In preparation for the implementation of the first phase of the Consumer Data Right (CDR) on 1 July 2019, and fresh off the consultation period for the Federal Government's draft CDR legislation, the Australian Competition and Consumer Commission (ACCC) released the Consumer Data Right Rules Framework (the Framework) on 12 September. While the Framework has a banking focus, it is intended to provide the 'in principle' position that the ACCC proposes to take when developing the specific rules for all designated sectors, moving forward. The high-level Framework includes further details about the CDR regime's features – a number of which are contentious, or likely to impose more onerous compliance obligations on participating businesses than initially anticipated.
The ACCC has been seeking feedback on the Framework to 12 October, and intends to publish the draft of the first version of the CDR rules, which will cover matters that are essential to the commencement of Open Banking, in December this year. Future versions of the rules will cover additional matters relevant to the banking sector, as well as other sectors that are still to be designated, such as energy and telecommunications.
- The Framework provides a much more detailed snapshot of how the CDR regime is likely to work in practice than does the draft CDR legislation, including the following new, or clarified, details:
- The energy sector may be designated sooner than anticipated, with the ACCC suggesting it will conduct consultations on the application of the CDR to the energy sector in late 2018.
- No fees will be payable for access to, or transfer of, CDR data under the first version of the rules.
- The rules are likely to contain detailed requirements of how consent must be obtained for the collection, use and disclose of CDR data, including that organisations must obtain express, informed, unbundled consent for each specific collection, use or transfer.
- The rules are likely to contain a blanket prohibition on using CDR data for direct marketing or on-selling CDR data.
- In order to become an accredited data recipient (ADR), organisations will be required to provide further detail about the sufficiency of their systems in relation to CDR data to the ACCC. Eg they will need to demonstrate that they will have: effective procedures to identify, manage and monitor risks to which they might be exposed regarding CDR data; adequate processes to comply with the privacy safeguards; and measures and tools to prevent fraud and illegal use of CDR data.
- Businesses should note the following additional obligations that the Framework contemplates:
- Data Use Plan – businesses will need to consider the ways in which they want to engage with, and use CDR data under, the regime. Businesses will have to develop a clear business plan that outlines such uses in advance of actually participating in the regime.
- CDR documentation suite – businesses will need to develop a suite of compliance and privacy documents to participate in the CDR regime, including:
- a CDR policy (eg a list of outsourced service providers, the nature of their services and the data that has been disclosed to them);
- for ADRs, a suite of specific, stand-alone CDR consent requests for each collection of CDR data that the business contemplates. These must include the period for which data is requested, when access will expire, how frequently data will be shared or accessed during the relevant time period, the names of any intermediaries or outsourced service providers the ADR uses, and the name of any third party service providers located overseas; and
- for data holders, 'authorisation requests' that outline the name of the ADR requesting data, the data requested, the period over which data was requested, when the ADR's access to the data will expire, details of the account to which access will be authorised and the period for which the transaction history has been requested.
- Accreditation – Businesses that want to become ADRs will need to ensure that they have in place appropriate:
- internal dispute resolution processes;
- systems, resources and procedures in place to comply with the CDR regime – ie information security procedures, security controls, mitigation measures, and procedures for reporting and notifying consumers about security incidents and breaches of the rules; and
- Outsourcing – ADRs will need to carefully consider outsourcing arrangements that relate to, or involve, CDR data, to ensure that those agreements impose appropriate restrictions on the service provider (to comply with CDR obligations), and that consumers are aware of, and have consented to, such outsourcing.
- De-identification – The ACCC has suggested including a right for consumers to elect whether they want their CDR data to be deleted or de-identified. If this right is adopted, businesses may need to consider ring-fencing CDR data to the extent that they regularly de-identify their records for use in analytics, insights or other purposes.
- Commercial use of CDR data – Businesses will need to ensure they have processes to prevent the on-selling of CDR data or the use of CDR data for direct marketing, including by ring-fencing CDR data from other internal databases.
- Record keeping – ADRs and data holders will be required to keep and maintain for six years records of their compliance with the privacy safeguards, consumer data rules and data standards, Application Programming Interface (API) performance and any complaints from consumers.
- Data protection – ADRs will need to ensure that their data handling practices comply with the rules the ACCC will develop in conjunction with the Office of the Australian Information Commissioner (the OAIC), which specify the steps an ADR must take to protect CDR data from misuse, interference, loss or unauthorised access, modification or disclosure.
