It appears the COVID-19 pandemic even has the ability to slow the inexorable march of the Consumer Data Right (CDR) regime in Australia. Last month, the Australian Competition and Consumer Commission (ACCC) announced that it was granting temporary exemptions to financial service providers who would otherwise be required to share product data under the regime by 1 July this year. The exemptions will last until 1 October and apply to non-major authorised deposit institutions, including non-major banks, building societies, credit unions and non-primary brand products of the major banks. Despite the postponement in another CDR milestone, as the financial services industry slowly but inevitably embarks on the implementation of the CDR, participants in the regime should be aware of the implications of the privacy and confidentiality obligations in relation to the handling of “CDR data” which, in many respects, go beyond the Privacy Act 1988 (Cth) (Privacy Act).
Last year, we reported on regulatory amendments establishing the CDR, a new set of rights and obligations that provides CDR consumers a right to access specified data that businesses hold about them, and control the disclosure of that data to certain accredited third parties (known as ‘Accredited Data Recipients’ or ADRs). The banking sector is the first industry to be covered by the CDR through the Open Banking regime, before an intended roll out of the CDR across other industries.
In this article we focus on the privacy and confidentiality rights and obligations under the CDR, and how they expand on and interplay with existing privacy laws. Our more general overview sets out how the CDR operates in the Open Banking context, including its scheduled implementation and the process for requesting and executing data requests.
The CDR regime establishes, in Division 5 of Part IVD of the Competition and Consumer Act 2010 (Cth) (CCA), a set of legally binding privacy and confidentiality rights and obligations in relation to “CDR data” through a set of principles known as the “Privacy Safeguards”. There are 13 Privacy Safeguards, which are supplemented by a set of rules (the CDR Rules) which outline what is needed to comply with each Privacy Safeguard.
The CDR is designed to make it easier for businesses and individuals to gain access to their CDR data, while the Privacy Safeguards impose strict obligations on participants in the regime (particularly ADRs) as to how they can use and disclose CDR data. Generally, the Privacy Safeguards apply in respect of an entity’s handling of CDR data instead of the Privacy Act and the Australian Privacy Principles (APPs). The privacy protections under the CDR are stronger than that available under the APPs and the Privacy Act. This is because:
- the Privacy Safeguards cover a broader range of data than ‘personal information’ under the Privacy Act;
- the Privacy Safeguards impose more onerous obligations in some respects than the equivalent APP; and
- a breach of the Privacy Safeguards is subject to the more extensive rights and remedies available under the CCA than are currently available under the Privacy Act.
CDR data covered by the Privacy Safeguards
The Privacy Safeguards apply to CDR data (that is data that relates to one or more CDR consumers). Where no consumer is identifiable (or reasonably identifiable) from CDR data, the Privacy Safeguards do not apply.
In Open Banking, CDR data can be generally divided into the following categories:
- Customer Data: Information that identifies or is about a consumer (e.g. an individual or business name);
- Account Data: Information that identifies or is about the operation of the account (e.g. account number, balance, authorisations)
- Transaction Data: Information that identifies or describes the transaction (e.g. the date of the transaction, amount credited/debited)
- Product Specific Data: Information that identifies or describes the product (e.g. product type, name, standard price and features etc.).
Customer data, account data and transaction data are types of CDR consumer data to which the Privacy Safeguards apply. Product data may also be CDR consumer data where that product data has been negotiated individually with a particular consumer. Where the product data does not relate to a specific consumer (such as standard product prices or features) it is not considered CDR consumer data to which the Privacy Safeguards apply.
Importantly, unlike the APPs, the privacy protections afforded through the Privacy Safeguards apply to CDR data of all CDR consumers who are identifiable, or reasonably identifiable, from the CDR data, including that of businesses as well as individuals. In comparison, the Privacy Act only captures personal information in respect of which an individual is identifiable or is reasonably identifiable – it is not applicable to information from which a business is identifiable.
