Consumer Data Right back on track

On 1 August 2019, the Senate passed the Treasury Laws Amendment (Consumer Data Right) Bill 2019 to introduce amendments to the Competition and Consumer Act 2010, the Privacy Act 1988, and the Australian Information Commissioner Act 2010 to form the framework for the Consumer Data Right (CDR). The bill followed a relatively quick turnover after it was re-introduced to parliament on 24 July 2019. In our earlier article, we provided an outline of the key components of the CDR regime. As anticipated, the timetable to implement the reforms by 1 July 2019 was ambitious, with a number of the key components of the CDR yet to be finalised.

Following the passing of the bill, we provide a timely summary of the significant updates to the key components of the CDR to date.

CDR legislation

The key requirement of the CDR regime will be that at a consumer’s direction, a data holder (for example a bank) must electronically share the consumer’s data with:

• an accredited data recipient to which the consumer has given their consent (for example another bank, or a comparison service); or
• the consumer.

“Consumer” in this context will have a broad meaning and will include small, medium and large businesses as well as individuals.

The original bill introducing the CDR lapsed on 11 April 2019. However, following the re-election of the Government in May, we anticipated that a new bill would be re-introduced soon after.

The legislation does not incorporate any substantial amendments from the original bill, despite concerns raised by Labor regarding the development of the legislation in parallel with the CDR rules and technical standards within a ‘compressed’ timeframe. However, Labor has flagged that it will seek an amendment to the legislation after the winter break to reflect the commitment from the Government to include a right for consumers to have their data deleted.

Another concern raised by Labor relates to the rise of screen scraping technology. This is used by many FinTech companies whereby they ask for customers’ logins and then scrape their data. While this is an important tool for FinTech companies, there are concerns with respect to security and potential for fraud. The question of whether or not to prohibit screen scraping technology has been a contentious one. The introduction of the CDR could reduce the need to use such technology by accredited data recipients in any case, but it may continue to be used by entities who are not accredited under the CDR regime.

CDR Rules

Banking sector

The Australian Competition and Consumer Commission (ACCC) released the exposure draft of the CDR rules for the banking sector on 29 March 2019. Since that date, the ACCC has received more than 40 submissions from banks and other industry bodies in relation to the exposure draft.

The exposure draft included a staged application of the CDR rules to the banking sector, indicating that by 1 July 2019, consumers would be allowed to:

• make ‘product data requests’ (being a request to a data holder to disclose CDR data relating to products offered by the data holder);
• to an ‘initial data holder’ (being ANZ, CBA, NAB, and Westpac);
• for the disclosure of CDR data relating to a ‘phase 1 product’ (being a savings account, call account, term deposit, current account, cheque account, debit card account, transaction account, personal basic account, GST or tax account, credit and charge card (personal) account, and credit and charge card (business) account).

We anticipate that this staged application will be implemented with an updated timetable following the passing of the legislation.

Energy sector

The ACCC released its consultation paper for the data access models that will be applicable for energy data on 24 February 2019 and held forums in Sydney on 18 March 2019. Thus far, the ACCC has received nearly 40 submissions in relation to the data access models for the energy sector.

Consumer Data Standards

As we noted in our earlier article, Data61 will initially take the role of the Data Standards Body. Data61 has been developing the draft Consumer Data Standards since November 2018, including in relation to the development of application programming interface (API) standards and the information security profile to support the implementation of the Consumer Data Standards. These standards will be very important in fleshing out how the Consumer Data Right will work in practice – for example, how a consumer may make a data request and how an entity must disclose the data.

On 11 June 2019, the ACCC initiated consultation on the technical design of the CDR register using GitHub, starting with the consultation for the CDR register API.

On 17 July 2019, Data61 released an updated working draft of the Consumer Data Standards (with a summary accessible here). Data61 expects this release to be the final draft of the Consumer Data Standards, subject to any changes in the legislation, and this will be a suitable version for pilot testing the CDR implementation. Data61 indicate that they will continue to take on ongoing comments on the Consumer Data Standards, which may be incorporated in subsequent releases of the Consumer Data Standards.

The Office of the Australian Information Commissioner (OAIC) is working closely with Data61 and the ACCC to build the Privacy Safeguards set out in the legislation into the Consumer Data Standards and the CDR’s data portability infrastructure. The OAIC plans to release the first stage of its first draft of the Privacy Safeguard Guidelines for comment in the coming month.

What next?

We anticipate that following the passing of the legislation, the finalisation of the CDR rules for the banking sector will be next on the agenda, to be followed by the finalisation of the staged application of the CDR rules as foreshadowed in the exposure draft.

If you require further guidance on how the CDR can impact on your business, please contact our team.

Authored by:

Hazel McDwyer, Partner

David Smith, Partner

Raisa Blanco, Associate