You asked, they listened (mostly) - Treasury's proposed revisions to the Consumer Data Right Bill

In brief

On 24 September, Treasury released for public consultation its revised version of the exposure draft legislation that will give effect to the new Consumer Data Right (CDR) in Australia. Reflecting feedback from public consultation on the first tranche of draft legislation that was released on 15 August, the revised CDR Bill proposes to limit the scope of rule-making powers requiring access to derived or value-added data, clarify the interaction of the new Privacy Safeguards with the federal Privacy Act, refine the operation of reciprocity, and provide greater flexibility for industry to set fees for chargeable datasets. We outline the new proposals that reflect Treasury's concerted efforts to address a number of key stakeholder concerns, and consider those issues that require further attention.

Key takeaways

• Treasury has rolled back the scope of 'derived data' that the CDR may catch. The legislation has been redrafted to permit only the inclusion of data that has been enhanced, but not materially so (other than on an exceptions basis). Responsibility for determining the scope of derived data has been transferred from the ACCC (in the consumer data rules) to the Minister (in the designation instrument).
• Treasury has proposed that most of the CDR Privacy Safeguards will not apply to data holders, and only the Privacy Safeguards (and not the Privacy Act) will apply to data recipients regarding CDR data they have received.
• The principle of reciprocity is now proposed to be built more clearly into the legislation, to emphasise the ACCC's ability to make rules requiring data recipients to provide customers with access to data. The renewed emphasis seems to cut across the ACCC's comments in the draft CDR Rules Framework that decisions about the application of reciprocity would be deferred to a later date.
• New minimum consultation requirements have been recommended before a sector can be designated or rules can be made.
• Treasury has proposed that the designation instrument should identify whether a data set is fee-free or chargeable, and data holders may then adopt their own pricing for chargeable data sets.
• Together with the revised legislation, Treasury has released a draft designation instrument for Open Banking that switches on the rule-making power for the implementation of the CDR in the banking sector, and defines the data sets and data holders that will be covered.

Proposal 1: Treatment of derived data

In the first round of consultations on the draft CDR Bill, one of the biggest sticking points for industry was the exceptionally broad definition of CDR data – in particular, its ability to capture 'derived' data comprising value-added data sets, imputed information and information that is the subject of intellectual property rights (see our The devil in the detail – observations on the scope of CDR data and the new Privacy Safeguards).

Treasury has responded to these concerns by clarifying its position that the scope of data that should be included in the CDR is consistent with what the Open Banking Review recommended: as a general rule, 'data that results from material enhancement by the application of insight, analysis or transformation' should not be captured, but 'there can be exceptions to, or qualification of, this broad principle'.¹

The first draft of the CDR Bill sought to defer to the ACCC to (via its consumer data rules) narrow the scope of data that could be subject to access and transfer requests. In the revised draft, Treasury has reallocated this discretion to the ministerial level, by introducing limitations on the ACCC's rule-making power so that:

• where data relates to a CDR consumer:
  • the access and transfer rights can only attach to derived data that has been specifically called out in the designation instrument; and
  • the rules can only require such data (including any designated derived data) to be transferred to a CDR consumer or an accredited data recipient (as opposed to non-accredited entities, which the legislation had previously contemplated) – the effect being that derived data cannot be directly transferred 'out' of the CDR system (eg to an individual's accountant), although, presumably, this could be facilitated once the data is transferred to the CDR consumer themselves; and
• where data does not relate to a consumer (ie product data), the access and transfer right can only apply to data about the eligibility criteria, terms and conditions or price of a product – with the effect that data not related to a reasonably identifiable consumer, such as algorithms and anonymised results of analysis and aggregated data sets, will fall outside the scope of the access right.

On a related note, Treasury has also sought to narrow the definition of a CDR consumer to persons (including individuals and businesses) to whom CDR data relates because of a supply of a good or service to the person or its associate. This was based on stakeholder feedback that the previous remit – effectively covering any person to whom CDR relates – could apply more broadly than intended, and could theoretically include the data holder or an accredited recipient themselves. At the roundtables, Treasury indicated that this was not the legislation's intent; and the new qualifier is an attempt to clarify that consumers who will benefit from the CDR are those receiving goods or services from a data holder.

Finally, Treasury has proposed including a new express obligation for the Minister, before making any designation, to consider the likely effects of designating data that may contain intellectual property or data that is, by its nature, confidential. These considerations go beyond what was contemplated in the previous exposure draft, which drew the Minister's attention more to the effects on consumers and the designation's privacy and regulatory impacts.

The explanatory materials state that intellectual property remains potentially within the scope 'to address potential loopholes and uncertainty that could otherwise arise' (which we assume is a reference to Treasury's previous comment at the roundtables that it was looking to avoid data holders transforming data even marginally to evade the operation of the CDR regime). However, Treasury has indicated that it does not anticipate any intellectual property to be designated for most sectors – and where it is so designated, the Minister should be required to assess whether data holders may impose charges, as described in 'Proposal 5: Charges for access to and use of CDR data' below.

