Legislation to implement a consumer data right into Australian law has been introduced, ahead of its imminent roll-out in the banking sector, with other sectors to follow. The provisions have now been referred to a Senate committee, and various concerns have been raised by the Opposition. Consultation regarding roll-out in the energy sector has also commenced.
On 13 February 2019, the Government introduced the Treasury Laws Amendment (Consumer Data Right) Bill 2019 (Bill) into Parliament.
The Bill contains the legislative framework for implementation of a consumer data right (CDR). Other relevant aspects of the regulatory regime including the designation instrument, consumer data rules (CDR Rules) and data standards are intended to be put in place under that legislative framework on a sector by sector basis.
On 14 February, the Senate referred the Bill to the Economics Legislation Committee for inquiry. The Committee is expected to report by 21 March. The Labor Opposition has criticised the short timeframe for review and has raised concerns with various aspects of the Bill, including in respect of privacy and the treatment of derived data.
Public consultation on the key documentation for the banking sector roll-out will continue this year with the release of a draft of the CDR Rules currently anticipated during the first quarter of 2019. This timing may alter if there are any delays in the passage of the legislation. The anticipated expansion of the consumer data right beyond the banking sector has also begun with the Australian Competition and Consumer Commission (ACCC) publishing a discussion paper to begin the consultation on how best to apply the CDR in the energy sector.
An Exposure Draft of the Bill was initially released in August 2018. Please see our previous alert here for an overview of the key aspects of the regime.
This was followed by the release of other key CDR documentation for the banking sector roll-out for public consultation, namely:
- a CDR Rules Framework (Rules Framework) published by the ACCC seeking comment on issues connected with the CDR Rules to be made by the ACCC once the Bill is passed; and
- draft data standards from Data61.
Just prior to Christmas, an updated draft of the Bill was circulated followed by updated documentation from both Data61 and from the ACCC in the form of a CDR Rules Outline (Outline). Treasury also released the first version of the Privacy Impact Assessment for CDR (PIA) for consultation. The Opposition has criticised the fact that Treasury, rather than the Office of the Australian Information Commissioner, has managed the PIA process. A second version of the PIA incorporating feedback from stakeholders and an independent privacy consultant was released on 1 March, with subsequent versions to follow as the CDR regime is finalised.
Given the CDR Rules will contain much of the detail regarding how the CDR will be implemented in the banking sector, in this alert we provide a brief overview of some of the key changes made to both the Bill and the ACCC's approach to the CDR Rules for the banking sector in the course of the public consultations that have occurred to date.
Key changes to the Bill
A significant number of changes were made to the Bill in the course of the public consultation period. Some key points that arose during the public consultation period and are now reflected in the Bill include the following:
- Principle of reciprocity: This is the concept that an accredited data recipient should also be obliged to provide "equivalent" data under the regime due to their participation (even if they would not otherwise be required to provide access to CDR data as a data holder). The Bill anticipates that the CDR Rules for each sector may provide that in certain circumstances a consumer can direct an accredited data recipient to provide access to certain CDR data to the consumer or other accredited persons.
- Updated privacy safeguards: There is updated detail regarding how the privacy safeguards are intended to apply to CDR data. As noted above, the Labor Opposition has raised concerns regarding the approach to privacy.
- Designated gateways: In some sectors, the Minister may designate a gateway (or multiple gateways) to facilitate the transfer of information from a data holder to an accredited person or the consumer themselves. The Government anticipates that most sectors are unlikely to have a designated gateway. However, there could be sectors where an entity is already in place fulfilling a similar role. In such circumstances, designation of that entity as a designated gateway could take advantage of existing efficiencies.
- Chargeable CDR data: The Bill now contains the concept of chargeable CDR data. However, the circumstances in which charges could be applied are intended to be extremely limited, with the anticipation being that in the vast majority of cases a compulsory transfer of CDR data on request from a consumer cannot trigger a charge. The inclusion of the concept of chargeable CDR data has been raised as another issue of concern for the Labor Opposition.
Key changes with respect to the CDR Rules for the banking sector
The Outline released just prior to Christmas and updated in late January does not contain the actual CDR Rules for the banking sector roll-out, but rather sets out the ACCC's proposed position in relation to version one of the CDR Rules. As it stands, the ACCC's approach is that the first version of the CDR Rules made by the ACCC will only cover matters that are essential to the commencement of the CDR in the banking sector, with other issues to be covered in subsequent versions of the CDR Rules. The Outline anticipates CDR Rules covering the following areas:
- How data sharing will occur.
