The devil in the detail - observations on the scope of CDR data and the new Privacy Safeguards

By Valeska Bloch

In brief

While the Consumer Data Right (CDR) regime is likely to benefit businesses by increasing access to greater consumer data, and customers by increasing choice and competition, the draft legislation leaves a lot of the details to be finalised at a later date (primarily through the Australian Competition and Consumer Commission's (ACCC) consumer data rules). It also raises a number of questions that are yet to be answered, in particular: how the Privacy Safeguards will interact with the Australian Privacy Principles (APPs), how businesses will practically structure their internal systems to comply with the different requirements under the two regimes, and how the market will respond to a requirement to disclose transformed or value-added data sets. This article reflects on these more interesting and surprising aspects of the proposed legislation, and considers how they might be addressed in the coming months.

Key takeaways

  • The potential scope of CDR data is very broad. The scope of the proposed legislation is very broad and captures data that relates both to natural persons and corporations, as well as to certain information that does not relate to any identifiable person. Data holders and recipients should be conscious of this when developing any frameworks or practices around the CDR regime.
  • CDR data may capture 'derived' data. CDR data under the legislation covers information specified in a designation, as well as any information derived from that information (or derived from the derived information). This broad definition could capture value-added data sets, as well as imputed information or information that is covered by intellectual property rights. The Government will need to balance the freedom for individuals to transfer and access data with the risk that requiring businesses to disclose valuable, transformed data sets to their competitors will stifle innovation.
  • The CDR Privacy Safeguards extend beyond the APPs. The newly proposed Privacy Safeguards regime follows the same structure as the APPs under the Privacy Act 1988 (Cth) (the Privacy Act), but:
    • will apply to a broader set of data (data that relates to a person, as opposed to data that is about an individual – this is intended to extend to metadata);
    • will apply to a broader set of entities (including both natural persons and corporations);
    • does not currently permit CDR participants to rely on reasonable expectations or implied consent; and
    • does not adequately contemplate how service providers who obtain new customers will be entitled to use the customer's transferred CDR data within their business.
  • The interaction between the CDR Privacy Safeguards and the APPs is not clear cut. Entities should consider how they wish to address the disconnect between the two privacy regimes when using, storing and securing personal information and CDR data, and when developing internal practices and data flows. One (albeit potentially costly and difficult) approach may be to handle all data that an entity holds in accordance with the Privacy Safeguards (in particular, the stricter consent requirements) to ensure CDR data does not have to be ring-fenced from other records.

The draft legislation raises a number of questions about how the regime will operate in practice, which are currently unanswered.

Scope of CDR data

Derived and value-added data

As discussed in Top 10 things you need to know about the Consumer Data Right, the scope of CDR data under the legislation is very broad and covers information specified in an instrument designating a sector or any information derived from such information (or derived from the derived information). Treasury has indicated that the broad scope is to ensure there is no loophole to exclude CDR data from the protection of the CDR regime by transforming the data in an immaterial way. While the scope of CDR data and consumers is likely to be narrowed under specific sector designations and data rules, this is not, and will not be, certain until the designations and rules are published. There is an inherent difficulty in defining data in a way that is sufficiently clear so participants know what data is subject to the regime and is also flexible enough to allow for different applications in different sectors, but this difficulty is not reduced by deferring the decision to a later date.

A key sticking point with industry during the process of the Productivity Commission's (PC) Data Availability and Use Report was the application of the CDR regime to value-added data sets. The PC's final report recommended that CDR data include derived data, and (subject to appropriate fees) value-added data, but not include data that is subject to intellectual property rights or imputed data about customers. Neither of these categories of data, nor data that have been purchased by entities, have been expressly excluded under the draft legislation. While fees could potentially be charged for both access to data sets and for certain uses of data by accredited data recipients (ADRs), Treasury has indicated that fees will not be imposed for initial data sets under Open Banking. Treasury has indicated their intention that the CDR regime will only apply to categories of data sets that should not require the payment of fees, and, accordingly, that the imposition of fees will be the exception not the rule, with the quantum of fees likely to be set by the ACCC, not market participants.

In failing to exclude these kinds of data or clarify what fees will be payable for such data, there is a risk that the regime will have the opposite effect to what was intended, reducing entities' incentives to clean and synthesise their data sets, or to consolidate data across multiple areas of their business to generate new insights, on the basis that they could be required to disclose this valuable data to their competitors.

Non-consumer CDR data

The legislation also contemplates a second category of CDR data that does not relate to any CDR consumer. While we expect that this category is intended to capture the product information discussed in the Open Banking Report (eg average interest rates across a particular market), the legislation does not place any limits on the scope of non-consumer-related CDR data, and does not expressly exclude commercially sensitive information, intellectual property or trade secrets.

It is unclear how this category aligns with the underlying premise of the consumer data right: ie that individuals should be entitled to access, and transfer, certain information about themselves for the purpose of enabling competition, and receiving improved and personalised products and services. The inclusion of the category may promote overall innovation in the relevant sector, in turn benefiting consumers, but this purpose should be reassessed once we know the breadth of non-consumer CDR data under the data rules.


