A Game Changer in Data Economy: Australian Consumer Data Right Law
Data Is An Asset, Not A Threat
Thanks to the digital economy, everything you do on the internet creates data, be it clicking a video link, booking a restaurant or making an online purchase. This information is in the hands of companies, who have captured data for free when customers opted for their services.
It’s high time we empowered consumers with more choices and bargaining power by giving them control over their own data.
With thousands of products and service providers flooding the market, consumers face a myriad of choices when comparing and selecting among the many different offers. This is how companies take advantage of imperfect information to retain customers and delude them into signing on for cruddy deals, even when there are optimal choices out there somewhere in the ether.
Facing multiple options, which look similar but are fundamentally different, what is the key to identifying the one that fits you best?
For example, to pick the cheapest telecom operator, you need information on your own personal usage patterns before you can effectively weigh the pros and cons of different data plans. This is exactly how consumer data can provide valuable insight for consumers.
In light of this, the Australian Government introduced the Treasury Laws Amendment (Consumer Data Right) Bill 2019.
The Bill contains the legislative framework for the implementation of a consumer data right (CDR).
Before the CDR was introduced, consumer data was an under-utilised resource. Owing to risk aversion and mistrust in the commercial use of data, the law was not oriented to encourage consumers’ participation in data collection and transfer.
The birth of the CDR turns this around.
What Is The CDR?
In a nutshell, it offers consumers the right to instruct their suppliers to disclose information relating to them and to share it with accredited third parties in a convenient, safe and efficient manner.
In order to promote an effective product disclosure regime, the CDR also allows consumers to access information about specific products and information pertaining to other consumers, so long as those consumers stay unidentified.
It is hoped that these initiatives can facilitate more informed choices and stimulate market competition.
The Consumer: this is the person or entity that has the right to instruct the transfer of their information from the data holder to the accredited data recipient (ADR). “Consumer” as defined under the CDR rules is more extensive than under the Competition and Consumer Act 2010 (Cth). Both individual consumers and business consumers, including SMEs, are deemed consumers in the new regime.
The Data Holder: this is the original entity that holds the data and shall transfer data upon a consumer’s request, e.g. the consumer’s bank.
The Accredited Person / Data Recipient: an “accredited person” is a person who is authorised to receive data through the CDR system. Once they obtain such data, they become an ADR and are subject to the privacy regulations under the CDR rules.
What Data Is CDR Data?
It includes any data designated as CDR data by the Australian Treasurer and any data derived from it, whether created and collected inside or outside Australia. This data should be provided in a machine-readable format.
There is a groundswell of concern about such wide coverage. Some argue that it should only apply to raw, directly-collected data in order to respect the intellectual property of data holders.
Nonetheless, the Treasurer adhered to a broad definition to prevent organisations from dodging the rules by converting their data so that it falls outside the regulation. In this aspect, the CDR is more extensive than many foreign regimes, such as the European Union’s General Data Protection Regulation, which only includes data that is ‘provided by’ the consumer to the data holder.
The Australian Competition & Consumer Commission has the power to designate industry sectors for the application of CDR.
First in line is the banking industry, which is why CDR is also known as the “Open Banking” legislation. The four major banks in Australia and other authorised deposit-taking institutions will follow a timeline for making their data available.
The first deadline is fixed for 1 July 2019, when the four major banks will have to make their data on credit and debit card, deposit and transaction accounts available.
The telecommunications and energy sectors are next, though the precise dates have not been announced yet. The Australian Government has also foreshadowed that the CDR will take effect economy-wide sector by sector.
How To Retrieve Your Data?
There are three different ways to retrieve your data: product data requests (PDRs), consumer data requests, and consumer data requests made on behalf of CDR consumers.
Taking the banking industry as an example, consumers will have access to a specialised bank portal where they can request a copy of their data free of charge. Consumers can then freely use their data “as they see fit”. Third parties such as accountants or financial advisors can also be appointed by consumers to lodge a request on their behalf.
How Will Consumers Be Protected?
The CDR obviously has many potential benefits – giving consumers more influence over how value is created and extracted from their data, hence promoting an effective, fair and competitive market. However, there is overwhelming concern over the risks associated with privacy.
Privacy safeguards are in place to protect consumers once a request is lodged to transfer that data to an accredited third party. These protections are wider than those currently provided in the Privacy Act 1988 (Cth), imposing restrictions on the possible use of the data.
For instance, direct marketing is prohibited except with the consumer’s consent. This is important because otherwise, marketers can exploit vulnerable groups by marketing high-risk products to them after acquiring their personal data. Moreover, consumers will be notified every time their data is disclosed. These privacy safeguards will apply to all data designated as ‘consumer data’, not only data relating to identifiable individuals.
Failing to comply with the CDR “civil penalty provisions” creates criminal offences. One example of conduct attracting such a penalty is when an entity fraudulently represents that it is entitled to receive CDR data. The Australian Privacy Principles and the EU General Data Protection Regulation will operate alongside the CDR, so it is essential for companies to watch out for the three different regimes and ascertain the obligations relevant to them.
What Should Companies Do Now?
Service providers in the banking, telecommunications and energy sectors should be busy mapping out policies and systems for compliance with the new regime at the moment. From developing new arrangements and technologies to setting up efficient data managing and transferring platforms to training staff on compliance matters, companies in these industries should start equipping themselves early on so they won’t be caught off guard when the deadlines loom closer.
This article does not constitute legal advice.
The opinions expressed in the column above represent the author’s own.