Top 10 things to know about the Consumer Data Right

In brief

The Government's draft Treasury Laws Amendment (Consumer Data Right) Bill 2018 (the Bill) sets up a proposed framework for the implementation of the Consumer Data Right (CDR) in Australia. While much of the detail is left to the sector-specific consumer data rules that the ACCC will develop, the Bill provides a system for designating the entities and datasets that will be subject to the right, the consumers who will benefit, how data transfers will occur, and mechanisms for recording and reporting performance – all underpinned by the key aims of consumer control, innovation and competition. This article lists our top 10 'need-to-know's about the proposed framework, including how these key aspects are likely to play out in the banking sector and what it all means for Australian businesses going forward.

Key takeaways

• Which sectors must transfer data? The Treasurer will be able to designate industry sectors to which the CDR will apply, and the ACCC will then develop consumer data rules to provide more detail around the accreditation of data recipients and requirements for disclosure, use, storage, security and deletion of CDR data. In an Open Banking context, all authorised deposit-taking Institutions (ADIs) will be subject to the regime.
• Which consumers? Consumers who will have the benefit of the right are a much larger group than individuals – the Bill extends coverage to all business customers, as well as individual customers who are 'reasonably identifiable' from the relevant CDR data.
• Which data? 'CDR data' includes information designated as CDR data for the relevant sector, as well as any information derived from that designated data and any information derived from that derived information, and so on. This, surprisingly, could capture a broad range of value-added data sets within an organisation – a much wider scope than is contemplated in the Open Banking Report.
• Data transfers The draft Bill does not stipulate how CDR data will be transferred, but provides for the establishment of a Data Standards Body that will develop technical standards for data sharing. In the banking sector, customer data is likely to be transferred via application programming interfaces (APIs).
• How to prepare There are practical steps you can take in each of the periods before the CDR applies to your business, after your sector has been designated, and then once the regime kicks in – including considering how best to leverage CDR data, reviewing operations and developing new systems to enable compliance, and implementing capability to respond to consumer directions.

1. Who will be required to transfer data?

Anybody the Treasurer designates, on a sector-by-sector basis.

Draft legislation: The Treasurer will be able to designate sectors of the economy that will be required to respond to consumer directions to transfer CDR data. The ACCC will then develop consumer data rules that will provide more detail relating to: (a) the disclosure, use, accuracy, storage, security and deletion of CDR data; (b) accreditation of data recipients; (c) reporting and record-keeping requirements; and (d) any related matters.

The Government has confirmed that it will designate the banking sector first, with the open banking regime to be introduced by 1 July 2019. The telecommunications and energy sectors will follow.

Open Banking: All ADIs (other than branches of foreign banks) will be subject to the regime, phased in over time, with the Big Four Banks required to be compliant by 1 July 2019. The Open Banking Report also recommended a principle of reciprocity of data exchange – ie any organisation that is accredited to receive consumer data (including non-ADIs) will also be required to provide access and transfer consumer data where requested, the idea being to create incentive to participate. There is no corresponding concept of reciprocity in the draft Bill, so it would appear to be an Open Banking-specific feature (at least at this stage).

2. Who will be accredited to receive data?

Anybody who the Data Recipient Accreditor accredits, based on the ACCC's accreditation criteria.

Draft legislation: The Bill provides that a Data Recipient Accreditor (DRA) will be appointed to accredit persons and businesses to receive CDR data, based on sector-specific criteria under the ACCC's consumer data rules. There will also be an electronic Register of accredited parties. The DRA (which will initially be the ACCC) will regulate accreditation, forming one of several legal mechanisms aimed at safeguarding data and 'inspiring confidence' in the data sharing framework (for more detail on these safeguards, see The devil in the detail – observations on the scope of CDR data and the new Privacy Safeguards. The Treasury is currently considering whether a decision by the DRA to reject or withdraw a data recipient's accreditation should be appealable to the Administrative Appeals Tribunal.

