24/09/2018

The Australian Government has recently introduced a Consumer Data Right (CDR).  The CDR gives consumers the ability to choose who they share their data with. 

The Australian Competition and Consumer Commission (ACCC), who has a new role in determining the rules that will govern the CDR regime as well as enforcing it,[1] has released the Consumer Data Right Rules Framework (September 2018) (Rules Framework) for consultation with the public.

Under the Rules Framework a data holder will be required to share CDR data with the consumer themselves or accredited data recipients (ADR), as discussed in more detail below.

Sharing data with the consumer

The ACCC proposes to make rules allowing consumers to:

  • request their CDR data from a data holder using (a) an online mechanism such as a website or application if the customer uses that same platform to perform actions on their account or (b) an open application programming interface (API);
  • nominate specific CDR data in their request; and
  • receive their CDR data in a variety of electronic formats.

Sharing data with ADRs

""

 

The ACCC proposes to make rules so that data is shared with ADRs in the following way:

Step 1 Consent The consumer gives express and informed consent for the ADR to collect and use the consumer’s data.  The consent should cover issues like the scope of data involved, the intended use or purpose and the time period over which the data is made available.
Step 2 Authentication When an ADR seeks to access a consumer’s data from the data holder, the data holder must then authenticate the identity and accreditation status of the ADR.
Step 3 Authentication When an ADR seeks to access a consumer’s data from the data holder, the data holder must also authenticate the identity of the consumer.
Step 4 Authorisation A consumer must then authorise the data holder to disclose their data to the ADR.  The authorisation should reflect the scope of data consented to by the consumer in Step 1 (but not include the ADR’s intended use of that data).
Step 5 Data Sharing A consumer’s data is then shared between a data holder and an ADR via an API.

The parties involved in data sharing

""

CONSUMERS
The definition of “CDR consumer” in the draft legislation is broader than the definition of “consumer” under the Competition and Consumer Act 2010 (Cth).  As a result, the CDR regime will apply to individuals, businesses and trusts. The ACCC is proposing that current customers of a bank who have access to and use online banking can rely on the CDR regime.  The ACCC is seeking views on when it would be appropriate to extend CDR to former or offline bank customers.

""

DATA HOLDERS
The Rules Framework states that all Authorised Deposit-Taking Institutions (ADIs), other than foreign bank branches, will be specified as data holders. The ACCC proposes to make rules creating a phased implementation of the CDR regime to Open Banking.

Phase 1 will see the obligation to share CDR data applied to the “four major banks”: ANZ, CBA, NAB and Westpac (but not their related brands). Their related brands will be captured by Phase 2.

Phase 2 will see the obligation to share CDR data applied to all other ADIs (except for foreign bank branches) 12 months later.

The ACCC will allow for exemptions from some or all of the obligations in certain cases.

""

ACCREDITED DATA RECIPIENT
Under the Rules Framework, an applicant will only be an ADR after it has satisfied the criteria in the rules and has been granted accreditation from the Data Recipient Accreditor. Initially, the ACCC will be the Data Recipient Accreditor and there will only be a single general tier of accreditation. A different streamlined accreditation process will apply for ADIs who are data holders and wish to be registered as ADRs.

Data captured by the CDR regime

Under the Rules Framework, CDR data captures customer data, transaction data and product data relating to an account a customer holds.

""CUSTOMER DATA ""TRANSACTION DATA ""PRODUCT DATA
The ACCC proposes to make rules specifying what customer data will include at the very minimum (e.g. customer name, contact details, account number, direct debits). The obligation to share customer data will only apply where it is kept in a digital form.  The ACCC is considering including authorisations to share data under the CDR regime (as per Step 4 above) as customer data in later versions of the rules. The ACCC proposes to make rules specifying what transaction data will include at the very minimum (e.g. opening and closing balance, date of certain transactions).  The ACCC is considering whether metadata should be included. The ACCC proposes to make rules requiring generic product data (e.g. product type, names and prices) to be made generally available via an API.  The obligation to share product data to a customer will apply where the data relates to an account that a customer holds (e.g. applicable fees, charges or interest rates on that account).

Other

There are two other important points to note from the Rules Framework.

 

No Fee for Consumers

A Civil Penalty for Non-Compliance

Although the draft legislation allows the ACCC to specify a fee for the disclosure or use of specified CDR data, the ACCC has chosen not to specify a fee. The Rules Framework does not currently identify which rules will be subject to a civil penalty.  However, the ACCC’s view is that rules imposing obligations on data holders and ADRs will have civil penalty provisions.

Key dates

Submissions on the Rules Framework are due by 5pm on 12 October 2018. The ACCC will also be holding a number of stakeholder forums in person in Melbourne, Sydney and online. Further details are available here.

The ACCC expects that draft rules will be published in December 2018. The ACCC does not have legal authority to make the rules until draft legislation outlining the legislative framework has passed Parliament. This is expected to occur in early 2019.


[1] Government’s exposure draft legislation released on 14 August 2018.

 

""