On 15th August 2018, the Australian Government released draft legislation to introduce a data portability right in Australia, to be known as the 'Consumer Data Right' (CDR). The new right will give consumers the power to gain access to and direct their information to accredited businesses in a particular economic sector. This information must be supplied in a format that complies with standards to be set by the forthcoming Data Standards Body.
The scope of the CDR is wider than the 'data portability' right recently introduced by the EU's General Data Protection Regulation (GDPR). It is also broader than the Privacy Act in key respects, notably because it extends beyond information about a reasonably identifiable individual. The new right will apply to both individual and business consumers, with no monetary limit on the size of business consumers.
The Australian Government has already confirmed that the CDR will be introduced in the banking, telecommunications and energy sectors. The Australian Competition and Consumer Commission (ACCC) will be responsible for advising the Minister on any further sectors to designate.
Businesses should start thinking now about the practical implications of the CDR to ensure that they are well placed to reap the benefits it might bring as well as manage the business risks and compliance issues that arise from it.
Why have a CDR?
The purpose of the CDR is to give consumers better control over their data and to enhance competition. The CDR is a response to the Australian Productivity Commission's recommendations in its 'Data Availability and Use' report released on 8 May 2017 (the Report).
Key benefits identified in the draft legislation and the Report include:
- Benefiting consumers by enabling them to provide data to suppliers who can then tailor products and services to meet their needs;
- Reducing the costs to consumers of switching between providers of products and services;
- Lowering barriers to entry for new entrants to markets where incumbents have data that gives them market power, and thereby expanding consumer choice;
- Promoting linked services and interoperability of technology and providing a knowledge basis for innovation;
- Making markets more efficient by addressing information imbalances.
What kinds of data will be affected by the CDR?
There are 3 broad categories of data that will be the subject of the CDR:
- Data that relates to a consumer or has been provided by a consumer;
- Data that relates to a product; and
- Data that is derived from these sources.
Data that ‘relates’ to a consumer is broader than the definition of ‘personal information’ in the Privacy Act 1988 (Cth) in at least two ways. First, it extends to businesses as well as individuals. Second, it extends beyond information ‘about’ an individual. In Privacy Commissioner v Telstra Corporation Limited FCAFC 4, the Federal Court found that ‘personal information’ in the Privacy Act is confined to information ‘about’ an individual. In that proceeding, a distinction was drawn between information ‘about’ an individual and, for example, information ‘about’ their car where it has been provided for repair. The CDR will apply to information about the car and its repair, and not just to information about the person or entity that owns the car.
The CDR will also apply to data that is collected or generated outside of Australia if it has been commissioned by an Australian-registered corporation, an Australian citizen or a permanent resident. In the context of banking, the right will therefore capture data generated through overseas transactions using Australian-issued bank cards.
What will the CDR look like?
The draft CDR legislation is designed around 3 key players: data holders, CDR consumers, and accredited data recipients. Each of these players will be subject to a set of forthcoming Consumer Data Rules (the Rules), which will operate as a binding contract between them. The Rules will be drafted and enforced by the ACCC, and will likely cover:
- Disclosure, use, accuracy, storage, security and deletion of CDR data;
- Accreditation of data recipients;
- Reporting and record keeping; and
- Any other matters incidental to the CDR system.
Only accredited entities and individuals are able to receive CDR data. The accreditation process ensures that data recipients have met various security and privacy safeguards before receiving CDR data. The forthcoming Data Recipient Accreditor will be responsible for managing this accreditation process.
The Rules will include sectoral variances to account for the different attributes and needs of different economic sectors. The draft legislation also contemplates the classification of CDR data into different categories, with the view to imposing more rigorous data security standards on some categories than on others. The categories may also be used to establish fees in relation to the disclosure of certain categories of data to acknowledge the value-added nature of some data. This acknowledges the impact that free data may have on the incentives for businesses to collect value-added data.
Who will be responsible for regulating the CDR?
The ACCC and the Office of the Australian Information Commissioner (OAIC) will be jointly responsible for implementing and enforcing the CDR. The ACCC will have its existing enforcement tools at its disposal to enforce various CDR rights and obligations, including civil penalty provisions. Furthermore, the forthcoming Data Standards Body will be initially housed within CSIRO's Data61, and will be responsible for setting technical standards for the format, security and transmission of data.
How does the CDR interact with the Australian Privacy Principles (APPs)?
CDR data will be subject to its own set of privacy protections, to be known as the 'CDR Privacy Safeguards'. Generally, the APPs will continue to apply to data holders, who will be subject to additional requirements once a request for CDR data is made by a consumer. Accredited data recipients will be subject to the CDR Privacy Safeguards in substitution for the APPs. Each safeguard mirrors (but provides a higher standard than) each APP, covering the following topics:
- Open and transparent management of CDR data;
- Anonymity and pseudonymity;
- Collecting solicited CDR data;
- Dealing with unsolicited CDR data;
- Notifying the collection of CDR data;
- Use or disclosure of CDR data;
- Use or disclosure of CDR data for direct marketing by accredited data recipients;
- Cross-border disclosure of CDR data;
- Adoption or disclosure of government related identifiers;
- Quality of CDR data;
- Security of CDR data; and
- Correction of CDR data.
Which sectors will be affected by the CDR?
The CDR will first be rolled out in the banking sector, with the energy and telecommunications sectors to follow. The ACCC's newly established Access to Data Unit is tasked with making recommendations to the Minister on any further sectors to implement the CDR.
The ACCC's timeline for implementation in the banking sector is as follows:
- July 2019: all major banks to have data available on credit and debit cards, transaction and deposit accounts;
- February 2020: all major banks to have data available on mortgages;
- July 2020: all major banks to have data available on all remaining products.
These timeframes are subject to extension by the ACCC. All other banks are to be given an additional 12 months for each implementation stage. The timeframes for the energy and telecommunications sectors have yet to be announced.
Interoperability challenges in implementing the CDR
One of the objectives of the CDR is to reduce the cost to consumers of comparing and switching between providers of products and services. This is to be achieved through the implementation of data standards, which seek to promote data interoperability.
However, the current design of the CDR does not place any obligations on businesses to either a) become accredited data recipients, or b) use the data that is transferred to them by a consumer. This raises questions as to the extent to which businesses will elect to become accredited so as to receive data. The usefulness of the CDR to consumers could be limited if take-up is low.
It is worth noting that one consideration for some businesses in deciding whether to seek accreditation is that interoperability rules for data could affect data security risks through the standardisation of information storage and format.
How can businesses become 'CDR ready'?
Although the CDR has not come into force yet, businesses in Australia should start thinking about:
- Whether their IT systems are able to produce copies of data about consumers in a machine-readable format;
- What the business' internal procedures for handling requests for access to, or the transfer of, consumer data may look like;
- What the business' internal notification procedures for the trading or disclosure of consumer information may look like;
- Whether the CDR will affect any commercial arrangements around consumer data held by the business (whether created or acquired by a third party), and how the costs of fulfilling CDR requests will be dealt with; and
- What impact the legislation may have in the business' sector, including any opportunities that access to consumer data held by other businesses which serve the same consumers could bring, and how best to realise those opportunities.