Showing posts with label Credit Referencing. Show all posts

15 August 2023

Identity Resilience

The new National Strategy for Identity Resilience replaces the 2012 National Identity Security Strategy. It features Shared Principles for Resilient Identities -

1 Seamless Commonwealth, state and territory digital ID systems will support identity resilience

Digital IDs provide a highly secure credential which can be used to prove identity online. They can reduce the amount of information you share, as they allow you to share only the information needed, which means you do not need to share all the details of a valuable identity document such as a passport. Governments will work together to achieve interoperability between digital ID systems and credentials so that Australians can access services in any jurisdiction. 

2 Identity needs to be inclusive 

Australian governments are committed to supporting vulnerable cohorts to access services, and to supporting Australians that choose not to use digital services or credentials. Indigenous Australians, people from culturally and linguistically diverse communities, and people with disabilities are disproportionately targeted by certain types of scams, and may also have more difficulty accessing or understanding ways to remediate compromises to their ID. Older Australians are also vulnerable and reported the highest losses to scams in 2021, and may be less likely to adopt digital credentials or other technologies. Where practical, Australian governments are committed to providing digital and non-digital options so that individuals have a choice in how they manage their identity. 

3 Individuals, industry and government have a role to play 

Individuals, industry and government all have roles to play in achieving identity resilience. Individuals need to know how to protect their identity and be empowered to proactively respond to identity misuse. Industry and governments can strengthen identity resilience by adopting best practice for preventing, deterring and responding to identity misuse, and by actively coordinating efforts to improve and promote education on identity resilience, secure cyber practices and support services. 

4 All jurisdictions will work towards consistent high national standards 

Individuals need to have secure and trusted identity credentials regardless of who they are issued by. Australian governments will develop stronger, nationally consistent standards for issuing physical and digital credentials. Australian governments will also ensure that identity credentials have security measures that make them resilient. 

5 Biometric establishment and verification of identity with consent can improve resilience 

Where appropriate, and with an individual’s consent, Australian governments will use biometrics to make it harder for criminals to misuse identity credentials. Combinations of biographic attributes (e.g. name, date of birth and licence number) do not adequately protect Australians from identity crime, and can be exposed in a data breach. Passwords can be forgotten, stolen or compromised. Australian governments will protect personal privacy and secure data in regards to the use of biometrics. 

6 All jurisdictions will allow an individual to update their information conveniently across agencies 

Currently, an individual who changes their name or moves house has to update each credential individually, and often does not. As a result, their personal details may differ between government agencies and jurisdictions, which increases the potential for identity fraud. Australian governments will work towards enabling individuals to update their credentials in a more streamlined and convenient way, if the individual wishes to do so. 

7 Less data collection and retention 

Large data breaches have demonstrated the risks associated with large stores of personal information and of retaining copies of credentials. We need to consider the likelihood of future data breaches when deciding what we collect and retain. Digital IDs, digital credentials and government services like the Document Verification Service, allow government agencies and businesses to verify identity while minimising their collection of personal information. Australian governments will support businesses and government agencies to collect and retain less personal information where appropriate. This will be balanced against existing and legitimate needs relating to law enforcement and regulatory regimes. 

8 Clear data-sharing arrangements 

To support individuals impacted by large scale cyber incidents and data breaches, governments need to be able to collect and share data. Australian governments will work to put in place data-sharing arrangements to better protect victims of cyber incidents and data breaches. 

9 Consistent revocation and re-issuance 

Across Australia there are different processes for revoking and reissuing credentials. This makes it harder for a victim of identity crime to recover, especially when they have to engage with multiple Commonwealth, state and territory agencies and the private sector. Australian governments will work towards streamlined and consistent processes for remediating compromised identity credentials to reduce the burden on victims. 

10 Clear accountability and liability 

Liability for the cost of remediating credentials compromised in a data breach, cyber-attack, or other identity crimes needs to be clear, along with appropriate enforcement actions. The lack of clear accountability can delay mitigation measures when responding to a data breach. The solution should minimise further harm to the individual whose data was compromised.

The Strategy document goes on to state

Building on existing work and being future ready 

To give effect to the above principles, Australian governments have committed to the following short, medium and long term initiatives. Plans for implementing the initiatives will be considered by the Data and Digital Ministers Meeting. The Data and Digital Ministers Meeting, a sub-committee of National Cabinet, will also oversee the implementation of the initiatives. Building on the innovative and leading edge work of the Commonwealth, states and territories, the initiatives include the elevation of existing projects to the national stage. They complement initiatives that support identity resilience, which are in development or already in operation, but have not been included in this Strategy. These include, for example, the Commonwealth’s myGov and myGovID systems, the Trusted Digital Identity Framework, ID Support NSW, and the Australian Death Check. 