- The Framework borrows various elements of the European Union's recently introduced data protection law, the General Data Protection Regulation (GDPR). However, interestingly, the ACCC has stretched certain GDPR concepts to apply more onerously to CDR data (while not adopting the overall rigour of the GDPR privacy framework) – eg strict consent requirements for ADRs, and the requirement for foreign ADRs to appoint local agents that are liable for its actions.
- With consultations open until 12 October, the ACCC has been seeking feedback on the following long list of issues:
- what metadata could be within scope, the benefits it could deliver to consumers, and any associated risks;
- whether the rules should include service levels for the authorisation and authentication process, or whether this would be better addressed by data standards;
- whether rules should be made to govern the concept of reciprocity;
- recognition of participants in other international open banking regimes (eg in the UK);
- what would be a reasonable timeframe for requiring banks to share CDR data relating to their offline customers and former customers;
- dispute resolution mechanisms for larger businesses and disputes between CDR participants (currently, the explanatory materials to the draft legislation state that only individual and small businesses will have the benefit of CDR dispute resolution processes);
- development of lower standards, or 'tiers', for accreditation and how this could be implemented;
- industry standards for protection of CDR data from misuse, interference, loss or unauthorised access, modification and disclosure;
- consent in relation to jointly held, and other complex, accounts;
- whether consumers should be able to decide if redundant data should be de-identified or destroyed by ADRs;
- whether CDR data can be on-sold or otherwise used by ADRs for direct marketing;
- rules around the provision of data to outsourced service providers and the utility of a model based on use of an intermediary; and
- the treatment of unsolicited data and particular scenarios that should be called out in the rules.
While the Framework does not contain a draft of the first version of the consumer data rules (we're told that these will follow in December), it does provides a significant amount of detail about how the CDR regime will operate in practice – at least in the early days of Open Banking.
The Framework fleshes out the draft CDR legislation, which, regarding a number of key aspects and concepts, deferred to the rules. In some cases, the Framework includes wholly new information about how the regime will function; while in others, the devil is in the detail.
What data is caught?
Under the first version of the rules:
- CDR data will capture customer data (eg customer name, contact details, account number and direct debits), transaction data (eg opening and closing balances and dates of transactions), and product data (eg product type, names and prices);
- the regime will only apply to customer data that is kept in a digital form; and
- data relating to identity verification assessments, or to authorisations given by consumers to transfer data under the CDR regime, will be excluded.
As the CDR legislation foreshadows, the new regime will capture 'Product Data' – generic product data, as well as any product data that relates to an account a customer holds (eg features such as applicable fees, charges or interest rates, customer eligibility criteria, and terms and conditions). While generic product data will not be subject to the Privacy Safeguards, any product data that relates to an account that a customer holds will be considered consumer-related data and be subject to the Privacy Safeguards.
The ACCC is seeking submissions on whether (and to what extent) transaction metadata should also be considered customer data (eg geolocation data about where a transaction occurred or the time that it took place). Australian courts have previously held that metadata is not personal information. Accordingly, the extension of CDR data to include transaction metadata will mean that metadata datasets will now be subject to collection, use and disclosure restrictions. This will be a significant departure from the status quo in Australia.
Which consumers can access data?
The first version of the rules will only apply to current customers who make use of online banking. Offline banking customers and former customers will be included in later versions.
In light of the implementation issues that banks are likely to experience, this limitation on the scope of CDR consumers was to be expected. But, in effect, it will limit the rights of individuals who have already moved to a new banking provider to access their banking history and transfer it from their old provider to their new one.
How will data be transferred?
Data sharing must occur via an API that businesses implement according to standards the Data Standards Body has developed. This requirement is consistent with the Open Banking Report's recommendation.
The draft legislation allows the ACCC to specify where a breach of a rule will be subject to a civil penalty. The ACCC's current position is that all rules imposing obligations on data holders or ADRs will be specified as civil penalty provisions.
The Framework identifies a number of additional, or more stringent, obligations that will be imposed on data holders and ADRs (ie compared with the very high-level obligations in the draft legislation, and existing privacy obligations under the federal Privacy Act). These obligations are likely to result in increased compliance and documentation costs, as well as a need for businesses to review and document their existing and proposed data handling practices. The key 'new' obligations for businesses are outlined below.
The rules will include new requirements for ADRs who outsource part of their business, to ensure that there are appropriate risk management processes in place to protect CDR data.
Upping the regulatory burden on businesses, these outsourcing arrangements must include, at a minimum:
- legally binding provisions mirroring the ADR's obligations under the rules in relation to security and management of CDR data; and
- monitoring processes in relation to the disclosure of CDR data.
