03 March 2020
Next regulatory steps taken for Australia’s consumer data right
The Treasury Laws Amendment (Consumer Data Right) Act 2019 (Cth) (CDR Act) was passed by the Australian Parliament on 1 August 2019 and became law on 12 August 2019. The CDR Act amends the Competition and Consumer Act 2010 (Cth) (CCA), and other legislation, to introduce Australia’s statutory consumer data right (CDR) regime. The CDR sets up a framework for the disclosure of specific types of data in nominated sectors of the economy, including:
The CDR is being rolled out in stages starting with the banking sector (known as ‘Open Banking’) from July 2020. Consumer data relating to credit and debit cards, deposit accounts and transaction accounts for the major banks will be made available from 1 July 2020. Other consumer data will be made available over time. CDR will also be rolled out in other sectors, with the next sector being retail energy.
On 24 February 2020 the Office of the Australian Information Commissioner (OAIC) published its CDR Privacy Safeguard Guidelines (OAIC Guidelines). This marks the next regulatory step in the implementation of Australia’s CDR.
The OAIC Guidelines and the CDR privacy safeguards
The Guidelines follow closely the format used for the OAIC’s separate guidelines regarding compliance with the Australian Privacy Principles (APPs). It is assumed this approach has been adopted given that the CDR privacy safeguards, as now contained in Part IVD of the CCA, reflect the Australian Privacy Principles.
The OAIC Guidelines are not legally binding, but nonetheless they provide very good guidance to businesses as to the OAIC’s expectations and best practice for compliance with the privacy requirements of CDR.
The CDR privacy safeguards requirements include (and this is far from a complete list):
Businesses should bear in mind that the regulatory framework for CDR is complex – in addition to taking the Guidelines into consideration, businesses must comply with the ACCC’s CDR Rules (which were released earlier in February) and the technical standards for transmitting consumer data, as released by Data61 (which is part of the Australian Government’s CSIRO). Data61 performs the role of the Data Standards Body under CDR.
A co-regulator regime
The issue by the OAIC of the Guidelines is a reminder that there are two regulators with responsibility for CDR. The ACCC is the lead regulator with the bulk of the responsibility in relation to CDR – not only in relation to the development of the CDR Rules but also in terms of, for example, accrediting potential data recipients who may access consumer data under the regime and recommending to Government other sectors in which CDR should be rolled out.
The OAIC’s responsibilities for CDR, unsurprisingly, relate to privacy issues. It is also the primary regulator that consumers may make complaints to. Privacy, and the protection of information that is able to be shared under CDR, is of course a key issue under CDR and it is expected that the OAIC will be kept very busy from 1 July 2020, which is the time that banking customer data is first able to be shared under the regime. Ultimately regulatory issues may arise under the CDR for which the OAIC and the ACCC both have responsibility – each of the regulators has publicly committed to working closely to ensure there is no inconsistency in approaches. Cooperation between the regulators is supported by information sharing powers and the ability to delegate certain functions to each other.
What’s next for CDR?
2020 will be a big year for CDR.
The ACCC’s consultation on how the CDR Rules can best facilitate participation by third party services providers (for example, that act as intermediaries or in circumstances where a consumer consents to their CDR data being disclosed from an accredited person to a non-accredited person) closed on 3 February 2020. That consultation will inform draft rules the ACCC is proposing to consult on in March 2020 with a view to finalising the rules by the middle of the year.
In addition, the ACCC is consulting on the implementation of CDR in the retail energy sector. The ACCC announced its chosen model for sharing consumers’ data in August 2019, following a discussion paper published in February 2019. Under the model proposed for this sector, the Australian Energy Market Operator (AEMO) will act as a gateway and provide data on a consumer’s current electricity arrangements from their current provider to trusted third parties when authorised by the consumer. The ACCC is developing rules to accommodate energy-specific arrangements, including appropriate authorisation and authentication models, which it will consult on in due course.
The government itself is also undertaking further consultation on CDR. Notwithstanding that the CDR rollout is only in its infancy, in January 2020 the Australian Treasurer announced a new review of the CDR to determine how CDR can further support innovation and competition. It seems very likely that the recommendations from that review will result in enhancements to the regime. For example, one of the tasks of that review is to look at how CDR may be used to overcome behavioural and regulatory barriers to allow consumers to switch between products and providers. Although undertaking such a further review in 2020 may be considered to be premature, it indicates the importance the government places on CDR and the benefits it may bring to Australians and the Australian economy. Even businesses in sectors which are outside those targeted for CDR in the short term should already be considering how they may benefit (and help their customers benefit) from CDR.
Authors: Angela Flannery & Sarah Cass
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this newsletter is accurate at the date it is received or that it will continue to be accurate in the future.