Short term initiatives (Up to 12 months to implement) 

Update of the National Identity Proofing Guidelines 

Australian identity proofing standards need to be fit for purpose and used consistently across the country. The National Identity Proofing Guidelines (the Guidelines) provide guidance for government and private sector organisations on proofing the identity of individuals. The Guidelines will be updated and aligned with the Trusted Digital Identity Framework to support consistent processes across digital and non-digital credentials. This will help to address longstanding inconsistencies in identity management practices between jurisdictions; support less collection and retention of data; and build confidence in the use of Commonwealth, state and territory digital ID systems. 

Cohesive national approach for responding to the identity security aspects of data breaches 

Large-scale data breaches and cyber incidents have demonstrated the need for a cohesive national response to the identity security aspects of data breaches, to minimise the damage caused and to expedite the recovery of individuals’ identities. This initiative will seek to establish a Centre of Excellence to increase the speed and efficiency of responses to the identity security aspects of significant data breaches. This will be a single and highly visible point of expertise that supports the management of the identity security aspects of breaches at a Commonwealth level, and works with state and territory bodies, to minimise the harm for individuals, businesses and governments. 

Identity resilience education and awareness 

Education and awareness can help build individual, industry and government resilience. A range of education and awareness programs exist across the Commonwealth, states and territories. These include the Australian Competition and Consumer Commission’s Scamwatch and awareness information delivered by ID Support NSW. Improving consistency and coordination at a national level will increase the effectiveness of these programs. This initiative will focus on amplifying and coordinating existing education and awareness efforts to better protect Australians. 

Medium term initiatives (1-3 years to implement) 

Credential Protection Register 

When a credential is discovered to have been compromised it can take a long time to remediate. During this time, criminals can continue to misuse the credential. In October 2022, the Commonwealth established the Credential Protection Register to prevent the Identity Matching Services verifying a compromised credential that has been listed on the Register. This initiative will seek to further develop the Credential Protection Register, for example to allow individuals to have better control of their credentials, and also to improve the sophistication of the Register. 

Mobile phone trust scores 

Mobile phone numbers can be integral to identity authentication (for example when used in multifactor authentication) and as an alternative to using email and social media to contact a client. However, they can also be used for identity takeover and fraud. A ‘Mobile phone trust score’ system would allow telecommunication providers to assign trust scores to mobile phone numbers based on risk factors such as recent sim swaps, tenure of phone plan and virtual private numbers. The trust score will help to prevent mobile phones being used to facilitate fraud. 

Long term initiatives (3-5 years to implement) 

Reissuing Digital Credentials through Digital wallets 

Digital Credentials (for example Working with Children Checks or mobile driver licences) are important for identity resilience. It is cheaper, easier and quicker to reissue a digital version of a compromised credential than a physical one. The development of digital credential standards is vital to ensure consistency of data, user experience and interoperability, while maintaining choice and privacy. This initiative will look at addressing technical and legislative differences and barriers across jurisdictions to help reduce fraud, improve customer experience and reduce duplication of effort. This initiative can also inform upcoming digital credential projects so that they are ready for digital wallets at launch. 

No wrong doors for identity remediation 

Individuals should be able to engage with one government organisation in order to fully and quickly recover their identity. This could include regaining control of online accounts, revocation and re-issue of credentials, and protective measures for compromised credentials. Some states and territories have already established comprehensive support services that operate within their jurisdiction. This initiative will focus on a cross-jurisdictional approach to improve the experience for individuals, reduce further harm and enable full identity recovery. 

Strong, consistent commencement of identity records 

Commencement of identity records such as birth certificates, and immigration records for Australians born overseas, are issued by different jurisdictions and are not always linked to change of identity (e.g. change of name) processes in other jurisdictions. This initiative will explore how jurisdictions can work together to improve the integrity of identity records, and provide every Australian with an accurate commencement of identity record updated for life events. 

Implementation 

Realising the intent of the Strategy will require a strong focus on cross jurisdictional collaboration, application of the principles, and the implementation of the initiatives. Under the oversight of the Data and Digital Ministers Meeting, and in close collaboration with all Australian governments, the Commonwealth, through the Department of Home Affairs, will coordinate the implementation of this Strategy. A detailed plan, including resources required, will be developed for each initiative for consideration and approval by the Data and Digital Ministers Meeting. 

Assessing effectiveness 

In implementing this strategy, effectiveness will be assessed by progress made towards implementation of the initiatives, and the effectiveness of these outcomes. An annual report will be provided to the Data and Digital Ministers Meetings on the effectiveness of the Strategy, associated policy and legislation, and follow-on actions required to ensure that Australians’ identities are resilient.

10 July 2023

ACCC Data Brokers Inquiry

The ACCC has released the Issues Paper for its Digital Platform Services Inquiry – March 2024 report on data brokers, which states

The purpose of this Issues Paper is to invite written submissions from interested parties to assist the ACCC in understanding the nature of the data broker industry in Australia and any related competition and consumer issues that may arise. 