ADRs must also obtain a consumer's consent to any outsourcing arrangements involving CDR data. This may mean that entities will be required to obtain new consent if they appoint or change service providers after receiving a consumer's consent to receive and use their CDR data for a particular purpose, or that businesses will need to retain internal functions to deal with CDR data where a consumer does not provide their consent.
An ADR will be required to maintain in its CDR policy a list of outsourced service providers, the nature of their services and the data that has been disclosed to them. The Framework suggests that this must be a specific list, as opposed to a generic statement that sets out the types of entities to whom personal information is disclosed (as the Privacy Act 1988 (Cth) currently requires).
Outsourced service providers may only use CDR data in line with their authorisation and not for any other purposes. This restriction is similar to the restrictions placed on data processors under processor arrangements under the GDPR.
Accreditation of data recipients
- Accreditation criteria – In order to become accredited to receive CDR data under the new regime, prospective ADRs will have to demonstrate that they:
- are a 'fit and proper person' (with consideration given to criminal history, insolvency, dishonesty, and any allegations that the entity has breached the Privacy Act – including data breaches – or the CDR regime);
- have appropriate systems, resources and procedures in place to comply with the CDR regime – including information security procedures, security controls and mitigation measures, and procedures for reporting incidents and notifying consumers;
- have appropriate insurance in place; and
- have appropriate internal dispute resolution procedures in place, and are a member of an external dispute resolution body (which, for the banking sector, will be the Australian Financial Complaints Authority).
- Business plan – As part of the accreditation process, applicants will need to provide a business plan to the ACCC that includes descriptions of the services the applicant intends to provide to consumers through the use of CDR data, with template consent screens and descriptions of security controls and mitigation measures, and procedures for the reporting of incidents and notification processes to consumers.
The creation of this business plan will require applicants to generate a significant amount of detailed information upfront (including making key determinations about the business of the entity, going forward). It is unclear to what extent an entity will be able to update its business plan after it has been accredited, as is the impact that any change would have on such accreditation.
- Accreditation application fees – Application fees will be payable as part of the accreditation process, but the Framework does not set out the quantum of these fees.
- Revocation of accreditation – The ACCC will have the ability to revoke accreditation where it believes on reasonable grounds that an ADR has breached a civil penalty provision (including the privacy safeguards and consumer data rules). Where an ADR's accreditation is revoked, it will be required to delete or de-identify all CDR data that it holds.
- Intermediary accreditation – There may also be some potential for an intermediary accreditation level, where entities will not collect CDR data but will able to access or use subsets of CDR data or insights from CDR data to provide services to consumers. The ACCC is seeking input on this point.
The Framework indicates that collection, use and disclosure of CDR data by CDR participants will require express consent from consumers. Comparisons have been made to the rigorous consent requirements under the GDPR. However, the new CDR regime actually appears to go beyond the GDPR's 'lawful basis' test, by requiring express consent without permitting entities to rely on any other basis for using data (eg where necessary to perform a contract with the relevant individual).
- Express and specific – Under the Framework, consents obtained from consumers should permit the consumer to specify their consent to:
- the scope of data provided;
- the uses to which the data is put; and
- the duration of time over which the data is made available and held (eg entities will not be able to seek an ongoing, indefinite consent to access and use a consumer's data, with the ACCC suggesting it could limit this period to 90 days – similar to the EU's Revised Payment Service Directive, known as 'PSD2').
- Unbundled – The rules will include a specific prohibition on bundling CDR consent with any other direction, permission or agreement. This reflects the recent, global legislative shift towards specific, unbundled consent. However, it is also likely to increase the cost and difficulty for entities in preparing consents (as consumers will need to be shown, and agree to, a greater number of consents), and will require that businesses consider all of their intended uses of CDR data in advance.
- Opt-in model – The Framework suggests that the rules will prohibit the use of 'opt-out' style consents (eg use of pre-ticked boxes or default settings) and specifies that implied consent will not be sufficient to satisfy an ADR's obligation to obtain consent.
- Withdrawal process – The ACCC will develop rules to provide consumers with a simple process to withdraw consent. ADRs and data holders will be required to develop an interface or dashboard that outlines historical and current consents and authorisations, to permit individuals to easily withdraw consents. Once a consumer's consent is withdrawn, all CDR data that an ADR (or its contractors or service providers) holds must be deleted or de-identified.
De-identification of data
The ACCC is seeking consultation on whether individuals should have the right to request that their CDR data be deleted by ADRs (as opposed to merely de-identified). The ACCC's justification is that merely de-identifying information (and allowing businesses to continue to use and disclose insights derived from that de-identified data) is not consistent with the consumer-centric aims of the CDR.