Proposal 2: Interaction of the Privacy Safeguards with the Privacy Act

The next major gripe stakeholders expressed about the first exposure draft was the lack of clarity around the interaction of the CDR Privacy Safeguards and the existing Australian Privacy Principles (APPs) under the Privacy Act.

In the revised legislation, Treasury has clarified when CDR participants will need to comply with which privacy framework, as follows:

• The Privacy Safeguards will apply in full (and in substitution for the APPs) to accredited data recipients regarding CDR data they have received. In other words, the Privacy Safeguards turn on, and the APPs turn off, as and when an accredited recipient is in receipt of CDR data.
• Only certain Privacy Safeguards will apply to data holders – being Privacy Safeguards 1 (transparent management of CDR ), 10 (notification of disclosure ), 11 (quality of CDR data) and 13 (correction of CDR data). With the exception of Privacy Safeguard 1 (which will apply to data holders concurrently with APP 1, meaning that data holders will always need to have a CDR privacy policy), these Safeguards will only apply to data holders once a disclosure request has been made, and only to the particular data set that has been transferred. Otherwise, the APPs will continue to apply to data holders regarding any personal information they hold (including CDR data that has not yet been transferred).
• Data recipients, regarding CDR data they have collected or generated themselves (and not as a result of the CDR), will be considered data holders (see more on this point under 'Proposal 3: Reciprocity', below).

The amended sections of the Bill reduce the complexity, and better clarify the respective obligations that fall on a data holder and accredited data recipient. And if you're wondering how you'll remember what applies to whom and when, the explanatory materials to the revised draft provide some useful scenario-based examples – as extracted below.²

Proposal 3: Reciprocity

As discussed in our Top 10 things to know about the Consumer Data Right, the Open Banking Report recommended a concept of reciprocity – ie that any organisation accredited to receive CDR data should also be required to provide access to, and transfer, it on request (the idea being to create an incentive to participate, and a fair playing field for data holders and recipients). However, this principle was not explicitly dealt with in the first draft of the legislation, and several submissions suggested that the Bill could go further to highlight this feature for the lay reader.

In response, Treasury has proposed amended sections that give greater force to the principle of reciprocity, and the ability of the ACCC to write rules requiring data recipients to provide customers with access to data. The revised draft contemplates that reciprocity could operate in three circumstances:

• Equivalent data – designated entity: Where an accredited recipient falls within a designated class, and has itself generated or collected data falling within a designated data set, but there is no rule requiring the recipient to provide access to that designated data. The explanatory materials give the example that a rule could be written to require a small ADI to disclose banking information on a consumer's request before 1 July 2020, if it had created or received that data.
• Equivalent data – non-designated entity: Where an accredited recipient does not fall within a designated class, but has itself generated or collected data falling within a designated data set. Treasury's example is that a rule could be written to require a non-bank lender who is an accredited recipient to disclose lending information at a consumer's request.
• Received data: Where an accredited recipient has received data via the CDR regime.

Treasury has proposed that where reciprocity has the effect that an accredited recipient is required to provide consumers with the right to access and transfer equivalent data, they will be treated as a data holder regarding that data for the purpose of the rules and the Privacy Safeguards.

The renewed attention given to reciprocity in the revised exposure draft seems somewhat at odds with the ACCC's comments in the draft CDR Rules Framework that: (1) reciprocity should only apply where it would benefit consumers (and with consumer consent); and (2) decisions about its application would be reserved for further consultation at a later date. This suggests that, while the legislation may provide a clearer foundation for the setting of rules around reciprocity, it may be some time before the ACCC actually makes any such rules.

Proposal 4: Minimum consultation requirements for designation and rule-making

At the roundtables, several stakeholders expressed concern that the proposed process for sectoral designation and the development of rules did not contain sufficient checks and balances to evaluate properly the implications for the relevant industry. In particular, the first exposure draft offered limited opportunity for public consultation before the Treasurer was lawfully able to issue a designation instrument.

In response, Treasury has now proposed a much more comprehensive process and minimum timing requirements for consultation before a sector can be designated and rules can be made. In summary, it has proposed that:

• the Explanatory Memorandum will clarify that a requirement to consider the likely regulator impact is a statutory requirement to undertake a Regulatory Impact Statement, including a cost-benefit analysis;
• public consultations about the draft rules and designation of a sector must be undertaken for 28 days at a minimum;
• the OAIC will be required to provide public advice to the Treasurer on privacy impacts of the proposed designation or rules, but will be given discretion to provide confidential advice where it would impact on a person's privacy, a business's confidentiality or would otherwise compromise an ongoing investigation;
• the Minister will need to wait 60 days after the ACCC's advice about sectoral designation has been made public before making a designation instrument (note that this is contrary to the first draft of the Bill, which provided that the Minister could make a declaration before the ACCC's and the OAIC's reports are published);
• the ACCC will need to wait 60 days after its proposed rules have been made public before the rules are finalised;
• the previous provision stating that a failure to consult would not invalidate an instrument will be replaced by a statement that consultation will be deemed sufficient if it was undertaken for a minimum of 28 days, and there was at least a 60-day period between publication of advice or proposed rules and declaration of the instrument; and
• the ACCC may only make emergency rules in more limited circumstances, where it believes that they are necessary to avoid imminent risk of serious harm to consumers or to the efficiency, integrity and stability of the Australian economy.