The role of data brokers 

As we continue to spend more of our time online, Australians are generating an ever-increasing amount of data. As noted by the Organisation for Economic Co-operation and Development (OECD), ‘the digital transformation is changing economies and societies, powered partly by the collection and use of ever-growing quantities of consumer data.’ According to a 2019 McKinsey Global Survey, 47% of respondents said that data and analytics have significantly or fundamentally changed the nature of competition in their industries over the previous 3 years. In many markets, access to large volumes of high-quality personal data is essential for businesses to compete. Where businesses have unique access to such data, this can provide them with a significant competitive advantage. Conversely, not having access to such data can be a significant barrier to entry and expansion. For example, McKinsey’s 2019 research found that businesses reporting the greatest growth in revenue and earnings received a significant proportion of that boost from data and analytics, with high-performing organisations 3 times more likely than others to say their data and analytics initiatives had contributed at least 20% to earnings before interest and taxes over the previous 3 years.

What is a data broker? 

Data brokers are a key part of the data supply chain that fuels a range of online and offline products and services. The Direction for the Inquiry defines a data broker as ‘a supplier who collects personal or other information on persons, and sells this information to, or shares this information with, others.’ Hence, for the purposes of the Report, we will focus on data brokers that collect, process and analyse ‘personal or other information on persons.’ ...

By combining information acquired from a range of sources, data brokers are able to develop and monetise new proprietary data products and services. These data products and services include tools and reports prepared for a variety of purposes such as customer profiling, marketing, risk management, consumer credit reports or scores, and fraud or crime prevention. The Final Report of the ACCC’s Digital Platforms Inquiry (the DPI Report), discussed the role of data brokers, observing that they ‘have a central role in exchanging and combining personal information and data across a wide variety of sectors in Australia.’ 

Despite the central role that data brokers play in providing data products and services to a range of businesses, as well as the wide variety and volume of information that they collect, analyse and process, there is currently little transparency, awareness and understanding of how data brokers operate in Australia. 

Many consumers are not aware that businesses such as data brokers collect their information, nor have an understanding about how or when such information is collected, or what is being done with this information. In addition, many consumers appear to be uncomfortable with the kinds of data-handling practices used by businesses such as data brokers. A recent survey by the Consumer Policy Research Centre found that 74% of Australians were not comfortable with companies sharing or selling their personal information, and less than 10% were comfortable with targeted advertising based on the tracking of online behaviour or personal characteristics without express permission. Despite these consumer sentiments, current trends in data collection and analysis suggest that the role of data brokers is likely to increase. 

Overseas jurisdictions, including the United States, the United Kingdom and Canada, have previously examined the role of data brokers and identified concerns with their practices. The ACCC will draw on relevant literature and reports both in Australia and overseas for the purpose of this Report. 

Proposed focus 

Data brokers can be broadly split into two categories:

▪ businesses that collect data on their own consumers and sell or share that data with others (first-party data brokers), and 

▪ businesses that collect data about consumers from a range of third-party sources and sell or share that data with others (third-party data brokers). 

The ACCC has previously examined how digital platforms use the first-party data they collect from their users in providing digital platform services. We have also looked at some examples of businesses that share or sell first-party data to others. However, we have not yet examined the data collection, storage, supply, processing and analysis services supplied by businesses who sell or share information that is predominately collected from a variety of other sources, (i.e. third-party data brokers). Third-party data brokers typically add value to the data they collect by applying sophisticated and proprietary analysis to it, which is then used to develop data products and services sold or licensed to businesses that might not otherwise have the in-house capacity or resources to undertake this themselves. 

Unlike first-party data brokers, third-party data brokers do not have a direct relationship with the consumers on whom they collect, process and analyse information. This raises unique consumer protection issues, since consumers are less likely to:

▪ be aware of these practices

▪ have explicitly consented to the collection and use of their data, and

▪ be able to challenge or opt out of the collection and use of their data.

The ACCC proposes to focus predominantly on third-party data brokers for the purposes of the Report. 

Market dynamics 

The ACCC’s preliminary analysis has identified a number of data products and services supplied by third-party data brokers operating in Australia, including:

• Customer and audience profiling and tracking products and services, including marketing and advertising campaign measurement, audience profiling and tracking, media planning, and marketing optimisation.

• Property data analytics products and services, including housing affordability reports, construction reports, sales and auction result data and valuation models.

• Retail data analysis products and services, including consumer purchasing data, which can be used for pricing, marketing, inventory and optimisation strategies.

• Risk and fraud management products and services, including for use in insurance and tenancy applications.

• Data validation, cleansing and enriching services.

• Identity verification services.

Another key category of data products and services supplied by third-party data brokers in Australia is consumer and commercial credit reporting products and services, including the supply of credit reports and scores. While the provision of these products and services may raise similar competition or consumer issues to the other products and services supplied by third-party data brokers, we do not propose to focus on these specific offerings as they are regulated separately under the Privacy Act 1988 (Cth). 