Scope of the Privacy Safeguards
There are 13 Privacy Safeguards that are structured to follow the data lifecycle, and largely mirror the equivalent APP. However, there are some important differences where the obligations under the Privacy Safeguards are stronger than that under the equivalent APP.
Source: ‘A Guide to Open Banking’.
Examples of the increased strength of the Privacy Safeguards compared to the equivalent APP are:
- The collection of CDR data requires express consent, and unsolicited CDR data must be destroyed under the CDR regime. Privacy Safeguard 3 (PS 3) prohibits an ADR from seeking to collect CDR data unless it is in response to a valid request. This means that PS 3 requires express consent from consumers for the collection and use of their CDR data. Privacy Safeguard 4 requires CDR data collected otherwise than in accordance with PS 3 to be destroyed as soon as practicable. Conversely, under APP 3 an entity can collect personal information (other than sensitive information) if the information is reasonably necessary for one or more of the entity’s functions. That is, it can be collected without consent so long as it is not sensitive information. Where consent is required because the information is sensitive, consent may also be express or implied under the Privacy Act.
- CDR data must only be used for the purpose for which the express consent was provided. Once collected, Privacy Safeguard 6 (PS 6), prevents an ADR from disclosing or using CDR data unless it is in response to a valid request. By comparison, APP 6 allows for the use of personal information for purposes other than the primary purpose of collection, provided the alternative purpose would be reasonably expected and related to the primary purpose. This principle similarly applies to direct marketing, where the ‘reasonable expectation’ exception available under APP 7 is not available under the equivalent Privacy Safeguard 7.
- PS 6 also requires an ADR to keep a written record of any disclosure in response to a valid request. There is no requirement to keep a record of disclosure under APP 6.
Generally, small businesses - that is, those that have an annual turnover of $3 million or less - are not bound by the Privacy Act. However, under the CDR regime, ADRs that are small businesses will be subject to the Privacy Act in respect of personal information (which is not CDR data). This means that all ADRs (regardless of size) will be required to treat personal information that is not CDR data in accordance with the Privacy Act. In respect of CDR data, the Privacy Safeguards will apply.
The mandatory data breach notification provisions in the Privacy Act also apply to CDR data held by ADRs.
For organisations looking to fully understand all the privacy implications of the Open Banking regime, the Office of the Australian Information Commissioner (OAIC) has released the Privacy Safeguard Guidelines. Earlier this month, the ACCC and the OAIC also jointly released the Compliance and Enforcement Policy for the CDR. The Policy outlines the approach that the ACCC and the OAIC will adopt to encourage compliance with, and address breaches of, the CDR regulatory framework.
Consequences of breach
A significant consequence of the CDR being enacted under the CCA is that breaches of the Privacy Safeguards will attract the remedies under the CCA. A summary of how the rights and remedies compare under the CCA and Privacy Act are set out in the table below. As can be seen, the risk exposure of handlers of CDR data is greatly increased under the Privacy Safeguards than the APPs, not only in terms of the maximum penalties but also the availability of making direct claims by consumers (being a broader set of potential claim makers than under the Privacy Act).
Last year, amendments were floated to the Privacy Act which, once enacted, would increase the penalties for misuse of personal information under the Privacy Act in line with the civil penalty provisions under the CCA regime. There is no current draft legislation before parliament in relation to these amendments.
In 2018-19, the finance industry was subject to 418 privacy complaints, representing 13% of total privacy complaints and a 5% increase on the figures from 2017-18 (OAIC Annual Report 2019-2019). These complaints were made in relation to the handling of personal and sensitive information governed by the APPs. Of those complaints, almost 30% related to the use or disclosure of personal information (APP 6). Given the finance industry has been subject to the highest number of privacy complaints under the existing APPs, it remains to be seen what impact the impending roll-out of the CDR and Open Banking will have on the management of data and other privacy considerations in that industry moving forward. CDR participants will need to determine and manage which APPs or Privacy Safeguards apply to data they collect and hold at different times, and decisions made as to whether to ring-fence CDR data from other personal information that an entity collects and holds about its customers or apply the higher and more onerous standards of the Privacy Safeguards across the board.