Consumer Data Right regime – what does it mean for you?
Over the past two years you may have heard about a new Consumer Data Right (CDR). The Federal Government initially announced the introduction of the CDR in November 2017, as part of a strategy to give consumers more power over their data while also improving competition amongst service providers.
While the CDR hasn’t yet been implemented, the latest news is that it will be phased into the banking sector from 1 July 2020 (subject to any delays caused by COVID-19 disruptions).
More and more onerous obligations are being placed on businesses to deal with how they are to collect and receive data. We recommend that businesses, in responding to such regulatory demands, develop and implement modern data governance policies to cover data access, portability and transparency, and complaint-handling procedures to deal with data requests by customers.
While there will be additional requirements and costs for businesses in taking these preparatory steps, the CDR system can also offer opportunities. The biggest being the opportunity for businesses to demonstrate their value to existing and new customers.
If your business isn’t already doing so, it needs to start thinking about the data it collects more seriously – including, how the data is collected, where it is stored, how it is used or disclosed and how it will make consumer data available to its customers and their nominated recipients in a cost efficient and compliant way.
To understand more what CDR is we have provided answers to some frequently asked questions from our clients.
- What is a Consumer Data Right?
- What are the key features?
- Who is going to be affected?
- What are the Consumer Data Right Rules?
- What are the privacy safeguards?
- What are the data standards?
- Why do we need a CDR regime?
The CDR is basically what its name suggests – a right for consumers to access their data. CDR includes the following components:
- data access - customers, whether individuals or businesses, will have a right to access data held about them, and the products and services provided to them, by businesses in specific industries;
- data portability - customers will have the ability to direct that their data be transferred to and shared with accredited third parties, including other service providers and comparative services;
- data transparency - businesses will be required to allow public access to information about specific products and services they have on offer.
The CDR has some similarity to Australian Privacy Principle (APP) 12. It gives individuals a right to access their ’personal information’, and the right of ‘data portability’ found in the European General Data Protection Right (GDPR).
However, CDR is broader in scope. It gives both individuals and businesses the right to access their data, as well as data in relation to specific products and services offered by service providers (not just personal information).
The introduction of a CDR in Australia has been years in the making. The need for ‘data portability’ was contemplated in various reports as early as 2015. Draft legislation was first introduced in 2018, but it wasn’t until 1 August 2019 that the Treasury Laws Amendment (Consumer Data Right) Bill 2019 was finally passed.
Some key features of the legislation include:
At this stage, the new regime will not be uniformly adopted across the whole economy. Instead, the legislation gives the Treasurer power to designate sectors of the economy the CDR will be applied to.
The Treasurer determined that the CDR will first apply to the banking sector, followed by the energy sector. The telecommunications sector is currently proposed to follow.
The CDR will be introduced into the banking sector in phases. The ACCC recently announced that:
consumer data relating to credit and debit cards, deposit accounts and transaction accounts will be made available from 1 July 2020; and
consumer data relating to mortgage and personal loan data will be able to be shared after 1 November 2020.
However, it is possible that the CDR roll out may be delayed given the market disruptions caused by the COVID-19 pandemic.
The ACCC formally made the Competition and Consumer (Consumer Data Right) Rules, which came into effect on 6 February 2020. They set out the principles, requirements and outcomes of the CDR regime for all sectors as well as sectors in specific, including the:
use and disclosure of CDR data;
requirement to delete CDR data on request;
process for dispute resolution; and
rules in relation to the Privacy Safeguards and the data standards.
If a person does not comply with the rules, they may be issued an infringement notice by the ACCC or be subject to a civil penalty (if that rule is subject to one).
A key part of the rules are the disclosure requirements of data holders for a ‘product data request’ and a ‘consumer data request’. The rules establish what is ‘required’ data and ‘voluntary’ data, and that a data holder is only required to disclose required data, which includes:
Schedule 3 of the rules provide the rules relevant to the banking sector, and the ACCC has released a phasing timetable to implement those rules. The ACCC is currently considering how the rules will be revised for additional sectors to be designated (such as the energy and telecommunication sectors).
The security and integrity of the CDR system will be maintained by 13 privacy safeguards, which are set out in the legislation.
The privacy safeguards broadly mirror the APPs, although overall they are more restrictive.
The privacy safeguards prevail over inconsistent consumer data right rules, and replace the APPs in relation to the processing of CDR data by an accredited data recipient. However, the privacy safeguards do not replace the APPs in relation to the processing of CDR data by businesses or a designated gateway (except where otherwise specified).
Determining which of the APPs or CDR Privacy Safeguards apply to a particular data set will present a challenge for participating organisations, as it will depend on the role of that organisation in the CDR regime.
This new privacy regime will have a significant impact on ‘small businesses’ (being businesses with an annual turnover of less than $3 million), because they are generally exempt from any obligations under the APPs.
However, under the new CDR framework, an accredited small business recipient of CDR data will in effect lose its right to rely on that exemption, because all ‘personal information’ held by an accredited small business CDR recipient will be covered by the CDR Privacy Safeguards.
The data standards establish the technical and security processes for the sharing of consumer data as it generally applies across all sectors and specifically applies to those designated sectors. This will cover:
obtaining authorisations and consents, and withdrawal of authorisations and consents;
the collection and use of CDR data, including requirements to be met by CDR participants in relation to seeking consent from CDR consumers;
authentication of CDR consumers; and
the types of CDR data and descriptions of those types to be used by CDR participants in making and responding to requests.
The new Data Standards Body’s version 1.2.0 release of the Consumer Data Standards is expected to become the binding baseline for implementation of phase 2 of the CDR regime in accordance with the rules and phasing timetable published by the ACCC.
Most importantly, any standard which is required to be made by the rules will apply as a contract between a data holder and an accredited data recipient and will be legally binding. It can also be enforced by any aggrieved person as well as the ACCC.
The growth of data generation and its use has caused concern for many about how personal information is going to be protected. The European Union’s adoption of the GDPR has been especially influential in establishing what will be the new data protection standards going forward, affecting individuals and businesses in and outside the EU.
The CDR regime is a clear example of Australia incorporating these new ideas about data governance.
Similar policies are being implemented around the world with England also introducing their own Open Banking scheme. To this end, we can see that there is a global movement for stronger governance regimes and protocols around data. Interestingly, this is not about protecting privacy by restricting use - rather, the new regime intends to encourage the sharing of data so people and businesses can realise its value as it continues to be generated and digitised.
Author: Lucinda Borg
Contributing partner: Michael Cossetto