Go to our Contact page for our office details.
The ACCC releases Rules Framework for the Consumer Data Right
The Australian Government has recently introduced a Consumer Data Right (CDR). The CDR gives consumers the ability to choose who they share their data with.
The Australian Competition and Consumer Commission (ACCC), who has a new role in determining the rules that will govern the CDR regime as well as enforcing it, has released the Consumer Data Right Rules Framework (September 2018) (Rules Framework) for consultation with the public.
Under the Rules Framework a data holder will be required to share CDR data with the consumer themselves or accredited data recipients (ADR), as discussed in more detail below.
Sharing data with the consumer
The ACCC proposes to make rules allowing consumers to:
- request their CDR data from a data holder using (a) an online mechanism such as a website or application if the customer uses that same platform to perform actions on their account or (b) an open application programming interface (API);
- nominate specific CDR data in their request; and
- receive their CDR data in a variety of electronic formats.
Sharing data with ADRs
The ACCC proposes to make rules so that data is shared with ADRs in the following way:
|Step 1||Consent||The consumer gives express and informed consent for the ADR to collect and use the consumer’s data. The consent should cover issues like the scope of data involved, the intended use or purpose and the time period over which the data is made available.|
|Step 2||Authentication||When an ADR seeks to access a consumer’s data from the data holder, the data holder must then authenticate the identity and accreditation status of the ADR.|
|Step 3||Authentication||When an ADR seeks to access a consumer’s data from the data holder, the data holder must also authenticate the identity of the consumer.|
|Step 4||Authorisation||A consumer must then authorise the data holder to disclose their data to the ADR. The authorisation should reflect the scope of data consented to by the consumer in Step 1 (but not include the ADR’s intended use of that data).|
|Step 5||Data Sharing||A consumer’s data is then shared between a data holder and an ADR via an API.|
The parties involved in data sharing
The ACCC will allow for exemptions from some or all of the obligations in certain cases.
ACCREDITED DATA RECIPIENT
Data captured by the CDR regime
Under the Rules Framework, CDR data captures customer data, transaction data and product data relating to an account a customer holds.
|CUSTOMER DATA||TRANSACTION DATA||PRODUCT DATA|
|The ACCC proposes to make rules specifying what customer data will include at the very minimum (e.g. customer name, contact details, account number, direct debits). The obligation to share customer data will only apply where it is kept in a digital form. The ACCC is considering including authorisations to share data under the CDR regime (as per Step 4 above) as customer data in later versions of the rules.||The ACCC proposes to make rules specifying what transaction data will include at the very minimum (e.g. opening and closing balance, date of certain transactions). The ACCC is considering whether metadata should be included.||The ACCC proposes to make rules requiring generic product data (e.g. product type, names and prices) to be made generally available via an API. The obligation to share product data to a customer will apply where the data relates to an account that a customer holds (e.g. applicable fees, charges or interest rates on that account).|
There are two other important points to note from the Rules Framework.
|Although the draft legislation allows the ACCC to specify a fee for the disclosure or use of specified CDR data, the ACCC has chosen not to specify a fee.||The Rules Framework does not currently identify which rules will be subject to a civil penalty. However, the ACCC’s view is that rules imposing obligations on data holders and ADRs will have civil penalty provisions.|
Submissions on the Rules Framework are due by 5pm on 12 October 2018. The ACCC will also be holding a number of stakeholder forums in person in Melbourne, Sydney and online. Further details are available here.
The ACCC expects that draft rules will be published in December 2018. The ACCC does not have legal authority to make the rules until draft legislation outlining the legislative framework has passed Parliament. This is expected to occur in early 2019.
 Government’s exposure draft legislation released on 14 August 2018.