After approval in the Senate on 1 August 2019, the Consumer Data Right (CDR) Bill has been passed in both houses of parliament. Based on consumer choice in the context of data, the CDR has, at its heart, an increase in competition flowing from a person’s right to control their data.

The ‘Big Four’ banks have already voluntarily implemented the CDR in relation to certain product data available on credit and debit card, deposit and transaction accounts, and must provide access to data related to mortgage accounts by 1 February 2020. The CDR will also be implemented in the energy and telecommunications sectors, followed by other sectors that are yet to be determined.

The CDR is not just relevant to businesses in the sectors noted above, however – all businesses that collect and handle consumer data should familiarise themselves with key aspects of the CDR.

As Australia reforms its privacy regime in a manner that reflects aspects of the European General Data Protection Regulation (GDPR), the CDR is likely to be used as the mechanism to achieve data portability across a range of sectors.

Essentially, the CDR empowers customers to access and use data that businesses hold about them. Consumers can obtain their data held by third parties for themselves, or authorise the secure sharing of their data with accredited third parties (such as comparison services that provide consumers with tools to make more informed choices).

Who does the CDR apply to?

The four key players in the CDR system are:

  1. Data holders. Data holders are entities within a particular class of persons who hold CDR data within a prescribed class of information.
  2. Accredited data recipients. Accredited data recipients must be licensed to receive data through the CDR system.
  3. Designated gateways. Designated gateways are responsible for facilitating the transfer of information between data holders and accredited persons.
  4. Consumers who exercise the rights under the CDR. CDR consumers are identifiable or reasonably identifiable persons, including a business enterprise, to whom the CDR data relates because of a supply of a good or service to the person.

The principle of ‘reciprocity’ applies to accredited data recipients. Under this principle, accredited data recipients can also be classified as data holders for certain data (e.g. where they provide similar services to an entity listed in the designated class), meaning they will be required to share data with other recipients. Organisations that wish to become accredited recipients in order to improve their particular customer service offerings should be aware of their obligations as data holders under this principle. This principle creates a network of back-and-forth sharing between all entities within the CDR system, creating greater opportunities for consumers.

Given that organisations also qualify as ‘consumers’, businesses (especially those entities that maintain large data repositories) should contemplate the ways in which they might take advantage of their data rights. Equally, since large organisations may request transfers of their data, and given the costs and infrastructure required to carry out such transfers, businesses should be aware of the need to facilitate potentially significant transfers of data.

What data does it apply to?

Only data that qualifies as ‘Consumer Data’ may be transferred under the CDR system. Data will only be considered Consumer Data if it is:

  • data generated or collected in Australia by an Australian person; or
  • data generated or collected by an Australian person and the data relates to an Australian person or products/services offered to an Australian person.

‘Consumer Data’ includes all types of data that meet the above requirements, not just personal information. Businesses will need to take steps to identify and categorise the various datasets which fall under the CDR system.

It may also comprise the following types of data:

  • Data under designation instruments. The CDR only applies to data that has been specified under a designation instrument (e.g. product data available on credit and debit card, deposit and transaction accounts). As noted above, the CDR will be rolled out across relevant sectors in stages, and businesses may have an opportunity to take incremental steps to uplift their systems, depending on the approach adopted under each sector’s designation.
  • Third party data. It is possible that third party datasets could fall within the definition of ‘Consumer Data’, as entities commonly collect information about their consumers from third party providers. If such information is subject to proprietary restrictions or confidentiality arrangements, data holders could be requested to share information for which they have no contractual right to disclose. Businesses should be alert to this potential conflict if engaging third party data providers that limit the use and disclosure of the relevant data.
  • Derived data. CDR data includes data that is ‘directly or indirectly derived from other CDR data’, meaning that data which has been transformed in the hands of the data recipient or data holder is subject to the regime. This means that where an organisation takes steps to create unique insights about data in relation to a consumer, they may be required to share those insights under the CDR system.

This issue was raised by a number of organisations as part of the CDR consultation process, and as a result, data that has been materially enhanced (e.g. data whose value has largely been generated by the actions of the data holder) will not be subject to disclosure with regards to the first tranche of banking data. Instead, only collected data (e.g. raw transaction data) and immaterially derived data (e.g. fees charged, calculated account balances and interest accrued on accounts) are subject to the CDR. However, the issue needs to be addressed on a sector by sector basis.

  • Chargeable data. Organisations may charge fees for the use and disclosure of certain datasets, to be determined by the regulator. In determining whether data is ‘chargeable’, the regulator must consider whether:
    • the data includes intellectual property or would be an acquisition of property;
    • organisations currently charge fees for disclosing data;
    • the incentive to generate data would be reduced; or
    • the marginal cost of disclosure would be significant.

This clearly contemplates the situation in which value-added data is designated under the CDR system and attempts to provide organisations with compensation for data which they transform for commercial purposes. However, chargeable data is subject to various restrictions and organisations should be aware of how their current costing structures will be affected.

Privacy safeguards

The consumer data rules establish privacy safeguards which are additional privacy protections offered to consumers, enforced by the Office of the Australian Information Commissioner (OAIC). These safeguards provide consumers with avenues to seek remedies for breaches of their privacy or confidentiality (including access to internal and external dispute resolution and direct rights of action), and also establish obligations to provide anonymity and pseudonymity to consumers, and destroy or de-identify redundant data.

Organisations will need to be aware of the intersecting relationship between the privacy safeguards and the Australian Privacy Principles (APPs):

  • For data holders, some of the privacy safeguards apply alongside the APPs, whilst others do not apply.
  • For accredited data recipients, the privacy safeguards will largely substitute the APPs but only in respect of CDR data.
  • For accredited persons, the two regimes apply concurrently but with the more specific privacy safeguards prevailing.

The implementation of privacy safeguards as an additional set of privacy obligations was met with criticism through the public consultation process. In particular, there was significant concern regarding the multiplicity of obligations that data holders and data recipients would be subject to under the CDR, the APPs and, for entities operating in the EU, the GDPR.

The overlapping application of these regimes will mean that organisations may need to consider segregating their data into specific categories so that the various regulatory requirements under each can be managed and complied with.

All organisations that collect and handle consumer data should monitor the implementation of the CDR across the banking, energy and telecommunications sectors and consider the practical measures that can be implemented in order to future-proof their own operations (including accurately auditing and categorising existing, and potential future, data assets).