The Australian Competition and Consumer Commission (ACCC) has finalised the rules governing the Consumer Data Right (CDR).
The CDR has been touted as allowing individuals to “own” their data by granting them open access to their banking, energy, phone, and internet transactions, as well as the right to control who can have it and who can use it.
The first tranche the CDR and its associated rules will affect is banking, with telecommunications and energy soon to follow.
In addition to legally requiring the four major banks to share product reference data with accredited data recipients, the rules also give legislative force to consumer data sharing obligations in banking — set to become mandatory from 1 July 2020, following delays.
Product reference data includes information such as interest rates, fees and charges, and eligibility criteria for banking products like credit cards and mortgages. Banks have voluntarily made this information available via APIs since July 2019.
Consumer data relating to credit and debit cards, deposit accounts, and transaction accounts must now be made available from the start of this coming financial year, while consumer data relating to mortgages and personal loans must be able to be shared from November 1.
A draft set of rules was published in March. The now-finalised rules still specify three different ways CDR data can be requested, with the requirements tweaked minutely: product data requests, consumer data requests made by CDR consumers, and consumer data requests made on behalf of CDR consumers.
A product data request will allow any individual to request that CDR data relating to products offered by data holders be disclosed. A specialised service provided by the data holder needs to exist, however, for this exchange to occur.
The request would have to be made in accordance with relevant data standards to be accepted, and the data would be disclosed in a machine-readable form to the person making the request.
“The data holder cannot impose conditions, restrictions or limitations of any kind on the use of the disclosed data,” the rules clarify.
A CDR consumer may also directly request a data holder to disclose CDR data that relates to them — this is known as a consumer data request.
A consumer data request that is made directly to a data holder is to again be made using a specialised online service provided by the data holder. This time, however, the data is to be disclosed in human-readable form to the CDR consumer who made the request.
A CDR consumer may request another person to request a data holder to disclose CDR data that relates to them. If the request by the third party is made in line with relevant data standards, when using the specialised service, that person will have the data disclosed in a machine-readable form.
Under the data minimisation principle, however, the accredited person may only collect and use CDR data in order to provide goods or services in accordance with a request from the CDR consumer.
As promised, the rules include the right for a person to have their data deleted.
“The accredited data recipient must: (a) determine the technique that is appropriate in the circumstances to de‑identify the relevant data to the required extent; and (b) apply that technique to de‑identify the relevant data to the required extent; and (c) delete, in accordance with the CDR data deletion process, any CDR data that must be deleted in order to ensure that no person is any longer identifiable, or reasonably identifiable,” the rules stipulate.
When the draft rules were published, they weren’t received with enthusiasm.
The Australian Privacy Foundation in March said the CDR privacy safeguards were not sufficient, and that the government has “severely” underestimated the need for more thought across the entire legislative change.
“The privacy safeguards are an additional protection given to CDR data under Part IV of the Act,” the ACCC said in its final rules.
“The privacy safeguards apply only to CDR data for which there are one or more CDR consumers (such as required consumer data and voluntary consumer data); they do not apply to CDR data for which there are no CDR consumers (such as required product data and voluntary product data).”
There are 13 “privacy safeguards” that the ACCC has deemed sufficient for protecting consumers.
Despite hearing concerns over the adequacy of the privacy safeguards within the CDR, the rushed nature of the Treasury Laws Amendment (Consumer Data Right) Bill 2019 [Provisions], the distinct banking focus the Bill will have, and whether the outcome of the CDR will serve organisations more than it will consumers, the Senate Economics Legislation Committee on 21 March recommended that it be passed.
“At the very least, it will improve on current arrangements; and it has the potential to protect and empower consumers and drive competition and innovation,” the committee wrote at the time. “The committee particularly welcomes the endorsement of the Bill from innovative high technology companies.”
The Bill was passed on August 1 and the rules will come into effect tomorrow — 5 February 2020.