The Australian Consumer Data Right will empower consumers but will increase regulatory burden and compliance for businesses. What privacy and data systems will your business need to comply with the new regime?
On 1 August 2019, the Federal Government passed the Treasury Laws Amendment (Consumer Data Right) Bill 2019, giving Australians greater control over, and access to, their data in certain designated sectors. The Bill has had a tumultuous history: in 2017 the Government announced its intention to create the Consumer Data Right (CDR) following the Productivity Commission’s inquiry into the use of data, but the Bill lapsed ahead of the Federal Election. With its reintroduction, the CDR is touted as one of the greatest moves by the Government towards empowering consumers.
The CDR will allow consumers to access their data held by service providers and share it with trusted and accredited third parties (such as banks and comparison sites). The data under the CDR regime will include:
- Transaction Data – such as data relating to balances and dates of transactions;
- Customer Data – data relating to customer details such as name, account number, mobile phone and direct debit account;
- Product Data – data such as the product type, name and price.
The CDR will improve competition, consumer choice and convenience as data can be communicated with third party comparison sites to increase the consumer’s negotiation power, allowing them to compare products and providers to seek out the best deal for their money. Service providers are required to give customers open access to data on their product terms and conditions, forcing businesses to be more transparent, innovative and price competitive on the products offered to consumers.
Where will the CDR apply?
The CDR has a broad geographic application, covering data generated or collected within Australia and outside Australia. The CDR will apply to data collected outside of Australia if it is by an Australian company (registered under Parts 21.2 or 5B.1 of the Corporations Act 2001 (NSW)) or an Australian citizen or permanent resident.
Who will the CDR apply to?
The CDR will initially apply to the banking sector, before being phased into the energy and telecommunications sectors. After that, it will gradually apply to other industries on a sector-by-sector basis. The additional sectors required to implement the CDR will be designated by the Treasurer based on advice from the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC).
When will the CDR apply?
The ACCC announced on 20 December 2019 that its plans to roll out the CDR in the banking sector will go live from 1 July 2020, enabling consumers to direct major banks to share their data in relation to credit and debit cards, deposit accounts and transaction accounts with accredited recipients of CDR data. Mortgage and personal data will be able to be shared after 1 November 2020; however, the ACCC has made it clear that it will continue to consult with various stakeholders, including industry, consumer and privacy groups, which may alter these intended roll-out dates.
Who will regulate the CDR?
Given that the CDR inherently intersects competition and consumer law as well as privacy law, the CDR will be jointly governed by the ACCC and the OAIC. The ACCC will take the lead on the designation of new sectors of the economy to be subject to the CDR and the establishment of the relevant rules, whereas the OAIC will regulate matters concerning privacy and confidentiality and ensure compliance with the supplementary CDR Privacy Safeguards, discussed below.
What about Privacy?
The CDR Privacy Safeguards have been specifically designed to include further protection not covered by the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) (Privacy Act). For this reason, the APPs will be “switched off” and substituted with the CDR Privacy Safeguards for accredited data recipients of CDR data (i.e. those who are ‘licensed’ to receive data through the CDR system). However, the APPs will continue to apply to CDR data held by data holders (holders of the original data that the right to transfer applies to) and to designated gateways (entities designated as responsible for facilitating the transfer of information between data holders and accredited persons).
What does this mean for your business?
The CDR will initially affect businesses within the banking, energy and telecommunications sectors, meaning there will be an increased regulatory burden on these organisations. If your business is in the banking, telecommunications or energy sectors, or has clients in those sectors, then you should be prepared for these changes.
Ensure your privacy safeguards and measures are in place by reassessing your compliance arrangements and checking the status of your current data protection systems to meet the new standards. Businesses should have an adequate functional system in place to respond to consumer data directions when they request access to or transfer of their data. As both consumers and the ACCC can bring action against you for not complying with the CDR, having a well-established process for dealing with complaints and privacy issues is crucial for the compliance and growth of your business.