The Federal Government's proposed Consumer Data Right regime is the biggest shake-up in data regulation that we've seen in Australia.
On 15 August 2018, the Federal Government released exposure draft legislation that, if passed, will establish an 'economy-wide consumer-directed data transfer system'. This is the biggest shake-up of data regulation that we've seen in Australia – and it's hurtling towards us at breakneck speed. We've worked through this complex new proposal to answer the key questions and extract the need-to-knows. What is the new consumer data right? How will it be enforced? And most importantly, what does it mean for your business?
The new CDR framework
- What is it? At its heart, the Consumer Data Right (CDR) will allow consumers to access certain information held about or related to them by designated organisations, and direct that information to be transferred to accredited third parties.
- How will it be implemented? The draft legislation, which involves the insertion of a new part in the Competition and Consumer Act 2010 (Cth) (CCA), creates a regulatory framework for the implementation of a CDR that will largely be administered by the Australian Competition and Consumer Commission (ACCC) – along with a complex web of other agencies (both old and new).
- Who will regulate it? Roles and responsibilities for administering the regime will cascade down from the Treasurer (who will designate sectors to which the CDR applies), the ACCC (which will develop consumer data rules) and the OAIC (which will handle privacy complaints and take enforcement action on breaches of the privacy safeguards), to a new Data Standards Body (which will create transfer and security standards) and a Data Recipient Accreditor (which will accredit recipients of CDR data).
- Where is the detail? Most of the detail for entities' participation in the regime as data holders and accredited recipients will be a matter for the ACCC to determine as part of the consumer data rules, which will govern the disclosure, use, accuracy, storage, security and deletion of CDR data, the accreditation of recipients, and reporting and record-keeping requirements.
- What's the timing for rollout? Consultation on the draft legislation ends on 7 September 2018 and the ACCC's rules framework (which will outline the structure and content of the proposed rules) is expected to be released around 10 September 2018. The Government's intention is that the final version of the legislation will be released in December 2018 and receive Royal Assent in March 2019.
- Which sectors will be designated? Open banking is scheduled to commence from 2019, with major banks being required to make credit and debit card, deposit and transaction accounts data available by July 2019. After open banking, the CDR regime will be rolled out to the energy and telecommunications sectors. Treasury has not yet confirmed which other sectors will follow – but based on the high quantity of regulated information and friction involved in transferring providers, the sectors could include superannuation, insurance, digital platforms or health.
- What does it mean for you? Long-term, the CDR is going to affect all businesses and industries. While its implementation will certainly require new compliance regimes, the CDR also offers significant opportunities for businesses to leverage the ability to share and receive data to create more tailored products and tap into new revenue streams.
- What should you do to prepare? There are practical steps you can take in each of the periods before the CDR applies to your business, after your sector has been designated, and then once the regime kicks in – including considering how to best leverage CDR data, reviewing operations and developing new systems to enable compliance, and implementing capability to respond to consumer directions.
Our recent articles on CDR
- The ACCC's Consumer Data Right Rules Framework
- You asked, they listened (mostly) – Treasury's proposed revisions to the Consumer Data Right Bill
- Show me the data! Introducing the Consumer Data Right
- A tangled web – the regulatory framework and its power players
- Top 10 things to know about the Consumer Data Right
- The devil in the detail – observations on the scope of CDR data and the new Privacy Safeguards
- Risky business – remedies and enforcement powers for CDR breaches
- What's next?