Interaction of APPs and Privacy Safeguards

The interaction between the APPs in the Privacy Act and the new Privacy Safeguards to be incorporated in the Competition and Consumer Act 2010 (Cth) is still unclear. As currently drafted:

  • The Safeguards impose stricter obligations. The Privacy Safeguards (which are loosely based on the APPs, other than APP 12) will apply to CDR data that relates to an individual or corporation.
    • As CDR data is information that relates to an individual or corporation, as opposed to information that is about an individual, it will be much more difficult in practice for entities to properly de-identify information (and therefore remove such de-identified information from the ambit of the Privacy Safeguards).
    • The Safeguards are more restrictive than the APPs, and require express consent and the use or disclosure to be required or authorised under a data rule, as opposed to the APPs, which permit use and disclosure on the basis of implied consent or a reasonable expectation.
    • The Safeguards largely remove 'reasonableness' qualifiers in the APPs: eg Privacy Safeguard 11 requires entities to take steps specified in the data rule to protect CDR data, as opposed to taking 'reasonable steps' to protect CDR data. This means the obligations will be harder for businesses to comply with.
    • Treasury appears to have justified this higher bar by reference to the definition of 'consent' under the European Union's General Data Protection Regulation (the GDPR), but has not adopted the other lawful grounds of processing under the GDPR, such as the processing being necessary for the performance of a contract between an entity and the individual.
  • Continued application of APPs. While the Privacy Safeguards will apply to all ADRs, they will only affect a data holder once a request has been made for disclosure of data, and only to the data the subject of the request. The APPs will continue to apply to CDR data holders who have not been requested to disclose CDR data and to non-accredited recipients of CDR information, to the extent that the information is 'about' an individual. This is a slightly unusual outcome, in that data holders are not required to have a CDR policy or to comply with the stricter obligations under the Privacy Safeguards until a request is made, but then must fully comply when responding to that request. In practice, businesses should ensure that their internal processes are capable of complying with the Privacy Safeguards from the commencement of the regime in their sector.
  • Inconsistency. Where there is inconsistency between the Privacy Safeguards and the APPs, the Safeguards will apply to exclude the application of the APPs. This is effected by the Safeguards stating that permitted uses and disclosures will include use or disclosure required or authorised under law other than the Australian Privacy Principles.
  • Data breach notification. The mandatory data breach notification obligations under the Privacy Act are extended to capture unauthorised access, disclosure or loss of CDR data that ADRs hold. The data breach provisions are not extended to CDR data held by the original data holder.

Treasury has indicated that this section of the regime could change between the exposure draft and the final form of legislation to be released in December, and the final legislation could provide that either:

  • all CDR participants will be subject to the Privacy Safeguards and the APPs will be excluded in respect of CDR data; or
  • the Privacy Safeguards will apply only to ADRs, and data holders will remain subject to the APPs in respect of CDR data.

Practical considerations

The interaction between these two regimes is likely to be difficult for a number of reasons, including:

  • Mandatory application of Privacy Act to ADRs. Before a small business becomes an ADR, it will need to consider that while it is accredited (and in addition to the Privacy Safeguards), it will be required to comply with the Privacy Act (and the APPs) for all personal information it holds that is not CDR data.
  • Integration of CDR data in existing records. Businesses will need to consider whether and how they integrate CDR data into their records and databases, and whether they will need to distinguish between CDR data that is transferred to them for incoming customers (which will be subject to the Privacy Safeguards) and data they generate about customers (which will largely be subject to the APPs). The legislation seems to contemplate that businesses may need to ring-fence CDR data from their other records, to ensure that they are compliant with the strict consent, use and deletion obligations under the Safeguards. The explanatory materials suggest that the data rules could provide that recipient service providers can treat all received CDR data as if they were the data holder; however, this is not enshrined in the legislation.

    Two potential solutions are:
    • altering collection practices to obtain express specific consent for all CDR data and all personal information, in order to handle all information in accordance with the higher standard. This is likely to be costly and reduce the permitted ways in which businesses can utilise personal information they hold; and
    • ring-fencing CDR data from other records, and ensuring that they have appropriate capability and processes to de-identify information, so that it no longer 'relates' to a consumer when the consumer withdraws their consent or moves to an alternate service provider.
  • Documentation:
    • ADRs and businesses who could be data holders should develop a policy about their management of CDR data in line with Privacy Safeguard 1. This document will have a similar form to a privacy policy, and can be incorporated into the business's existing privacy policy.
    • ADRs and businesses that could be data holders should update internal privacy guidelines and practices, particularly those for direct marketing, de-identification and deletion of customer data, overseas disclosure and data analytics, to ensure that they address the stricter requirements under the CDR regime and the data rules, including express consent and the higher standard for de-identification.
    • ADRs should update their data breach response plan, to contemplate unauthorised access, misuse or loss of CDR data.
  • Extension of privacy protection to businesses. Businesses will need to ensure their current privacy practices and safeguards extend not only to the protection of the CDR data of natural persons but also to the 'privacy' and data of businesses. This is a step-change in legislation and appears to be at odds with the traditional justification of privacy as being a human right of individuals. The Government's justification that it is too difficult to delineate between natural persons and sole traders or small businesses is at odds with:
    • the fact that a CDR consumer is not limited to small businesses and could include a corporation of any size; and
    • the fact that existing legislation (including the Privacy Act) regularly delineates between natural persons and businesses, and between large and small businesses.