23 December 2019

CDR Intermediaries

The ACCC has released a consultation paper on expansion of the Consumer Data Right rules through facilitation of the participation of third party service providers. Delays to rollout of the CDR were noted here.

The paper states that the ACCC
introduced the foundational rules for the Consumer Data Right (CDR) regime in the lock-down version of the rules, released in September 2019 (rules). Consistent with the position in the Rules Outline released in December 2018, the rules do not provide for the use of third party service providers who collect or facilitate the collection of CDR data on behalf of accredited persons (intermediaries). The ACCC noted that it intended to develop rules to accommodate business models that use intermediaries in a subsequent version of the rules. The rules permit disclosure of CDR data by an accredited person to an outsourced service provider, provided certain conditions are met, but do not otherwise permit disclosure of CDR data to non-accredited third parties. As noted in the Rules Outline, the ACCC took this position for the first version of the rules having regard to concerns raised by stakeholders regarding the risk of reduced consumer protections and the potential to undermine the CDR accreditation regime. Instead, the ACCC committed to considering the ability for consumers to direct the sharing of CDR data to certain non-accredited third parties (including professional advisors, such as accountants and lawyers) in a subsequent version of the rules. ... 
The ACCC is seeking views from stakeholders on how the rules should permit the use of intermediaries that collect or facilitate the collection of CDR data from data holders on behalf of accredited persons. The ACCC is also seeking views on expanding the rules to permit the disclosure of CDR data from accredited persons to non-accredited third parties and the appropriate consumer and privacy protections that should apply to such disclosures.
The paper states
Intermediaries 
The ACCC recognises the important role of intermediaries in the financial services sector, and the data economy more generally, in facilitating the efficient and secure collection of data. Accommodating intermediaries in the CDR regime will support increased uptake of CDR and development of new products and services by providing flexibility for potential accredited data recipients looking to enter the CDR regime. The ACCC understands that there are a range of innovative business models that intend to operate in the CDR regime, including software as a service or platform as a service providers. These business models include those that may assist in or facilitate the collection of CDR data and those that may offer ‘end-to-end’ services that collect and use CDR data. 
In response to the CDR exposure draft rules, the ACCC received submissions from a number of parties that indicated their interest in becoming accredited at the unrestricted level in order to act as an intermediary in the regime. If the rules provide for an accredited intermediary to collect CDR data on behalf of a data recipient, it could facilitate entry into the CDR regime of data recipients with a lower tier of accreditation if the intermediary will manage risks associated with the data recipient collecting, storing or using CDR data. The ACCC is therefore also interested in understanding views on how the rules should permit the disclosure of CDR data between accredited persons, including between an accredited intermediary and an accredited data recipient. 
The ACCC is seeking views on how intermediaries should be provided for in the rules, including what obligations they should be required to meet and the appropriate level of transparency for consumers where an intermediary is used by a data recipient to collect and/or use CDR data. 
The ACCC is considering both outsourcing and accreditation models for regulating intermediaries and recognises that it may be appropriate for the rules to provide for both models dependent on the nature of the services provided by an intermediary to an accredited person. Under an accreditation model, an intermediary would become accredited in its own right and would be subject to the obligations of an accredited person under the CDR regime. The current outsourcing model in the rules permits the disclosure of CDR data by an accredited person to an outsourced service provider provided certain conditions are met, including that the accredited person has a CDR outsourcing arrangement in place that meets the requirements in rule 1.10. Under rule 7.6, the accredited person is responsible for the use or disclosure of CDR data by an outsourced service provider. 
Consultation questions: intermediaries 
The ACCC has developed guiding questions for responses. You do not need to respond to each individual question and may decide to raise additional issues. Where possible, please explain your reasoning. 
1. If you intend to be an intermediary in the CDR regime, or intend to use an intermediary, please provide a description of the goods or services you intend to provide to accredited persons or to CDR consumers using an intermediary. Do you intend (or intend to use an intermediary) to only collect CDR data, or collect and use CDR data? What value or economic efficiencies do you consider that intermediaries can bring to the CDR regime and for consumers? 
2. How should intermediaries be provided for in the rules? In your response please provide your views on whether the rules should adopt either an outsourcing model or an accreditation model, or both and, if so, and in what circumstances each model should apply. 
3. What obligations should apply to intermediaries? For example, you may wish to provide comment on: a. if intermediaries are regulated under an accreditation model, the criteria for accreditation and whether they should be the same or different to the criteria that apply to the current ‘unrestricted’ level, and the extent to which intermediaries should be responsible for complying with the existing rules or data standards; b. if intermediaries are regulated under an outsourcing model, the extent to which contractual obligations should be regulated between accredited persons and intermediaries; c. if the obligations should differ depending on the nature of the service being provided by the intermediary. 
4. How should the use of intermediaries be made transparent to consumers? For example, you may wish to comment on requirements relating to consumer notification and consent. 
5. How should the rules permit the disclosure of CDR data between accredited persons? For example, you may wish to comment on requirements relating to consumer consent, notification and deletion of redundant data, as well as any rules or data standards that should be met. 
6. Should the creation of rules for intermediaries also facilitate lower tiers of accreditation? If so, how should the criteria and obligations of new tiers of accreditation differ from the current ‘unrestricted’ accreditation level, and what is the appropriate liability framework where an accredited intermediary is used? 
Permitting CDR data to be disclosed to non-accredited third parties 
The ACCC is also seeking views on how the rules should provide for the disclosure of CDR data by an accredited person to non-accredited third parties, with the consent of a consumer. As noted above, the rules permit disclosure of CDR data by an accredited person to an outsourced service provider, provided certain conditions are met, but do not otherwise permit disclosure of CDR data to non-accredited third parties. 
The ACCC considers that allowing CDR data to be shared with non-accredited third parties, such as accountants, will be an important expansion of the CDR regime. The ACCC recognises there are existing mechanisms that facilitate the transfer of data from consumers to third parties. Enabling sharing of CDR data with third parties in the CDR regime is likely to increase benefits for consumers, where appropriate consumer and privacy protections are also provided for in the rules. 
The ACCC considers that an important principle for the development of these rules is that consumers must give fully informed consent when CDR data is disclosed to non-accredited third parties. Additionally, the ACCC considers that while the rules may authorise the transfer of CDR data from accredited persons to non-accredited third parties, this would not be a requirement and accredited persons should be able to make commercial decisions regarding whether to offer this functionality to consumers. 
Consultation questions: permitting CDR data to be disclosed to non-accredited third parties 
7. If the ACCC amends the rules to allow disclosure from accredited persons to non- accredited third parties and you intend to: a. receive CDR data as a non-accredited third party, please explain the goods or services you intend to provide, the purposes for which you propose to receive CDR data, and how this may benefit consumers; b. be an accredited person who discloses CDR data to non-accredited third parties, please explain the intended goods or services you intend to provide and how they may benefit consumers. 
8. What types of non-accredited third parties should be permitted to receive CDR data? Why is it appropriate for those types of third parties to be able to receive CDR data without being accredited? 
9. What privacy and consumer protections should apply where CDR data will be disclosed by an accredited person to a non-accredited third party? 
10. What degree of transparency for CDR consumers should be required where an accredited person discloses CDR data to a non-accredited third party? For example, are there particular consent and notification obligations that should apply?