In May 2018, the Federal Government announced its intention to introduce a Consumer Data Right (CDR) across the whole economy in Australia, starting with the banking sector from 1 July 2019 and with the energy and telecommunications sectors to follow.
The CDR will oblige participants in affected sectors to share certain data they have collected about their consumer customers (i.e. “CDR Data”) with other participants (i.e. including competitors). At present, despite the looming start date, the legislation creating the CDR has not yet been passed and the specific details of what data is caught and how it is to be securely shared has not yet been finalised.
Organisations (particularly in the energy and telecommunication sectors) should pay close attention to how the CDR is implemented in the banking sector to ensure they are ready, as the transition window for them may be short. Steps that can be taken now include:
Taking these steps now will enable organisations to prepare themselves for the implementation of the CDR in their industry sectors while the rule book is still being written.
Currently, the draft Bill provides that consumers will have a right to direct their service provider to provide some or all of the designated CDR Data they hold to be shared with one or more other accredited organisations in the affected industry sector. To be entitled to receive this CDR Data, an organisation will need to be “accredited” to the level of security necessary for the relevant data. The types of CDR Data will be designated by the Minister, which means it can change quite rapidly. Currently it appears that CDR Data in the banking sector will include: personal information about each consumer; information about banking products and information about how the consumer has used those products.
The responsibility for developing the accreditation for CDR Data recipients, and the Open Banking standard for the APIs and infrastructure facilitating transfer of CDR Data has been designated to the Consumer Data Standards team within Data61 (the CSIRO’s digital innovation arm). Working drafts of the standards are available at consumerdatastandards.org.au.
CDR Data will be protected by 13 “Privacy Safeguards” which are based on the 13 Australian Privacy Principles and will operate concurrently. This means most CDR Data that is also personal information will need to comply with both the Privacy Safeguards and Australian Privacy Principles, though there will be some nuances in application, depending on whether the CDR Data is being held, transmitted or received and whether that CDR Data is also personal information.
As with privacy compliance, much of the Safeguards centre on the consent provided by the consumer. The effectiveness of the consent may be lost by bundled, unclear or generic consents buried in a policy or set of terms. This may be further complicated by the proposed tiered accreditation, which may limit the classes of CDR Data that can be transferred to accredited organisations in different tiers, which in turn means the consent process must accommodate those tiers.
Should a CDR Data recipient or holder fail to comply with applicable Privacy Safeguards, a civil penalty may be issued against them. Treasury is considering civil penalties for breaches of the Privacy Safeguards of up to $500,000 for individuals and $10,000,000 for corporations; three times the total value of any benefits obtained; or 10% of the annual turnover of the company, which are aligned with Part VI of Competition and Consumer Act 2010 penalty amounts.
Unlike the Privacy Act, the CDR will provide an aggrieved party with a direct right of action against a non-compliant organisation. The Treasury also notes in their CDR Privacy Impact Assessment paper that this may give rise to consumers taking class-action against entities who have breached the new Privacy Safeguards.
The Australian Energy Regulator will review the form of regulation – a ‘scheme’ or ‘non-scheme’ – of gas pipelines around Australia (excluding Western Australia). The outcome of a review has the...
In proceedings brought in the Federal Court of Australia, ASIC has successfully established that one of the world’s largest investment managers contravened the ASIC Act when it made a series of...
2024 is off to brisk start in the cyber, privacy and data space – regulatory developments in cyber security and artificial intelligence (AI) continue at pace.