We understand that the types of products and services identified above are provided by a range of entities that collect information, including the following third-party data brokers in Australia:

• CoreLogic: is a property data and analytics company that produces a range of products including housing affordability reports, construction reports, sales and auction result data and valuation models. Customers include businesses involved in commercial and residential real estate, banking and finance, and construction, as well as the public sector. CoreLogic operates in 9 locations across Australia, New Zealand, the United States and the United Kingdom, and reportedly has data on over 14 million properties across Australia and New Zealand.  Its annual Australian revenue in the year ending 31 December 2020 was $169.5 million. 

• Equifax: provides ‘insights’ and sells ‘products’ and ‘solutions’ on a range of issues to small businesses and business and enterprise customers. It operates in 24 countries worldwide, providing insights on over 820 million consumers and 91 million businesses. It moved into Australia when it acquired Veda in 2016. In 2021, Equifax Australia Holdings generated revenue of $435 million in Australia. To the extent that Equifax is also a credit reporting body in Australia, we are not proposing to inquire into its credit reporting activities, which are regulated under Australian privacy law. 

• Experian: provides a range of ‘business solutions’ and ‘insights’ services to business users, including a range of data and analytics tools to serve a range of purposes, including marketing, risk management and data validation. It is a global company, operating across 30 countries.  Experian Australia Holdings generated $74.6 million in revenue in Australia in 2021. 

• Illion: provides data and analysis products and services, including risk management and marketing solutions and access to varied ‘data registries.’ Illion is a part of the Dun & Bradstreet Worldwide Network. In 2015, its Australian and New Zealand operations were sold to Archer Capital for $220 million, which was rebranded as illion in 2018. 

• LiveRamp: operates across the globe from 13 offices and has over 900 business customers. LiveRamp provides data tools and analysis to support customer and audience profiling and tracking, as well as marketing and advertising campaign measurement.  LiveRamp was acquired by Acxiom, then a data broker, in 2014. In 2018, Acxiom sold its marketing business (now known as Acxiom Marketing Solutions) and rebranded its data broking business as LiveRamp. 

• Nielsen: is a market research, data and analytics company that offers audience measurement, media planning, marketing optimisation and content metadata services in Australia. Nielsen operates in more than 55 countries. It earned US$3.5 billion (approximately AU$5.27 billion) in global revenue over the year to December 2021. In 2022, its Australian revenue reached $42 million. 

• Oracle: is a provider of cloud applications and cloud infrastructure services. It also operates a third-party data marketplace, which offers ‘actionable audience data' on over 300 million consumers, as well as an ‘ID Graph’ service, which allows advertisers to combine data on individuals across multiple devices.  Oracle’s annual Australian revenue in the year ending 31 May 2021 was $116.2 million. 

• PropTrack: is owned by REA Group and offers ‘data and insights powered by REA Group’ in relation to banking and lending, collateral risk, and real estate. PropTrack is headquartered in Australia and operates in 7 other countries. The REA Group also includes consumer-facing services such as realestate.com.au, flatmates.com.au and Mortgage Choice. The REA Group reported $1.17 billion in revenue over the 2021/22 financial year, including $97 million in the ‘media, data and other’ category. 

• Quantium: offers a range of data science services, including data cleansing, curation and monetisation. It also offers the ‘Q.Checkout’ platform, with insights into an estimated 10 million Australian consumers via Woolworths data, while its CommBank iQ service, a joint venture with Commonwealth Bank, offers access to ‘Australia’s largest aggregated and de-identified transaction banking dataset.’ Quantium was founded in 2002 and now operates across 11 offices worldwide. Woolworths Group acquired a majority stake in Quantium in 2021. In December 2022, Quantium and Telstra announced a new data and AI joint venture.

The ACCC acknowledges that these businesses offer a wide range of products and services, including some offerings that may not directly involve the use of personal or other information on persons. The ACCC has previously engaged some of these businesses in the course of our work. The ACCC is interested in the level of competition between third-party data brokers and other businesses in Australia, and invites submissions on this issue. In particular, we invite any general observations on the level of competition, including what factors drive competition, as well as identification of any specific barriers to effective competition in the provision of data products and services. 

Questions 

1) Who are the data brokers operating in Australia that predominantly collect information from other sources (i.e., not directly from consumers)?

2) How do data brokers compete? What factors do data brokers differentiate themselves on (e.g., price, range of data, specific types of data, analysis undertaken, additional services offered)? 

3) How difficult is it for new data brokers to enter the Australian market? What are their entry strategies (e.g., expansion of overseas data brokers into Australia, expansion of other businesses into data broking, new entrants)? Does this differ depending on the types of data products or services provided? 

4) What are the benefits of data brokers? Who do they benefit? Does this vary by data broker? If so, how? 

Questions for customers of data brokers 

5) What factors do you consider when choosing which data broker to acquire products or services from? 

Data collection and sources 

The ACCC understands that third-party data brokers collect information from a range of sources, including:

• digital platforms, including social media services

• web pages (through web scraping)

• the use of website cookies

• app developers, including through the use of software development kits (SDKs)

• other businesses (such as banks, retailers and telecommunications companies)

• open data projects

• government sources (such as the electoral roll, ASIC databases, and land titles offices)

• customer loyalty schemes

• other data brokers.