There are obviously concerns associated with the imposition of data deletion requirements under the CDR, including that such a requirement would create compliance difficulties where it conflicted with data retention requirements under other Australian laws. Similar concerns have arisen in relation to the 'right to be forgotten' under the European Union's General Data Protection Regulation (the GDPR). However, unlike the GDPR, it is proposed that the CDR regime will operate based on the consent of the individuals concerned. Under the GDPR, there are exception to data deletion requirements under the 'right to be forgotten', including where an entity processes relevant data on a lawful basis other than consent and is under a legal obligation to retain that data. However, where an entity holds data based purely on an individual's consent, the removal of that consent makes it difficult to justify the ongoing storage and use of that data based on separate legal obligations.
A rule requiring deletion has the potential to have enormous impact on businesses – as, in practice, it would mean that a business must not de-identify CDR data at any point until the data is redundant (ie once consent expires or is withdrawn). This is because once CDR data has been de-identified, if a consumer were then to request that their data be deleted, the business would not be able to comply. The inability to de-identify and use CDR data is likely to impact the value of analytics and an entity's ability to develop insights through the use of de-identified data. This rule would be a significant departure from the requirements under the Privacy Act (which do not apply once personal information is de-identified and any reasonable risk of re-identification is mitigated), and may require ring-fencing of CDR data from other personal information or business data.
This potential consequence is not directly contemplated in the Framework, and we think it likely is an unintended one – especially as the preclusion of businesses conducting analytics in a competitive commercial environment appears at odds with the ACCC's very function. It remains to be seen how stakeholders will respond to this issue and how it will then addressed in the rules themselves.
High-risk uses of CDR data
The ACCC has stated that it intends to make rules that the on-selling and use of CDR data for direct marketing will be prohibited (but is seeking consultation on this point). This kind of determination would categorically prevent entities from seeking an individual's consent to undertake these practices (which is currently permitted under the Privacy Act, provided consent is obtained or the individual would otherwise have a reasonable expectation that their personal information would be used for direct marketing, and a functional opt-out mechanism is always provided). Again, this appears to be an exceptionally onerous outcome of the CDR, and may require ring-fencing of CDR data from other data.
Mandatory collection and authorisation notifications
As part of the consent process, ADRs will be required to provide a statement to CDR consumers similar to a collection notice under the Privacy Act, but with more categories of, and more specific, information. Specifically, the notice will need to include:
- the name of the ADR requesting the information;
- the name of any intermediary via whom the ADR proposes to collect the data;
- the name of any third party service providers the ADR proposes to use to assist in providing the service;
- the data that has been requested, including the type of data and, where relevant, the period of time the data covers;
- the purpose of the data request and uses to which data will be put, including specifying in detail the role of any accredited intermediary or third party provider who will assist in providing the service;
- the period for which any transaction data is requested;
- when the ADR's access to the data will expire;
- whether the request is one-off or recurring and, if recurring, how frequently data will be shared or accessed;
- the names and locations of any third party service providers located overseas; and
- a statement that the consumer can withdraw consent at any time, to terminate the sharing of data.
Data holders will also need to provide individuals with authorisation notifications, which summarise the name of the ADR requesting data, the data requested, the period over which data was requested, when the ADR's access to the data will expire, details of the account to which access will be authorised and the period over which the transaction history has been requested. This will result in an increased administrative burden.
The ACCC expressly states in the Framework that the first version of the consumer data rules will not include any rules in relation to reciprocity, as, in its view, this concept raises complex issues requiring further consideration. Reciprocity encompasses either 'quid pro quo' reciprocity – where ADRs would be required to provide equivalent data sets; or the more generic reciprocity discussed in the Treasury's roundtables – where the ACCC could make rules that certain sub-sets of designated CDR data that ADRs hold would be subject to the CDR regime.
However, the ACCC has given some indication of how it may approach reciprocity in the future, stating that it does not approve of the quid pro quo approach, and that any reciprocity concept would still need to be based on a consumer directing and consenting to an ADR sharing their data.
This was a key point of discussion during consultation on the draft CDR legislation, and the approach in the Framework is likely to be a significant concern for established players – particularly the major Australian banks – as they will not necessarily be able to take the full benefit of the regime. That is, they will need to transfer CDR data but not necessarily be entitled to receive it from ADRs who are not otherwise subject to the Minister's designation.
That said, the Treasury's revised draft of the CDR legislation, released on 24 September, indicates that the rule-making power for achieving reciprocity may be more expressly laid out in the legislation itself (see You Asked, They Listened (Mostly) – Treasury's Proposed Revisions To The Consumer Data Right Bill. So, going forward – and as in many respects – it looks like there will need to be some realignment between the Treasury and its chief appointed regulator.