The establishment of a Consumer Data Right (CDR) marks a critical moment in the Australian data economy. This means that there’s a lot of work for businesses to do to understand the right and get ready to implement it – but there’s also significant scope for industry to influence the implementation process, and new opportunities for leveraging data sharing in ways that meaningfully benefit your business.
The exponential growth in digitised data, increases in computing power and the recognition of data as a critical asset are all reasons why governments globally are increasing their regulatory focus on data. In May 2018 the Australian Government released its response to the Open Banking Review and confirmed the introduction of a consumer data right (CDR) and a framework for its implementation. The move is set to allow for greater innovation in the designated sectors and give consumers greater control by allowing data to be safely shared with accredited, trusted recipients, such as comparison websites.
The framework will begin with bank data and then be extended to telecommunications and utilities. The Australian Competition and Consumer Commission will be responsible for an accreditation regime which would require data recipients to be “fit and proper”, to have “effective” risk systems to protect information and privacy, and to take out insurance to cover potential data breaches. The ACCC said companies that fail to comply with accreditation standards could be hit with litigation and civil penalties.
Here is an overview of the key features of the CDR:
- What is CDR and who does it apply to? The consumer data right (CDR) provides consumers with the power to direct that their information go to other data holders in a sector. It empowers consumers to use their data in order to get more competitive deals from within the designated sector.
- Who is a CDR consumer? Consumers are not just individuals – the Bill before Parliament extends coverage to all business customers, as well as individual customers who are ‘reasonably identifiable’ from the relevant CDR data.
- Obtaining consumer consent – The consumer’s express and informed consent will be required for each of the data recipient’s collection and use of data. In practice these consents will likely be obtained at the same time.
- Who must transfer data? The Treasurer will be able to designate industry sectors to which the CDR will apply, and the ACCC will then develop consumer data rules to provide more detail around the accreditation of data recipients and requirements for disclosure, use, storage, security and deletion of CDR data.
- What are consumer data rules? Consumer data rules will provide the detail on compliance with the CDR for each designated sector. They will cover all aspects of a designated sector, including consent to disclosure and how CDR data can be used and by whom, particularly if a sector has a tiered approach to accreditation.
- Which data? The indication is that the CDR will apply to any transaction data generated after 1 January 2017.
- Will there be charges for data transfers? The idea is that the CDR system will apply to datasets for which the imposition of fees should not be required.
- What are some of the steps you should take to get compliant?
- Ensure that you have capability to respond to consumer directions – meaning you will need to be able to provide access to data and transfer data according to the consumer data rules. Consider upgrades to IT infrastructure and customer-facing processes;
- Ensure you are able to record and report on your compliance with the framework and the consumer data rules set for your sector (e.g. the performance of your API when transferring data); and
The CDR legislation will sit within the Competition and Consumer Act 2010 (Part IVD). The Federal Treasurer will designate the sectors of the economy it applies to, while the ACCC will develop the consumer data rules and maintain the accreditation register. As is already the case, the Australian Information Commissioner, the OAIC, will enforce the privacy safeguards and data breach regime. The Privacy Act 1988 will be amended to cover all CDR data.
With significant new workloads for the ACCC and OAIC (as well as new regulatory bodies), the Government has allocated $44.6 million over four years to implement the CDR, including the appointment of a National Data Commissioner – but industry will be stuck with compliance costs and won’t receive any compensation or incentives to participate in the CDR regime.
The proposed legislation for the CDR was released in draft form on 15 August 2018 and will be going through a second round of consultation after 24 September 2018, but the Open Banking timeline is already set. 1 July 2019 is the start date for the CDR in the banking sector, which will include the four major banks and apply to all credit and debit card, deposit and transaction account data. All other banks will follow suit a year later in July 2020.