On 15 August 2018, the Government released the Exposure Draft of the Treasury Laws Amendment (Consumer Data Right) Bill 2018 (Bill).
The Bill provides a legislative framework for implementation of the consumer data right in accordance with the recommendations of Treasury's Review into Open Banking in Australia 2017 (Review) and will amend (among others) the Competition and Consumer Act 2010 (CCA), and the Privacy Act 1988 (Privacy Act).
As recommended by the Review, the Bill provides a dual regulator model under which both the ACCC and the Office of the Australian Information Commissioner (OAIC) play key roles. The ACCC will lead strategic enforcement with a focus on consumer and competition issues, including designating sectors to be subject to the regime and establishing the consumer data right rules (CDR rules), and will have primary responsibility for enforcing the majority of the regime. The OAIC will be responsible for enforcing the privacy safeguards under the CCA. Either regulator may delegate relevant enforcement functions to the other as necessary to support its role.
What is the consumer data right?
The consumer data right provides individuals and businesses (CDR consumers) with a right to efficiently access specified data relating to them when held by businesses (data holders) and to direct that the information be provided to trusted and accredited third parties (data recipients), with a view to increasing competition in various markets.
Note that a person will be a data holder in respect of CDR data which is held by, or on behalf of that person. Therefore, an entity (e.g. an authorised deposit-taking institution for the purposes of open banking) will be a data holder in respect of CDR data even if the data is held on its behalf by a third party under an outsourcing arrangement.
The consumer data right will apply to specific sectors of the Australian economy as designated by the Treasurer, on advice from the ACCC. The Bill will initially apply to the banking sector ("open banking") from 1 July 2019. The consumer data right will subsequently be extended to the energy and telecommunications sectors, with others to follow.
The scope of CDR data will vary by sector and will be specified in sector-specific rules. Nevertheless, the definition of CDR data in the Bill is broad and could potentially include aggregated data and "value-add" data generated by a data holder, derived from underlying personal and transaction data, both of which the Review recommended should be excluded from the scope of CDR data.
The jurisdictional reach of the consumer data right is broader than that of the Privacy Act. The regime applies to CDR data "collected or generated in Australia" but is not limited to entities carrying on business in Australia and could therefore capture foreign companies generating or collecting CDR data in Australia. CDR data generated or collected outside of Australia by, or on behalf of, an Australian registered corporate entity or an Australian citizen or permanent resident will also be captured by the scheme, allowing CDR consumers to direct the transfer of data about transactions occurring overseas (provided that the bank is registered in Australia).
How does the law work?
The Bill provides only the legislative framework for the consumer data right. As the first stage of the new scheme, the detailed scope and operation of the right will be determined after the legislation is passed, through the relevant CDR rules and the data standards, including technical standards (Standards), which are yet to be released.
Although the Bill does not detail how the CDR rules will operate in practice, it provides the ACCC with a broad power to make CDR rules for designated sectors, addressing matters including:
- the disclosure, use and storage of CDR data (including consent requirements);
- accreditation of data recipients;
- reporting and record keeping; and
- incidental or related matters (including data standards).
The Bill establishes a data standards body responsible for making Standards which set out the technical requirements and specifications for CDR data, including the format and process by which the data must be transferred. This function will initially be undertaken by Data61, the data innovation arm of the CSIRO. The Standards will create an enforceable contractual right between CDR participants, facilitating access to data in the format and manner prescribed.
Spotlight on privacy
Privacy safeguards are a key feature of the Bill, forming part of the primary legislation under the amended CCA. They include enhanced privacy protection for CDR data that relates to a CDR consumer, and provide the minimum standards for treatment of CDR data under the regime. The prescribed safeguards will be supplemented through the rule-making and standard-setting process.
The range of data caught under the consumer data right, and subject to these privacy protections, is broader than the Privacy Act. The privacy safeguards under the amended CCA will apply to CDR data for which there are one or more CDR consumers. A "CDR consumer" is defined as any "person" to whom CDR data relates. The Explanatory Memorandum (EM) confirms that a CDR consumer can include any individual or small, medium or large business enterprise for whom CDR data has been created or to whom it relates. The description of CDR data as data that "relates" to a CDR consumer also broadens the application of the regime by creating a lower threshold for the kind of information that will be protected under the Bill. The Privacy Act, by comparison, applies to a narrower class of data that is about an identified or reasonably identifiable natural person.
The privacy safeguards are based on the Australian Privacy Principles (APPs) under the Privacy Act as modified for the purposes of the CDR regime.
The safeguards are intended to apply to accredited data recipients and, once a CDR consumer has made a request for disclosure of CDR data, to the data holder. The EM sets out that in respect of data recipients, the privacy safeguards will "substitute" for the APPs.
The position is less clear for data holders. The EM explains that the Privacy Act and APPs will continue to apply to data holders under the CDR, "placing additional requirements on data holders once a request for CDR data has been received". Assuming this means that the applicable privacy safeguard is to apply in parallel to the APPs, there is little guidance as to how that would work in practice.
Penalties and enforcement
Penalties under the new regime can be significant. In addition to imposing criminal and civil penalties, regulators will also have recourse to various other powers including compensation orders, infringement notices, injunctions, adverse publicity orders and enforceable undertakings. Separate pecuniary penalties will apply in respect of breaches of the legislation, breach of each of the privacy safeguards, and may additionally apply in respect of breach of particular CDR rules.
The Bill and open banking
As noted above, the Bill provides the framework intended to apply to all designated sectors. The precise scope of data comprising open banking CDR data, Standards to be applied for data transfers and the privacy safeguards as they relate to open banking will be set out in the CDR rules and Standards, which are yet to be published. Certain concerns raised by the banking sector in the Review have not been addressed in detail in the Bill and it remains to be seen whether these will be clarified, or the recommendations implemented, in the CDR rules.
In particular, the Bill contains limited reference to the allocation of liability between CDR participants. The Bill currently contains a single provision which sets out that a CDR participant will not be liable provided that it transfers or discloses CDR data in compliance with all elements of the CDR regime. While this goes some way towards clarifying that a CDR participant will only be liable for its own conduct, it is not yet clear whether "compliance" with the regime might require data holders to vet potential data recipients or to be alert to any "red flags" with respect to data security.
The Bill also makes only cursory reference to the principle of reciprocity, which is the concept that an accredited data recipient participating in open banking should also be obliged to provide "equivalent" data under the regime. We expect that the details around exchange of reciprocal data in the banking sector will be determined by the ACCC.
See here for Bill-related materials including further explanatory materials, a ready reckoner, a summary of privacy protections and a guide to making submissions.
Submissions on the Bill close at 5 p.m. Friday 7 September 2018.
Rules and data standards applicable to open banking are expected to be released in September.