On 9 May 2018, the Australian Government announced its plans to create the Consumer Data Right (CDR) in Australia.
The CDR is a regulatory scheme which confers a right on consumers to access their personal data as held by businesses and authorise access to their data by accredited third parties. This was intended to give consumers more control of their consumer data, improving their ability to compare and switch between products and services.
On 15 August 2018, the government released a consultation draft of the new legislation which will introduce the CDR – the Treasury Laws Amendment (Consumer Data Right) Bill 2018, with the consultation period having finished on 7 September 2018.
The ACCC is responsible for developing the rules, framework and accreditation scheme to govern its implementation. The scheme is set to begin its application in the banking sector under the Open Banking regime from 1 July 2019 onwards and it will likely be rolled out in the telecommunication and energy sectors over time.
While the ACCC will be the primary regulator for the CDR, it will act in conjunction with the Office of the Australian Information Commissioner (OAIC), with the latter taking the lead in relation to protection of privacy and confidentiality and compliance with the CDR privacy safeguards.
On 12 September 2018, the ACCC released its CDR Rules Framework, setting out the parameters it proposes to adopt in establishing rules for the Open Banking regime, with a consultation period until 12 October 2018.
What kind of data is covered?
The kinds of data subject to the CDR in each field will be specified by the Treasurer. In the Open Banking context, this is proposed to include information about credit and debit cards, deposit and transaction accounts, mortgages and other financial products.
Who does it apply to?
The three main parties within the CDR scheme are:
- CDR Consumer: Individuals and businesses which are reasonably identifiable from the CDR data;
- Data Holders: Entities to which the CDR scheme applies who have collected, generated or held CDR data. In the banking sector, this includes all Authorised Deposit-taking Institutions (ADIs); and
- Accredited Data Recipients: Persons and businesses with the appropriate accreditation to receive CDR data. Accreditation will be given based on a set of sector-specific criteria under the ACCC Consumer Data Rules.
How will it apply?
The CDR will deal with privacy and data collection through the following mechanisms:
- Consumer Data Rules: Rules will be developed by the ACCC to govern aspects such as disclosure, use and storage of CDR data, the accreditation of data recipients and reporting and record keeping requirements;
- Data Standards: A Data Standards Body will be tasked with developing technical standards dealing with matters such as format, transfer and security which will be enforceable by the ACCC; and
- Privacy Safeguard Rules: Obligations will be imposed on data holders and accredited data recipients to comply with a set of privacy safeguard rules to ensure a minimum level of privacy protection for the CDR scheme.
While the creation of the CDR proposes to give consumers greater control of their personal data and promote competition between service providers, it is also likely to increase costs and regulatory burdens on organisations within sectors subject to this right. Businesses and entities which fail to comply with the new rules and privacy safeguards may incur civil penalties under the CDR scheme or be subject to additional penalties which may be specified in the Consumer Data Rules to enforce the scheme.
With the banking sector to be the first industry subject to the CDR, financial institutions will shortly need to ensure that they are in a position to provide data to consumers on request and in accordance with the rules specified. Businesses should also consider whether the proposed data portability will assist them in offering new services to current and prospective customers.
If you have any queries on how the CDR scheme might affect your business, please feel free to contact a member of our IP, Technology & Media or Privacy, Data Protection & Cyber Security teams to discuss possible solutions and next steps.
This article was written by Luke Dale, Partner, James Moore, Partner and Stephanie Leong, Law Clerk.