From these sources, data brokers collect a range of information. For example, this could include an individual’s name, home and work address, date of birth, marital or family status, education level, income, purchasing history, search and browsing habits, location data, and financial information. 

The ACCC is interested in understanding more about how data brokers collect information. Stakeholder feedback in response to the below questions will help us better understand industry practices and identify any potential consumer or competition issues. 

6) What information do data brokers collect? For each type of information, provide details of: a) How this information is collected, including details of any technologies used (e.g., tracking scripts, web-based plug-ins, tracking pixels, or SDKs in apps). b) Where or from whom this information is collected. c) The terms and conditions under which the data is collected. d) Any prices or fees paid for the information, including details of how these are determined.

7) Are there any particularly important or must-have sources of information for data brokers to collect? If so, what are they and who supplies these (e.g., digital platforms)? 

Questions for businesses that sell data to data brokers 

8) What information do you sell or provide to data brokers? a) To which data brokers? Do you provide or sell the data to multiple data brokers? Why or why not? b) Under what terms and conditions (including price) do you sell this data? Is this done via tender, negotiated contracts, take-it-or-leave-it list prices, or other means? c) How do you collect this data? d) Do you know how this data is used? Do you have any control over this?

9) What other types of businesses (non-data brokers) do you sell or provide data to? 

Data products and services 

The ACCC is particularly interested in the development and supply of data products and services by data brokers to other users. Examples of the types of products and services offered by data brokers include tools and reports developed and used for a range of purposes, including customer profiling, consumer credit scores, marketing, risk management and fraud or crime prevention, as discussed above. The ACCC seeks views from stakeholders on how data brokers use the data they collect. For example, we seek to better understand how data brokers process and analyse data, the specific products and services they offer, who uses these products and services, what they are used for, and the terms and conditions that may apply to their supply and use. 

10) What are the business models used by data brokers? How do they monetise their services?

11) What types of data products and services are offered by data brokers? a) Who acquires these? b) How and for what purposes are these used? c) What terms and conditions (including restrictions) typically apply to their use? 

Questions for business users of data products and services 

12) What products and services have you acquired from data brokers? a) From which data broker(s)? b) Were these bespoke or ‘off-the-shelf’ products? c) Under what terms and conditions (including price) did you acquire these products and services? Was this done via tender, negotiated contracts, take-it-or-leave-it list prices, or other means? d) What did you use these products and services for? e) What terms and conditions or restrictions govern or governed the use of these products or services?

13) Are there any ‘must-have’ data products or services that you acquire from data brokers? Are these available from multiple data brokers? If you were unable to acquire these from a data broker, how else could they be acquired? 

14) How important are data brokers for the provision of digital platform services? For example, in addressing data-related barriers to entry. Why? 

15) How do the products and services provided by data brokers affect competition in other markets? For example, in markets where businesses may supply data to data brokers, or in markets where businesses acquire products and services from data brokers in order to provide their own products and services. If the products and services provided by data brokers do affect competition in other markets, how? 

Potential consumer and small business harms 

The ACCC is seeking views on potential consumer and small business harms and benefits associated with the collection, processing and analysis of information by data brokers. The ACCC has previously identified a range of potential harms relating to the collection and use of personal information or data, including harms associated with:

• Direct marketing practices, including customer profiling, personalised pricing or pre-quoting, and potentially harmful targeted advertising.   

• Use of information in ways that discriminate against a consumer, or in ways not anticipated by the consumer.  For example, a consumer’s personal details shared in another context being used to influence their access to rental housing. 

• Incomplete or inaccurate data being used to develop a profile of a consumer. For example, consumers may be unable to complete important transactions, such as opening a bank or mobile phone account, if the data included in a risk mitigation product is incorrect and identifies them as a risk on the basis of the incorrect information.   

• The misuse of personal or other information on persons obtained by malicious actors. For example, products that identify an individual’s home address or place of work may be used to facilitate harassment or stalking, and may expose domestic and family violence victims, law enforcement officers, prosecutors, public officials or other individuals to retaliation or harm.  Personal information could also be misused by malicious actors to perpetuate scams. 

• Misleading terms and conditions or inadequate disclosures about how information is shared with data brokers,  including the use of clickwrap agreements, which use digital prompts that request users to provide their consent to online terms and policies, without requiring them to fully engage. 

As consumers are generally unaware of data brokers and their business practices, we are concerned there may also be a general lack of awareness about the potential harms related to these practices. While the practices of data brokers may also raise privacy-related harms, this Report will not review the operation of Australian privacy laws, which is outside the scope of the Inquiry. 

16) What benefits do data broker products and services provide to consumers and small businesses? 

17) What consumer harms may arise from the collection, processing, analysis or storage of information by data brokers? Which consumers are most likely to be harmed and why? 

18) What consumer harms may arise from the use of data products and services sold or provided by data brokers? Which consumers are most likely to be harmed and why? 

