14 August 2019
After approval in the Senate on 1 August 2019, the Consumer Data Right (CDR) Bill has now been passed by both houses of parliament. The CDR is built on consumer choice over data: at its heart is an increase in competition flowing from a person’s right to control their data.
The ‘Big Four’ banks have already voluntarily implemented the CDR in relation to certain product data available on credit and debit card, deposit and transaction accounts, and must provide access to data related to mortgage accounts by 1 February 2020. The CDR will also be implemented in the energy and telecommunications sectors, followed by other sectors that are yet to be determined.
The CDR is not just relevant to businesses in the sectors noted above, however – all businesses that collect and handle consumer data should familiarise themselves with key aspects of the CDR.
As Australia reforms its privacy regime in a manner that reflects aspects of the European General Data Protection Regulation (GDPR), the CDR is likely to be used as the mechanism to achieve data portability across a range of sectors.
Essentially, the CDR empowers customers to access and use data that businesses hold about them. Consumers can obtain their data held by third parties for themselves or authorise the secure sharing of their data to accredited third parties (such as comparison services who provide consumers with tools to make more informed choices).
The four key players in the CDR system are:
The principle of ‘reciprocity’ applies to accredited data recipients. Under this principle, accredited data recipients can also be classified as data holders for certain data (e.g. where they provide similar services to an entity listed in the designated class), meaning they will be required to share data with other recipients. Organisations that wish to become accredited recipients in order to improve their particular customer service offerings should be aware of their obligations as data holders under this principle. The principle creates a network of back-and-forth sharing between all entities within the CDR system, creating greater opportunities for consumers.
Given that organisations also qualify as ‘consumers’, businesses (especially those that maintain large data repositories) should contemplate the ways in which they might take advantage of their data rights. Equally, businesses should be aware that large organisations may request transfers of their data, and of the costs and infrastructure required to facilitate potentially significant transfers of data.
Only data that qualifies as ‘Consumer Data’ may be transferred under the CDR system. Data will only be considered Consumer Data if it is:
‘Consumer Data’ includes all types of data that meet the above requirements, not just personal information. Businesses will need to take steps to identify and categorise the various datasets which fall under the CDR system.
It could also comprise the following types of data:
This clearly contemplates the situation in which value-added data is designated under the CDR system and attempts to provide organisations with compensation for data which they transform for commercial purposes. However, chargeable data is subject to various restrictions and organisations should be aware of how their current costing structures will be affected.
The consumer data rules establish privacy safeguards which are additional privacy protections offered to consumers, enforced by the Office of the Australian Information Commissioner (OAIC). These safeguards provide consumers with avenues to seek remedies for breaches of their privacy or confidentiality (including access to internal and external dispute resolution and direct rights of action), and also establish obligations to provide anonymity and pseudonymity to consumers, and destroy or de-identify redundant data.
Organisations will need to be aware of the intersecting relationship between the privacy safeguards and the Australian Privacy Principles (APP):
The implementation of privacy safeguards as an additional set of privacy obligations was met with criticism through the public consultation process. In particular, there was significant concern regarding the multiplicity of obligations that data holders and data recipients would be subject to under the CDR, the APPs and, for entities operating in the EU, the GDPR.
The overlapping application of these regimes will mean that organisations may need to consider segregating their data into specific categories so that the various regulatory requirements under each can be managed and complied with.
All organisations that collect and handle consumer data should monitor the implementation of the CDR across the banking, energy and telecommunications sectors and consider the practical measures that can be implemented in order to future-proof their own operations (including accurately auditing and categorising existing, and potential future, data assets).
The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.