- Definition of different categories of data holders - to include 'initial data holders', 'subsequent data holders' and 'reciprocal data holders'. These provisions will be critical in clarifying exactly how the CDR applies to different entities in the banking sector, and given the phased implementation, when relevant obligations will arise for different categories of data holders.
- Definition of which CDR consumers are covered by the initial banking-sector roll-out. As flagged below, the initial roll-out is not intended to extend to minors under the age of 18, although this may change in future versions of the CDR Rules.
- Definition of which CDR data is in-scope - to include categories of 'customer data', 'account data', 'transaction data' and 'product data'. Products are themselves to be separated out into phase 1 to 3 products. Again, these provisions will be critical in clarifying the scope of relevant obligations and, given the phased implementation, when relevant obligations will arise with respect to different categories of CDR data.
- Processes and criteria for accreditation of accredited persons and obligations for accredited persons and accredited data recipients. There is currently intended to be only one general level of accreditation in version one of the CDR Rules, although subsequent versions are likely to introduce additional levels to accommodate different business models involving the use of third party intermediaries.
- The Accreditation Registrar's role.
- Consumer consent and authorisation requirements. These will be some of the most critical provisions in the new regime.
- The privacy safeguards.
- Record-keeping, reporting and audit power.
- Dispute resolution.
- The Data Standards Body.
There are several key changes to the ACCC's approach to aspects of the CDR Rules, as now reflected in the Outline when compared against the Rules Framework. The ACCC's updated approach includes the following positions:
- Although the sharing of CDR data with an accredited data recipient must still occur via APIs, the sharing of data via APIs to consumers is no longer required.
- Consent and authorisation will automatically expire after 12 months as opposed to 90 days as previously proposed. A reminder of the ongoing data sharing arrangement is to be given every 90 days to the consumer.
- The definition of 'CDR consumer' no longer includes minors.
- Joint account holders may elect which holders are authorised to give consent or authorisation and whether the data holder must notify other joint account holders that the data from the joint account has been shared.
CDR in the energy sector
The ACCC's consultation paper released on 25 February explores how best to leverage the CDR in the energy sector. Due to a number of energy sector-specific considerations, including energy market arrangements, the ACCC is seeking initial feedback on the merits of the following three potential options for accessing consumer data in the energy sector:
- an Australian Energy Market Operator (AEMO) centralised model where the AEMO would be the sole data holder of a centralised data set and responsible for providing data directly to accredited data recipients;
- the AEMO gateway model where the AEMO would function as a pipeline for the provision of CDR data from data holders including retailers and potentially also distributors and may also be a data holder providing CDR data directly to accredited data recipients; or
- the economy-wide CDR model where existing data holders would be responsible for providing CDR data directly to accredited data recipients and/or consumers, i.e. the model used in the banking sector.
The consultation paper also includes information on the relevant principles and considerations the ACCC will take into account when determining which model is most suitable. Submissions are due by close of business on 22 March. Once a data access model has been decided, work will commence on developing energy specific rules and standards.
As the Bill was originally intended to be introduced into Parliament in December 2018, the delay in its introduction has resulted in delays to the overall timeframe for CDR implementation. Treasury has therefore revised the timeline for the roll-out of CDR in the banking sector.
The initial 1 July 2019 start date is now intended to mark the beginning of a "pilot" phase involving the "Big Four" banks - Commonwealth Bank, ANZ, Westpac and NAB - intended to "test the performance, reliability and security" of the system. Product reference (generic) data is also intended to be made publicly available from this date.
Sharing of consumer data by these banks is intended to start no later than 1 February 2020, with a phased introduction of the main CDR requirements occurring over the next 18 months or so. Of course, it is possible that any further delays could result in further changes to the timeline. In particular, if there are delays in the passage of the Bill, this is likely to flow through to additional delays in the implementation timeline.
The ACCC has indicated that it aims to begin implementing CDR in the energy sector during the first half of 2020.
It is anticipated that the roll-out of the CDR in the banking and energy sectors will be followed by roll-out in the telecommunications sector, with the CDR eventually expected to be implemented in all sectors.
Thanks to Courtenay Whitford and Anita Xie for their assistance in preparing this alert.