19) What processes and controls do data brokers have in place to protect consumers? This may include efforts around the de-identification and aggregation of data, data verification processes to ensure data is accurate, or measures to protect stored data. a) Are these controls adequate? What more could/should be done? 

20) To what extent are consumers aware that their data is being collected and used by data brokers? How are they made aware? 

21) What steps can consumers currently take to inspect and/or remove the data that is held about them or to otherwise raise a complaint with data brokers? 

22) What bodies or resources exist to assist and support consumers in their dealings with data brokers? What more could be done to better educate and empower consumers? 

Question for consumers 

23) Have you experienced any harm, including financial loss or differential treatment, as a result of a product or service provided by a data broker? What actions were open to you to try and address the issue, and was it resolved?

06 October 2022

Obscurity

The recent large-scale Optus data breach has been followed by news that the telco will provide short-term funding to affected consumers for credit watch services by Equifax. As I've noted in a forthcoming article, Equifax itself featured in a very large-scale data breach in 2017. 

'Interoperable Obscurity' by Thomas Kadri in the Journal of Free Speech Law (Forthcoming) comments 

Data brokers are abuse enablers. By sharing people’s information, brokers thwart obscurity, stimulate surveillance, and ultimately facilitate interpersonal abuse. This Essay canvasses four regulatory responses to brokered abuse: prohibiting abusive acts, mandating broker transparency, limiting data collection, and restricting data disclosure. Though some of these measures have merit, none is adequate, and several recent privacy laws can even make matters worse. Put simply, the current legal landscape is neither effective nor empathetic. 

Of particular concern, prevailing approaches can exacerbate victims’ trauma by forcing them to engage repeatedly with their abuse and vulnerability. Due partly to existing laws, people face a whack-a-mole task of pleading to remove their data from every single broker separately. But lawmakers could put an end to this traumatic experience through a regulatory regime of “interoperable obscurity.” In short, brokers could be compelled to design their systems to let a person obscure their information across all brokers with a single request. 

Requiring brokers to support a centralized obscurity process would represent the kind of empathetic regulation needed to tackle abuse. The right to defend oneself is sacred in many cultures, but those responsible for creating both law and technology have been slow to empower people with rights and tools of self-defense fit for the digital age. Interoperable obscurity is no panacea, but it could be a start.

19 January 2021

Social Sorting

'Connected but Still Excluded? Digital Exclusion beyond Internet Access' by Sofia Ranchordas in M Ienca, O Pollicino, L Liguori, E Stefanini and R Andorno (Eds), The Cambridge Handbook of Life Sciences, Information Technology and Human Rights (Cambridge University Press, 2021, Forthcoming) comments 

Digital government has digitized numerous public services, automated decision-making, and improved the openness of the public administration. Nevertheless, for senior citizens, underserved communities, individuals with low literacy and limited digital skills, the shift to governmental portals, online payments, and smartphone applications is a considerable obstacle in their daily interactions with public authorities. This chapter argues that digital inequality denies vulnerable citizens their rights twice: first, their ethnicity and socioeconomic status may be conducive to a ‘negative’ ranking or score (e.g., higher risk of welfare fraud); and second, they are also excluded because they do not have adequate access to technology, are not well informed, and do not have the time and skills required to interact with digital government. This chapter explores one of the paradoxes of the digital society: connected citizens in developed countries are also affected by the digital divide and are increasingly being excluded by the generalized digitalization of public services. Drawing on a review of interdisciplinary literature, this chapter contributes to the legal literature with an account of the underlying causes of digital exclusion and a discussion of its most relevant legal implications through the lenses of fundamental rights (e.g., due process, equal treatment) and the principles of good administration. This chapter reflects on potential solutions for more inclusive digital government policies.

14 January 2021

Consumer Data Right

The report of the  Inquiry into Future Directions for the Consumer Data Right (CDR), strategically released on 23 December, states 

The Inquiry was asked to make recommendations on options to expand the CDR’s functionality. This includes how the CDR could be expanded to include ‘write’ access so that consumers could not only choose to share their data through the CDR, but also apply for and manage products including, for Open Banking, by initiating payments. The Inquiry was also tasked with examining how the CDR could be used to overcome barriers to consumers conveniently and efficiently switching between products and providers, and to consider ways to ensure that the CDR promotes innovation in a manner inclusive of the needs of vulnerable consumers. Lastly, the Inquiry was asked to identify opportunities to leverage the CDR to enhance opportunities for Australian consumers, businesses and the Australian economy, and to leverage the CDR infrastructure to support productivity and a safe and efficient digital economy. 

Overview of future directions and recommendations 

The Inquiry has been guided by the same four key principles that guided the CDR from its inception and through the implementation of Open Banking. These are that the CDR should be consumer focused, encourage competition, create opportunities and be efficient and fair. The process of completing the Inquiry has been highly consultative. The Inquiry has considered formal submissions from 73 interested parties in response to its Issues Paper. It has also met virtually with over 300 representatives from industry, peak bodies, consumer groups, regulators, government and academia, including parties in overseas jurisdictions. Further information on consultation undertaken by the Inquiry is contained in Chapter 1. Public submissions are listed at Appendix B. 

