be designated by the Australian Competition and Consumer Commission (ACCC) for each of the banking, energy and telecommunications sectors in order to tailor how the CDR applies in these sectors;
- the CDR will incorporate a variety of privacy safeguards that provide an enhanced level of protection to consumer data. It is not yet entirely clear how these privacy safeguards will interact with the Privacy Act, however they will apply in respect of types of information not currently covered by the Australian Privacy Principles in the Privacy Act; and
- the ACCC will be responsible for oversight over the new CDR (i.e. the details of the `consumer data rules', how and who consumer data can be shared with) and the Office of the Australian Information Commissioner (OAIC) will be responsible for handling the complaints concerning the privacy of individuals and confidentiality of businesses under the CDR framework.
The introduction of the CDR is likely to have a significant impact on organisations in regulated sectors that hold `consumer data'. In particular, the scope of a `consumer' has been expanded to include large businesses together with individuals, small and medium business. Also, the scope of `consumer data' broadly includes not only raw data but information subsequently derived from that data (e.g. such as other value added or aggregated data sets).
It remains to be seen how this will apply from a practical perspective given that the type of data to be subject to the CDR will be determined on a sector-by-sector basis through the `consumer data rules' to be made by the ACCC. As such, the `consumer data rules' for each sector will ultimately determine the scope of data to which the CDR applies and the privacy safeguards which organisations in that sector will need to implement to protect that data.
The Federal Government is currently conducting roundtables in various Australian capital cities as part of the public consultation process.
The CDR aims to give consumers (both individuals and businesses) greater ability to access and control their data, with consumers initially having the ability to access their banking, energy and telecommunications data. However, for many organisations, the Bill will raise concerns as to the scope of data that is subject to the CDR framework and measures that will need to be implemented in order to comply with the new privacy safeguards which are in addition to the existing requirements of the Privacy Act.