Open Banking: The Open Banking Report recommended the automatic accreditation of ADIs, given the rigorous regulatory regimes to which such entities are already subject and to facilitate the more streamlined implementation of Open Banking. Interestingly, the Report also suggested that the historical occurrence of a data breach should impact an entity's ability to qualify for accreditation – while this would presumably relate to where an entity has breached its data security requirements (rather than where a hostile attack occurs that could not reasonably have been prevented), it nevertheless highlights the importance of having rigorous data security protocols and data breach response plans in place.

3. Which consumers will benefit from the CDR?

Any individual or business that is 'reasonably identifiable' from CDR data.

Draft legislation: A 'CDR consumer' is defined very broadly in the Bill, as a person to whom CDR data relates who is identifiable or reasonably identifiable from the CDR data – with the effect that both individual and business consumers will be able to benefit from the right. However, the explanatory materials suggest that only individual consumers and small businesses will have the benefit of privacy protections and dispute resolution processes (presumably, more detail on this aspect will be provided in the ACCC's consumer data rules developed for each sector).

Interestingly, as drafted, the broad definition of a CDR consumer could include the data holder or an accredited recipient themselves. At the roundtables, however, the Treasury indicated that this is not the intent of the legislation – and is now seeking recommendations as to how the scope could be narrowed to exclude those participants.

Open Banking: The Open Banking Report contemplated that all customers (business and consumer) with a relevant account in Australia would be able to inherit the benefit of Open Banking. The Report recommended that all businesses, regardless of size, be able to transfer and receive CDR data, largely because of the compliance costs associated with distinguishing between small and large businesses. In any case, judging by the types of banking products that the Report suggested should be subject to the CDR (see 'Which data will be caught?' below), it seems unlikely that the CDR will be particularly useful for large business consumers.

4. Which data will be caught?

Any data the Treasurer specifies, plus (potentially) data derived from that data.

Draft legislation: The Bill defines 'CDR data' as information that is specified in the Treasurer's legislative instrument or is derived from such information. The explanatory materials note that this may include de-identified or aggregate data derived from CDR data.

The concept of 'derived' data is one of the more controversial and surprising aspects of the draft Bill, as it potentially allows for value-added data to be subject to the right – despite the Open Banking Report's firm recommendation that value-added datasets not be caught. At the roundtables run in Sydney and Melbourne over the past few weeks, the Treasury has advised that the rationale for this broad coverage is to prevent organisations from 'transforming' the data (even marginally) so that it falls outside of the CDR regulatory framework. However, if value is added to a dataset beyond a certain point, it may amount to property, in which case its resumption will need to be compensated under the Australian Constitution. Keep in mind that when designating a dataset, the Treasurer can make regulations restricting the ACCC's rule-making powers. That regulation could include hardwired rules narrowing the scope of derived or value-added data that will be subject to data transfers. In the absence of that, it will be 'derived' for the purposes of the legislation.

The Bill also contemplates that the ACCC's consumer data rules may require participants to disclose other CDR data on request when it does not relate to any one consumer – i.e. when an individual or business consumer is not identifiable from the CDR data. From the Treasury's comments at the roundtables, we understand that this is meant to cover what the Open Banking Report termed 'product data', and will effectively create a mandatory product disclosure regime.

Open Banking: The Open Banking Report argued that the CDR should apply to customer-provided data transaction data stored in a digital form for specific types of accounts held in Australia, as well as product data. The Report also considered that certain types of data should not be caught – including aggregated data, transformed data and information supporting an identity verification assessment (though entities should be required to share the outcome of that assessment). At this stage, we expect that Open Banking will apply to the various types of deposit and loan accounts identified in the Government's response to the Open Banking Report. We understand from the roundtable that the only value-added datasets contemplated in the banking context are things like account balances.

5. How will transfers of data occur?

In the manner set out in the standards the Data Standards Body has developed.