Proposal 5: Charges for access to and use of CDR data

The first draft of the CDR legislation stated that the ACCC's consumer data rules (but not the ministerial designation itself) could prescribe fees that participants may levy for the disclosure and use of specified categories of CDR data. However, during roundtable discussions, we were told that no fees would be charged for datasets in the initial stage; and that afterwards, fees would be permitted on an exceptions basis only. Treasury was also firm on the point that the ACCC, and not data holders, would have discretion to set the quantum of any fees (as giving such discretion to data holders would undermine the spirit of the regime).

In perhaps the biggest 180 from the first to second draft of the legislation, Treasury has now proposed that the designation instrument itself should identify whether a data set will be fee-free or chargeable. Data holders will then be able to impose their own fees for access and use of chargeable data sets, taking market-based pricing as the initial pricing approach. The ACCC will only be able to step in to determine a reasonable price for access where a data holder is found to be imposing excessive fees.

In determining whether to designate a chargeable data set, the Minister will need to consider the following factors (in addition to the other general factors to be considered when designating data sets):

• whether the data set constitutes property under the Constitution;
• whether the data holder currently charges customers for access to the data set;
• the impact on incentives for data holders to generate, collect, hold or maintain the data set if access rights were provided free of charge; and
• the marginal costs to data holders in disclosing the data.

Data holders, who may adopt their own charging strategy for chargeable data sets, will be required to make information about such charges publicly available, according to the consumer data rules. Access and transfer prices for data that constitutes intellectual property will always need to reflect, at least, just terms for that data.

In formulating a test that existing pricing arrangements are unreasonable (satisfaction of which would enable the ACCC to step in to regulate price), Treasury proposes that the ACCC must consider whether:

• existing charging arrangements are unreasonable;
• the CDR's objects would be promoted by issuing a pricing declaration;
• pricing arrangements would promote the public interest; and
• the effect of imposing pricing arrangements on investment on collecting, generating, holding and maintaining the data set, and on markets that depend on access to the service that underlies the data set.

Moreover, any pricing arrangements will need to:

• reflect efficient costs and risks of proving access to and use of the data;
• allow price discrimination where it aids efficiency;
• prevent vertically integrated data holders discriminating in favour of their downstream operations; and
• offer proper incentives to reduce costs, or otherwise improve productivity.

Open Banking Designation Instrument

Alongside the revised legislation that will provide the statutory framework for the CDR, Treasury has released for public comment the draft Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2018 – its proposed designation instrument for Open Banking.

Codifying banking as the first sector of the Australian economy to fall subject to the CDR, the draft instrument sets out the classes of information that will be caught by the CDR and the data holders – Authorised Deposit-Taking Institutions (ADIs) – who will be required to respond to access and transfer requests.

Consistent with the findings of the Review into Open Banking, three categories of banking data are proposed to be included in the designation:

• customer-provided data (eg information about the identity of, and contact details for, the consumer or their associate, or about their eligibility to receive a product);
• transaction or product use data (ie the type of information typically seen on a customer's bank statement, like their account balance, debts and credits and when they occurred, and who payments were made to); and
• product data (ie public information about fees and charges, interest rates, terms and conditions and eligibility criteria).

The draft instrument confirms (per the Open Banking Report) that all data an ADI holds from 1 January 2017 onwards will be subject to access and transfer requests.

The passing of the instrument will trigger the ACCC's power to create rules for the banking sector (including the tiered timing for when the Big 4 Banks, and then other ADIs, will begin to be caught by the CDR).

Notably, the draft instrument does not reflect Treasury's proposed approach to chargeable data sets described above – ie it doesn't distinguish between free data sets and those where charges may be imposed. The explanatory materials indicate that this will be incorporated following this round of consultation; however, as per the Open Banking Report, it is expected that banking data sets will remain fee-free in most cases.

Where to from here?

Formal submissions on the draft legislation and the Open Banking designation instrument as well as on the CDR Rules Framework (see The ACCC's Consumer Data Right Rules Framework) are due by 12 October. This represents the final opportunity for public consultation on the draft Bill and the banking instrument.

The final Bill is expected to be introduced into Federal Parliament by November or December this year, and passed in February or March 2019.

The ACCC is progressing its rules framework documents in parallel, and has acknowledged that some changes may be required to align with the underlying CDR legislation wherever it lands. The ACCC is expecting to release draft CDR rules for the banking sector in December 2018.