The Australian Government has recently introduced a Consumer Data Right (CDR). The CDR gives consumers the ability to choose who they share their data with.
The Australian Competition and Consumer Commission (ACCC), which has a new role in determining the rules that will govern the CDR regime as well as enforcing it, [1] has released the Consumer Data Right Rules Framework (September 2018) for consultation with the public.
Under the Rules Framework a data holder will be required to share CDR data with the consumer themselves or accredited data recipients (ADR), as discussed in more detail below.
Sharing data with the consumer
The ACCC proposes to make rules allowing consumers to:
request their CDR data from a data holder using (a) an online mechanism such as a website or application if the customer uses that same platform to perform actions on their account or (b) an open application programming interface (API);
nominate specific CDR data in their request; and
receive their CDR data in a variety of electronic formats.
Sharing data with ADRs
The ACCC proposes to make rules so that data is shared with ADRs in the following way:
| Step | Stage | Requirement |
| --- | --- | --- |
| Step 1 | Consent | The consumer gives express and informed consent for the ADR to collect and use the consumer’s data. The consent should cover issues like the scope of data involved, the intended use or purpose and the time period over which the data is made available. |
| Step 2 | Authentication | When an ADR seeks to access a consumer’s data from the data holder, the data holder must then authenticate the identity and accreditation status of the ADR. |
| Step 3 | Authentication | When an ADR seeks to access a consumer’s data from the data holder, the data holder must also authenticate the identity of the consumer. |
| Step 4 | Authorisation | A consumer must then authorise the data holder to disclose their data to the ADR. The authorisation should reflect the scope of data consented to by the consumer in Step 1 (but not include the ADR’s intended use of that data). |
| Step 5 | Data Sharing | A consumer’s data is then shared between a data holder and an ADR via an API. |
The parties involved in data sharing
CONSUMERS
The definition of “CDR consumer” in the draft legislation is broader than the definition of “consumer” under the Competition and Consumer Act 2010 (Cth). As a result, the CDR regime will apply to individuals, businesses and trusts. The ACCC is proposing that current customers of a bank who have access to and use online banking can rely on the CDR regime. The ACCC is seeking views on when it would be appropriate to extend CDR to former or offline bank customers.
DATA HOLDERS
The Rules Framework states that all Authorised Deposit-Taking Institutions (ADIs), other than foreign bank branches, will be specified as data holders. The ACCC proposes to make rules creating a phased implementation of the CDR regime to Open Banking.
Phase 1 will see the obligation to share CDR data applied to the “four major banks”: ANZ, CBA, NAB and Westpac (but not their related brands). Their related brands will be captured by Phase 2.
Phase 2 will see the obligation to share CDR data applied to all other ADIs (except for foreign bank branches) 12 months later.
The ACCC will allow for exemptions from some or all of the obligations in certain cases.
ACCREDITED DATA RECIPIENT
Under the Rules Framework, an applicant will only be an ADR after it has satisfied the criteria in the rules and has been granted accreditation from the Data Recipient Accreditor. Initially, the ACCC will be the Data Recipient Accreditor and there will only be a single general tier of accreditation. A different streamlined accreditation process will apply for ADIs who are data holders and wish to be registered as ADRs.
Data captured by the CDR regime
Under the Rules Framework, CDR data captures customer data, transaction data and product data relating to an account a customer holds.
Other
There are two other important points to note from the Rules Framework.
No Fee for Consumers
Although the draft legislation allows the ACCC to specify a fee for the disclosure or use of specified CDR data, the ACCC has chosen not to specify a fee.
A Civil Penalty for Non-Compliance
The Rules Framework does not currently identify which rules will be subject to a civil penalty. However, the ACCC’s view is that rules imposing obligations on data holders and ADRs will have civil penalty provisions.
Key dates
Submissions on the Rules Framework are due by 5pm on 12 October 2018. The ACCC will also be holding a number of stakeholder forums in person in Melbourne and Sydney, and online. Further details are available here.
The ACCC expects that draft rules will be published in December 2018. The ACCC does not have legal authority to make the rules until draft legislation outlining the legislative framework has passed Parliament. This is expected to occur in early 2019.
[1] Government’s exposure draft legislation released on 14 August 2018.