Draft legislation: The Bill does not stipulate how data will be transferred. It does, however, provide for the establishment of a Data Standards Body (and chairperson) that will develop technical standards for data sharing under the CDR framework, which may be sector-specific or apply more generally across sectors. These standards may be either mandatory (if they are adopted in the ACCC's consumer data rules) or voluntary – and if mandatory, will have the effect of a multi-lateral contract as between data holders and accredited recipients (although the ACCC and any aggrieved person may also apply to a court to enforce the data standards).

Open Banking: The Open Banking Report recommended that customer data be transferred via APIs (software intermediaries that allow two applications to talk to each other), which should be built according to the Data Standards. The Standards should determine the frequency of API calls by third parties (including whether push functionality should be available). The Standards should allow data access for intermediaries such as middleware providers.

6. Will there be charges for transferring data?

If the ACCC says so (but not for Open Banking).

Draft legislation: The Bill specifies that the ACCC's consumer data rules may set out any fees that participants may levy for the disclosure and use of specified categories of CDR.

At the Treasury's roundtable, we were told that there will be no fees charged for datasets in the initial stage, and that beyond that time, fees will be on an exceptions basis. The idea is that the CDR system will apply to datasets for which the imposition of fees should not be required.

That said, the legislation provides flexibility that fees could be charged. For example, if a dataset is not currently required to be collected by regulated entities under statute, fees might be payable. There may be an assessment of whether fees can be charged at the sector-designation stage or at the ACCC rule-making stage.

Open Banking: The Open Banking Report recommended that transfers of customer-provided and transaction data be provided free of charge. The Report also noted that restrictions should be placed on charges for the conduct of identity verifications – given the outcome of those assessments can be transferred under the new regime.

7. How will CDR data be safeguarded?

Through new, enhanced 'Privacy Safeguards' and various other checks and balances, including the consumer data rules, the data standards and the accreditation process.

Draft legislation: The proposed Bill introduces a new set of 'Privacy Safeguards' that will be incorporated under the CCA and apply to accredited data recipients (in lieu of the Australian Privacy Principles (APPs)), and to data holders (who will be bound by the APPs, and then the Privacy Safeguards once a request for a data transfer is made). More consent-driven than the APPs, these safeguards provide enhanced protections for CDR data – including limiting the collection of CDR data by an accredited data recipient to circumstances where the customer has expressly requested that collection, and use of disclosure of CDR data to where the consumer has consented to that specific use or disclosure (or it is otherwise authorised by law). CDR participants will also be required to destroy or de-identify CDR data (including deriving data) if they are no longer using it for the purpose for which it was received.

The ACCC may also prescribe additional safeguards in relation to CDR data or CDR consumers; the data standards developed by the Data Standards Body will contain more detail as to the technical requirements for transfer; and the Data Recipient Accreditor will provide checks and balances on the parties that are accredited to receive CDR data.

Open Banking: The Open Banking Report recommended that all participating data holders and accredited recipients be subject to the Privacy Act for any data transferred or received under the regime (irrespective of whether these entities would otherwise fall under one of the exempt categories of entities under that Act: e.g. small businesses). This has effectively been translated under the draft legislation – the APPs have been replicated as 'Privacy Safeguards' for CDR data, and all accredited participants will have to comply (even small businesses).

(For more detail on the Privacy Safeguards and other safeguards under the proposed framework, see The devil in the detail – observations on the scope of CDR data and the new Privacy Safeguards.)

8. How will performance be monitored and what are the consequences of non-compliance?

Through participants' maintenance and provision of transfer records and performance reports, as the ACCC's consumer data rules requires. The Bill proposes a range of criminal and civil penalty offences relating to CDR data and consumers, and breaches of the new Privacy Safeguards.

Draft legislation: The various bodies created under the Bill – the Data Recipient Accreditor, the Accreditation Registrar and the Data Standards Chair – will be required to report to the ACCC and/or the OAIC on various matters. Additionally, the ACCC's consumer data rules will contain provisions requiring CDR participants to provide performance reports to relevant CDR consumers, as well as the ACCC and OAIC.

