On 12 September 2018, the Australian Competition and Consumer Commission (ACCC) released for public consultation the Consumer Data Right (CDR) Rules Framework (Rules Framework) following the release of the exposure draft Treasury Laws Amendment (Consumer Data Right) Bill 2018 (the Bill) which proposes amendments to the Competition and Consumer Act 2010 (Cth), the Australian Information Commissioner Act 2010 (Cth), and the Privacy Act 1988 (Cth).
The CDR regime established by the Bill enables a consumer to direct a data holder to provide data about the consumer to accredited entities.
In our earlier summary of the Bill, we noted that much of the detail was in the underlying rules. The Rules Framework does not provide the underlying rules that are required to implement the CDR. Rather, the aim of the Rules Framework is to outline the approach and substantive positions the ACCC proposes to take when making the underlying rules. Alternatively, it provides a framework for a third party to make underlying rules, which reflects the approach taken in drafting the first version of the Privacy (Credit Reporting) Code 2014.
The first sector to be “designated” for the purpose of the CDR Regime is the banking sector, so the Rules Framework has a banking focus. The Rules Framework also identifies issues upon which the ACCC is yet to form a view. Importantly, the Rules Framework does not outline the proposed drafting of the rules. It is expected that the draft rules will be published in December this year.
In addition to the CDR being layered and potentially complex, the late release of the rules, and the tight implementation timeframe will potentially present a challenge to the first adopters.
It is intended that the rules and standards will jointly address many of the issues necessary for the CDR to operate, including:
• which consumers can take advantage of the CDR;
• the data sets that are within scope;
• the criteria an entity must satisfy to be an ‘accredited data recipient’;
• requirements for consumer consent;
• requirements for authorisation and authentication; and
the limits a consumer can place around the use of their data.
The consultation period on the Rules Framework is open for comments until 5pm 12 October 2018.
If you are interested in responding to the Rules Framework, or would like further information on the CDR regime generally, please contact us.