By Lisa Whiting
Consumers are set to receive certain rights in relation to personal data held about them. These rights are provided for under exposure draft legislation released by Treasury. Submissions on the draft are due by 7 September 2018.
The Consumer Data Right (CDR) will enable a consumer to have control over how, and on what terms a person holding particular types of data about the consumer may share it with third parties. For these purposes a consumer is a person to whom the CDR data relates if the person is identifiable, or reasonably identifiable, from the CDR data. Persons affected will be defined according to designations of CDR data.
A consumer can also direct that data about them must be shared with a third party nominated by the consumer. The regime will initially apply to the banking sector, with the telecommunications and energy sectors to follow. The relevant types of data subject to CDR will be designated by the Minister.
The exposure draft Treasury Laws Amendment (Consumer Data Right) Bill 2018 (Bill) follows the Productivity Commission’s Inquiry into Data Availability and Use, and implements recommendations from a range of reviews, including Competition Policy Review 2015 (the Harper Review), the Productivity Commission’s Inquiry into Data Availability and Use 2017 and the Australia 2030: Prosperity through Innovation Review 2017.
The Bill proposes amendments to the Competition and Consumer Act 2010, Australian Information Commissioner Act 2010, and Privacy Act 1988 in the following ways:
Creation of CDRs
Under the CDR framework, there are three categories of participants: CDR Consumers, Data Holders, and Accredited Data Recipients.
The CDR will enable a consumer to direct a data holder to provide data about the consumer to accredited entities including other banks, telecommunications providers, energy companies or companies providing comparison services. Consumers can also access data about themselves without necessarily directing that the data be provided to a third party.
A consumer will be able to direct that information about him or her, for example information relating to mortgages, transaction accounts and credit cards, must be shared with third parties, potentially allowing consumers to seek better deals from banks and financial service providers.
Protection and Regulation of CDRs
The framework will create a series of consumer data rules, data standards and privacy safeguards, which will protect consumers’ data and data rights.
The Australian Competition and Consumer Commission (ACCC), with the consent of the Minister, may make consumer data rules, and determine how the CDR applies to each sector. The consumer data rules will relate to the:
- accreditation of data recipients;
- use, storage, disclosure and accuracy of CDR data;
- Data Standards Body; and
- format of CDR data and the data standards.
The amendments propose the creation of data standards, which will be made and assessed by a newly created Data Standards Chair, assisted by the Data Standards Body. CSIRO’s Data61 will be the designated Data Standards Body initially.
A new series of privacy safeguards will be created, which includes protection of information not covered by the Australian Privacy Principles (APP). The privacy safeguards provide minimum standards for the treatment CDR data. The privacy safeguards will substitute the APP in relation to the use, disclosure, storage and collection of CDR data by accredited data recipients.
The ACCC and the Office of the Australian Information Commissioner (OAIC) will regulate the framework, and will develop rules and standards. The OAIC will enforce the privacy safeguards created by the framework, and will also handle complaints, particularly in relation to privacy. In addition to creating consumer data rules and determining how the CDR applies to each sector, the ACCC will enforce other parts of the regime.