The Inquiry has reported on future directions and recommendations for the CDR in the following chapters: 

• Chapter 1 introduces the Inquiry’s Terms of Reference, background information, the guiding principles of the Inquiry and the key themes from submissions. 

• Chapter 2 presents the four future directions for the CDR. 

• Chapter 3 sets out the switching journey in Figure 3.1 and the role of CDR on this journey. It examines the risks and benefits of switching and barriers faced by consumers who wish to switch. 

• Chapter 4 outlines how the CDR’s functionality could be expanded to include action initiation, including a framework for action initiation and the action initiation process. 

• Chapter 5 examines how action initiation could enable customers to apply for and manage products, including initiating payments, in the banking sector. 

• Chapter 6 examines potential enhancements to the CDR ecosystem, including tiered accreditation, voluntary data sets, consent taxonomies and consent management. 

• Chapter 7 considers the consumer safeguards that are necessary to ensure trust in the CDR, including privacy protections. 

• Chapter 8 explores the opportunities available to leverage CDR infrastructure, including in relation to digital identity solutions, standard setting and the accreditation regime. It also looks at how the CDR can be leveraged with similar regimes internationally. 

• Chapter 9 outlines a roadmap for the Inquiry’s recommendations, taking into consideration initial sector assessment and priorities for implementation. 

Additional reference information on Inquiry matters and issues is dealt with in the appendices. 

Chapter 1 – Introduction to the Inquiry 

As the CDR rolls out into the banking sector, the Inquiry was announced to consider future directions for the CDR. The Inquiry has been guided by the principles of a CDR that is consumer focused, encourages competition, creates opportunities and is efficient and fair. For the digital economy to work safely, efficiently and fairly, the CDR needs to function effectively in conjunction with other frameworks and regulations, including those related to consumer protection, information security, data protection and sectoral regulation. A balanced approach to safety, efficiency and effectiveness is needed. This may involve some enhancements to existing laws and regulations. 

Chapter 2 – Future Directions for the Consumer Data Right 

There are four future directions for the CDR. These are: 

1. Beyond data sharing, towards data-empowered consumers 
2. Beyond open banking, towards an economy-wide foundation 
3. Beyond a standalone system, towards an integrated data ecosystem 
4. Beyond Australia’s borders, towards international digital opportunities 

These future directions show the ways in which the CDR should expand to strengthen the foundations of Australia’s digital economy. The implementation of the recommendations from the Inquiry should be expedited to deliver on the CDR’s benefits to Australia and Australians. 

Chapter 3 – Expanding the Consumer Data Right to support switching 

The CDR currently assists consumers to identify products that best suit their needs based on analysis of their consumer data and the range of products on the market. Expanding the CDR to help consumers switch easily and conveniently between products will provide even greater consumer benefit and, importantly, cost savings. The CDR can be used to overcome behavioural and practical barriers to convenient and efficient switching between products and providers. Encouraging consumers to use the CDR to switch and realise its benefits will require consumer trust and confidence in the system. An expanded CDR will support services that could assist with tailored product identification and switching and facilitate general management of a consumer’s data. Analysis and comparison of all available products, including bundled products, should be enabled by the CDR. The Inquiry discusses how switching in some sectors is impacted by sector-specific legislative or regulatory frameworks that may need to be reviewed to deliver the most streamlined consumer experience. 

Chapter 4 – Action initiation framework 

The CDR provides a secure set of channels through which accredited persons can communicate with data holders. These channels should also be opened to suitably accredited persons to initiate actions on a consumer’s behalf with the consumer’s consent. Enabling action initiation in this way would allow the CDR to facilitate a much broader range of functions, and increase the range of products and services available to consumers. The legislation that gives legal basis to the CDR should be amended to enable action initiation. Action initiation should also be governed by the Rules and Standards. As with data sharing, the suitability of sectors for CDR action initiation should be determined through a sectoral assessment process. In enabling action initiation through the CDR, the current consent framework should be maintained to ensure that the system promotes confidence among consumers. This framework should also be bolstered by enabling additional authorisation processes to allow data holders to confirm the validity of action initiation requests received through the CDR. This will help enable data holders to comply with their other obligations and protect consumers. 

