Looming changes – are you ready for the Consumer Data Right?

Written by Christine Ecob (Partner)

In May 2018, the Federal Government announced its intention to introduce a Consumer Data Right (CDR) across the whole economy in Australia, starting with the banking sector from 1 July 2019 and with the energy and telecommunications sectors to follow.

The CDR will oblige participants in affected sectors to share certain data they have collected about their consumer customers (“CDR Data”) with other participants, including competitors. At present, despite the looming start date, the legislation creating the CDR has not yet been passed, and the specific details of what data is caught and how it is to be securely shared have not yet been finalised.

Key Takeaways

Organisations (particularly in the energy and telecommunication sectors) should pay close attention to how the CDR is implemented in the banking sector to ensure they are ready, as the transition window for them may be short. Steps that can be taken now include:

  1. Assessing whether consumer data assets can be grouped by individual consumer, and how that data could be packaged for sharing under the CDR.
  2. Evaluating the system changes needed to manage and package accurate CDR Data held about a consumer, and to securely send and receive such data with other industry participants.
  3. Reviewing the effectiveness and flexibility of current processes for collecting consumer consent, given that organisations will need to update and streamline consent forms and processes to automate CDR compliance at scale.

Taking these steps now will enable organisations to prepare themselves for the implementation of the CDR in their industry sectors while the rule book is still being written.

What we know now

Currently, the draft Bill provides that consumers will have a right to direct their service provider to share some or all of the designated CDR Data it holds about them with one or more other accredited organisations in the affected industry sector. To be entitled to receive this CDR Data, an organisation will need to be “accredited” to the level of security necessary for the relevant data. The types of CDR Data will be designated by the Minister, which means they can change quite rapidly. Currently it appears that CDR Data in the banking sector will include: personal information about each consumer; information about banking products; and information about how the consumer has used those products.

Open Banking Standards

Responsibility for developing the accreditation regime for CDR Data recipients, and the Open Banking standard for the APIs and infrastructure facilitating the transfer of CDR Data, has been assigned to the Consumer Data Standards team within Data61 (the CSIRO’s digital innovation arm). Working drafts of the standards are available at consumerdatastandards.org.au.

Compliance

CDR Data will be protected by 13 “Privacy Safeguards” which are based on the 13 Australian Privacy Principles and will operate concurrently. This means most CDR Data that is also personal information will need to comply with both the Privacy Safeguards and Australian Privacy Principles, though there will be some nuances in application, depending on whether the CDR Data is being held, transmitted or received and whether that CDR Data is also personal information.

As with privacy compliance, many of the Safeguards centre on the consent provided by the consumer. The effectiveness of that consent may be lost where consents are bundled, unclear or generic, or buried in a policy or set of terms. This may be further complicated by the proposed tiered accreditation, which may limit the classes of CDR Data that can be transferred to accredited organisations in different tiers, and which in turn means the consent process must accommodate those tiers.

Penalties for non-compliance

Should a CDR Data recipient or holder fail to comply with the applicable Privacy Safeguards, a civil penalty may be issued against them. Treasury is considering civil penalties for breaches of the Privacy Safeguards of up to $500,000 for individuals and, for corporations, the greater of $10,000,000, three times the total value of any benefits obtained, or 10% of the company’s annual turnover, which are aligned with the penalty amounts in Part VI of the Competition and Consumer Act 2010.

Direct Enforcement

Unlike the Privacy Act, the CDR will provide an aggrieved party with a direct right of action against a non-compliant organisation. Treasury also notes in its CDR Privacy Impact Assessment paper that this may give rise to consumers bringing class actions against entities that have breached the new Privacy Safeguards.

Important Disclaimer: The material contained in this article is comment of a general nature only and is not and nor is it intended to be advice on any specific professional matter. In that the effectiveness or accuracy of any professional advice depends upon the particular circumstances of each case, neither the firm nor any individual author accepts any responsibility whatsoever for any acts or omissions resulting from reliance upon the content of any articles. Before acting on the basis of any material contained in this publication, we recommend that you consult your professional adviser. Liability limited by a scheme approved under Professional Standards Legislation (Australia-wide except in Tasmania).