Notably, the Bill also proposes to extend the existing Notifiable Data Breaches scheme under the federal Privacy Act to apply to CDR data. This means that data breaches involving CDR that pose a risk of serious harm to CDR consumers will need to be notified to the OAIC and the relevant affected consumers.

In terms of non-compliance, new penalties of up to $420,000 (or $2.1 million for businesses) may be imposed for misleading conduct relating to the transfer of CDR data and to breaches of the new Privacy Safeguards. Additionally, various enforcement powers the ACCC has today under the CCA will be extended to breaches of the new regime. (For more on remedies and enforcement, see Risky business – remedies and enforcement powers for CDR breaches)

Open Banking: The Report recommended that customers be able to view their Open Banking interactions at all times. Participants in open banking should also be required to maintain records of data transfers and API performance, which must be provided to the regulator (presumably, the ACCC) on request. We expect that the penalties proposed under the Bill for the CDR regime will flow down to the banking sector (and the ACCC may exercise its right to create additional civil penalties for breaches of the consumer data rules).

9. What steps should you take to get compliant?

Think strategically about how to leverage CDR data; develop new systems and processes to comply with the regime; and implement functional capability to respond to consumer directions to transfer data.

With the CDR in solid implementation phase, it is critical that you start thinking about how your business needs to prepare to comply with, and benefit from, the regime once it applies to your sector.

Before the CDR applies to your business, you should:

• have considered making submissions on the draft Bill, which were due on 7 September; and
• start thinking strategically about how your business can leverage CDR data to take advantage of the new regime, and whether your business holds any unique datasets that may ultimately be required to be transferred.

Then, once your business sector has been designated, you should:

• position your business to be ready to provide input on the ACCC's consumer data rules and the Data Standards;
• review your business operations, and develop new systems and processes to enable you to comply with the CDR regime (including the development of APIs, and mechanisms for receiving and complying with customer requests); and
• develop consumer and employee awareness through education campaigns specific to your business.

Note: Any recipient of banking information will need to become a member of AFCA (the external dispute resolution body).

Finally, once the CDR actually applies to your business, you should:

• ensure that you have functional capability to respond to consumer directions – meaning you will need to be able to provide access to data and transfer data according to the consumer data rules. Consider upgrades to IT infrastructure and customer-facing processes;
• ensure you are able to record and report on your compliance with the framework and the consumer data rules set for your sector (e.g. the performance of your API when transferring data); and
• develop a publicly available CDR policy (similar to a privacy policy). The CDR policy will be able to be bundled with a privacy policy.

10. Who will bear the costs of implementation?

The Government has been allocated spend to implement the regulatory framework for the CDR – but industry will be stuck with compliance costs.

Government funding: With significant new workloads for the ACCC and OAIC (as well as new regulatory bodies), the Government has allocated $44.6 million over four years to implement the CDR, including the appointment of a National Data Commissioner, with certain buckets going to the ACCC, the OAIC and Data61 (Australia's leading digital research network, which is part of CSIRO and will oversee the new Data Standards Body) to execute their respective roles.

Industry levy: The Open Banking Report flagged a possible industry levy in the future, when the regime is more mature, but recommended against such a levy on the banks, as it would be unfair to burden one sector with the costs of initial implementation.

Compliance costs Aside from any pass-through of regulator costs, the new regime will result in various compliance costs for businesses – including to develop new systems and technologies; identify and collate relevant data and comply with consumer requests; and to support ongoing reporting and record keeping. Unfortunately, the industry won't receive any compensation or incentives to participate in the CDR regime, so costs will need to be factored into your business plan in coming years.

Remember that some costs may be recouped by charging fees associated with accessing and transferring certain categories of CDR data – but, as noted above, we wouldn't bank on it.