Comms Alliance: Banking-focused CDR falls short of telco requirements
The Telecommunications Alliance is concerned that the legislation around the upcoming Consumer Data Right (CDR) will not be overly applicable to industries other than banking, and that the rushed process will result in a disjointed framework that is not well thought out.
The CDR will allow individuals to “own” their data by granting them open access to their banking, energy, phone, and internet transactions, as well as the right to control who can have it and who can use it.
The first sector of the Australian economy to which the CDR is to be applied is the financial services sector, through an Open Banking regime, slated to commence July 1, 2019. There has since been a decision, however, to postpone until February 2020 the implementation of parts of the first stage, such as the sharing of consumer data for credit and debit cards, deposit accounts, and transaction accounts, so all involved can be more prepared. The postponement follows concerns that the Big Four banks may not be adequately prepared and that the legislation will not be properly structured in time.
As a result, the Australian Competition and Consumer Commission (ACCC) revealed in September it would shape the CDR rules around the financial services sector.
Energy is the next sector in line for the CDR, with phone and internet data to soon follow.
In a submission [PDF] compiled in response to the Treasury Laws Amendment (Consumer Data Right) Bill 2019, Comms Alliance highlighted concerns that the Bill was developed with a banking focus although the legislation and Rules Framework would apply to all sectors of the economy.
“If the process to develop an Open Banking regime (as the first sector to adopt the CDR) is already rushed and raises a large number of concerns with stakeholders, as evidenced in numerous submissions, it appears almost impossible to ensure that the legislation and associated rules are appropriately considered for other sectors of the economy which follow later in the process,” Comms Alliance wrote.
“This bears the very real risk that those later sectors will be forced to operate within a legislative and regulatory framework that has a distinct ‘banking flavour’ but lacks sufficient consideration of the particularities of other industry verticals.”
In its submission [PDF], the Telecommunications Industry Ombudsman (TIO) asked that the CDR framework be simplified so industry-based ombudsman schemes like the TIO would not need to maintain dual recognition with two different regulators for privacy and CDR.
It also wanted consideration to be given to the governance implications for industry-based ombudsman schemes like the TIO if “persons outside the telecommunications sector can receive telecommunications CDR data”.
Similarly, the TIO wanted clarification on whether the proposed CDR complaints framework, largely dependent on ACCC-made rules, would sufficiently support the TIO for new CDR members who are currently not part of the telecommunications service sector.
The dates for implementation, or the specifics around what the telecommunications sector will be required to do under the CDR, have not yet been determined.
Sharing concerns similar to those of the Australian Privacy Foundation that the privacy safeguards currently in place for the CDR are not sufficient, and that the government has “severely” underestimated the need for more thought across the entire legislative change, the Law Council of Australia (LCA) has asked for more clarity on certain elements of the CDR Bill.
In its submission [PDF], the LCA said it remains unclear as to how the privacy safeguards division of the Bill will interact with the provisions of the Privacy Act 1988 — worried specifically that the provisions of the Bill would create unnecessary complexity through the establishment of a second legislative regime of privacy requirements in addition to the provisions of any state or territory legislation that may also apply.
Additionally, the LCA showed concern for how the privacy elements wrapped around the CDR could create a situation where the same data may be both CDR data and personal information, with the consequence that the data would be dealt with under separate and potentially inconsistent privacy regimes.
“In the Law Council’s view, the proposed privacy safeguards are not adequate as currently drafted,” it wrote. “In particular, the Law Council is concerned about the potential misuse of CDR data, including de-identified aggregated CDR data, for direct marketing purposes.”