Show me the data! Introducing the Consumer Data Right

By Valeska Bloch

In brief

On 15 August, the Federal Government released exposure draft legislation that, if passed, will establish an 'economy-wide consumer-directed data transfer system'. The latest sprint in a marathon of reviews, reports and recommendations over the past few years that have called for the adoption of some form of consumer data right, the proposed system will afford individual and business consumers the right to access specified categories of data about or related to them that is held by designated organisations, and efficiently transfer that data to accredited third parties. This article introduces the concept of the Consumer Data Right (CDR) and reflects on the global and local trends that have spearheaded its arrival in Australia.

Key takeaways

  • The Treasury Laws Amendment (Consumer Data Right) Bill 2018 (the Bill) sets in motion the Government’s announcement in May that it would legislate a framework for a general Consumer Data Right and allocate $20 million in the Federal Budget over the next four years to oversee its implementation.
  • In making that commitment, the Government took strong cues from the Productivity Commission's Final Report into Data Availability and Use published in March 2017 and the Treasury-commissioned Report into Open Banking released in February of this year.
  • The CDR is the culmination of a number of global and Australia-specific trends – including exponential growth in digitised data, enhanced recognition of data as a critical asset and an economy-wide focus on innovation – that have created momentum for major regulatory change in the data space.
  • Much of the detail surrounding the proposed regime is yet to come, and will be set out in sector-specific 'consumer data rules' prepared by the Australian Competition and Consumer Commission (ACCC), and rolled out as the Government designates industry sectors to which the CDR will apply. Banking will be regulated first, with the telecommunications and energy sectors the next cabs off the rank.
  • Despite the gaps, it is clear that the CDR is the biggest shakeup of data regulation in Australia we've ever seen – and, one way or another, it's going to affect all consumers and industries alike.
  • While its implementation will require new compliance regimes, the CDR also offers significant opportunities for businesses to leverage the ability to share and receive data to create more tailored products and tap into new revenue streams.

Momentum for a new way of thinking about data

A watershed in Australia's data economy, the arrival of the CDR is a product of a number of intersecting global trends and local policy developments that have transformed the way we view data accessibility and use, including the following:

  • exponential growth in the generation of digitised data – more than 90 per cent of the data in the world was generated in the last two years. There are approximately 2.7 Zettabytes of data in our digital universe – or more than 90 million 32GB USB sticks;
  • improvements in computing power and data analytics skills and technologies;
  • commercialisation of data has become mainstream – spearheaded by tech giants like Google and Facebook (which generated around 98 per cent of their revenue through advertising in 2017), using data for commercial purposes is now a given in every organisation's long-term strategy;
  • widespread recognition of data as a critical asset (not just a mailing list) – sentiments around data have shifted from seeing it as a risk or overhead, to a powerful tool that, if handled well, can give businesses a competitive edge and wield market power;
  • greater emphasis on consumers wanting to control access to and use of data about them – concepts of trust and a 'social licence' in relation to data have been spattered across the media, as consumers demand a share in the value of the data they hand over to businesses; and
  • economy-wide focus on innovation – e.g. we've seen the rise of FinTech companies in the banking and financial services space – companies that, incidentally, stand to gain a lot from the implementation of the CDR (currently, they are forced to use screen-scraping technologies to access a customer's banking data, which carries security risks and is relatively inefficient and costly).

Global data governance developments

These paradigm shifts have created strong momentum for global regulatory change in the data space:

  • The most sweeping privacy and data protection laws in the world have arrived with the General Data Protection Regulation (the GDPR) in Europe. In placing the rights and freedoms of individuals at the very centre of its rules around data governance and use, the GDPR effectively creates a consumer data right based on individual control.
  • In the US, California has beefed up its privacy laws with legislation that allows consumers to control use of data that relates to them. Given California's reputation as a trend-setter for other US states in the data protection space (e.g. it was one of the first states to enact mandatory data breach notification laws), this may be a forerunner to reform on a greater national scale.
  • Even the Trump administration has indicated plans to begin consultation on a consumer data protection framework. This follows the repeal in early 2017 of the Obama-era Federal Communications Commission's privacy protections for internet users.
  • The UK has had a government-mandated open banking regime since March 2017. Pre-dating the GDPR, the UK Government first took steps towards the reform in early 2014.
  • Industry in the US, New Zealand, Japan, Singapore and India is leading the charge, setting up banking data sharing platforms, and signing up to bilateral data sharing agreements (especially between established banks and emerging FinTechs).
  • Hong Kong is consulting with banks about the use of application programming interfaces (APIs) in the banking sector and Japan has been making gradual legislative amendments in favour of the FinTech sector.

Australia's road to a Consumer Data Right

[Figure: Path to CDR (timeline)]

The timeline above reflects the key milestones in Australia's path towards the establishment of a Consumer Data Right.

Arguably, the strongest call to action for the Government to legislate the right was the Productivity Commission's Final Report into Data Availability and Use published in March 2017 [1]. The report criticised Australia's historically conservative approach to data sharing and use, and proposed a 'fundamental and systematic change' to the way Australian governments, business and individuals handle and facilitate access to data.

The Productivity Commission observed that the current legal framework, policy requirements and approval processes governing access to and use of data in Australia have created an entrenched culture of risk aversion. As a result, agencies and organisations generally deny access to data by default, as the easiest way to minimise their (perceived) risk. However, the Productivity Commission reflected that this approach is out of step with competing economies like the US, the UK and New Zealand – which, in turn, is detrimental to our economy in a competitive global data sharing market.

In July 2017, only three months after the publication of the Productivity Commission's Report, the Treasury commissioned a Review into Open Banking. The Final Report of the Review was released in February this year and represents the first detailed examination of how a consumer data right regime would apply to a particular sector in practice. The Government was all ears, agreeing in May to implement the Productivity Commission's and the Review's recommendations for an overarching Consumer Data Right and its first application to the banking sector.

Now that it's arrived

As Treasury continues to refine the Bill, the establishment of a CDR marks a critical moment in the Australian data economy. This means that there's a lot of work for businesses to do to understand the right and get ready to implement it – but there's also significant scope for industry to influence the implementation process, and new opportunities for leveraging data sharing in ways that meaningfully benefit your business. For more detailed information on what the CDR framework will look like in practice and what it means for you, see our other articles below.

Footnotes

  1. For more on the Productivity Commission Report on Data Availability and Use, see our Focus: Landmark Productivity Commission report on data availability and for more on the Government's response to that report, see our Focus: Federal Government's bold vision for data availability.