Chapter 5 – Action initiation in the banking sector 

The CDR should be expanded in the banking sector to include action initiation. There should be two broad classes of actions – ‘payment initiation’ and ‘general action initiation’ – in the banking sector. Bank account-to-account payment initiation should be prioritised to leverage developments in the Australian payments industry. CDR payment initiation’s design features should enable a customer to authorise a suitably accredited person to use the CDR to initiate a payment on their behalf. Broadly, it should apply to all authorised deposit-taking institutions (ADIs) and accounts subject to CDR data sharing and have broad and extensible functionality. It should allow for competition among payment systems and the initiation of payment instructions through standardised application programming interfaces. CDR payment initiation should provide a consistent and integrated consumer experience with data sharing. ADIs may also charge reasonable fees for complying with payment initiation requirements. The allocation of liability under CDR payment initiation should be principles-based, building on existing compensation arrangements. The ePayments Code should be updated to clarify how its liability provisions apply when a third party initiates a payment. A CDR payment initiation roadmap should be published in consultation with the payments industry. CDR agencies should engage with operators of major payment systems to explore opportunities to align third party payment initiation arrangements with the CDR payment initiation design features. Once CDR payment initiation is fully in place, strong consideration should be given to prohibiting the use of third party access to a customer’s digital banking portal to make payments. General action initiation in the banking sector should enable product applications, updating details, managing products and closing a product or account. However, certain information should be explicitly excluded from change due to privacy and safety concerns. Priority should be given to product applications and establishing new customer relationships in developing general action initiation to support switching. The CDR should enable consumer-directed sharing of Know Your Customer outcomes when the reliance provisions are expanded. 

Chapter 6 – Read access enhancements 

The CDR framework should encourage participation by consumers, accredited data recipients (ADRs) and service providers in the data economy. This means enabling the broad range of specialised services provided by participants in the data economy to flourish in the CDR, and for accreditation requirements to be calibrated according to the level of risk participants are required to manage. Where participants receive accreditation, they should be willing to provide, as well as receive, consumer data at consumers’ request. The range of data utilised in the CDR environment should not be limited only to data identified in the process of sectoral designation. The CDR provides a strong framework for data sharing and standards that can be utilised for a broad range of data sets, and a process that encourages the use of voluntary data sets should be developed. Consents and authorisations form the foundation of the CDR, outlining the terms on which a consumer agrees to engage with the regime. The language in these consents should therefore be as accessible to consumers and accredited persons as possible, enabling all parties to engage confidently in the system. Consumers should also be empowered to more easily keep track of their consents, making it more convenient to engage with the regime. 

Chapter 7 – Consumer safeguards 

Additional consumer safeguards will be required as the CDR’s functionality expands to ensure consumers benefit, and their rights are protected. Key CDR data sharing consumer protections should be extended and adapted for CDR action initiation, with consumers having access to appropriate remedies if accredited persons or data holders act without appropriate consumer consent or authorisation. Additionally, the Inquiry considers that the CDR regime should oblige an accredited person to act efficiently, honestly and fairly in initiating actions. In some sectors, it may be appropriate that a higher standard apply either generally or in relation to particular actions. As existing laws and regulations and sectoral specific regulation will continue to apply to businesses that provide products and services using the CDR, the interaction and potential overlap between industry-specific consumer protections and the CDR regime should be considered when assessing a sector for designation. Consideration of the needs of vulnerable consumers, and the participation of consumer representatives, will be important in developing a safe and inclusive CDR, while consumer education will remain a crucial tool in building understanding and trust in the CDR. As action initiation will require additional data to be exchanged to realise the action, privacy and information security assessments must take place to ensure proportionate and appropriate protections are in place. 

Chapter 8 – Opportunities for connecting the CDR to the data economy 

The CDR of the future will require a mechanism for ensuring customers are who they purport to be. The level of customer authentication required is likely to be variable for different data sets and different actions in different sectors. A minimum authentication assurance standard, applicable to both data holders and accredited data recipients, should be developed which supports interoperability and flexibility for participants, and meets consumer experience standards. As Australia’s digital economy grows, the established framework and infrastructure supporting the CDR has potential for wider use domestically and internationally. The Data Standards Body expertise in data standards setting should be available for government data sharing initiatives, while the data safety assurances provided by the CDR accreditation process can be leveraged by regimes outside the CDR where similar data protections are required. The CDR should not seek to duplicate regulation imposed by external regulators or industry frameworks. Where applicable the CDR should align with, or recognise external accreditations held by participants. The CDR presents significant opportunities for consumers and entities providing data-driven services. Under the CDR, the additional data shared, with the consent of the customer, provides opportunities for entities to use artificial intelligence (AI) technologies for product innovation and insights into a business’s consumer base. There is a need for further guidance about transparency requirements relating to data aggregation activities such as the use of algorithms. While there are a range of different approaches in international data portability regimes, there is scope for interoperability. To further this, Australia should continue to use open international standards where available, streamline accreditation to recognise foreign regimes where appropriate and seek mutual recognition with the United Kingdom. Australia should seek an opportunity to convene an international forum and formalise existing dialogue with international policy bodies. 

Chapter 9 – Consumer Data Right Roadmap 

The Inquiry recommendations have identified a broad range of initiatives that play an important role in the future success of the CDR. To enable effective implementation and maximum benefit to consumers, the path forward must be planned with an understanding of which CDR components complement one another, and what costs are likely to be incurred by participants. An integrated CDR Roadmap must be developed signalling the major steps to be taken as the CDR develops to enable investors in the data economy to prepare accordingly. Engagement with stakeholders will remain a priority as the CDR grows. This includes consultation with external reviews and consultations relevant to the data economy within and outside government. Post implementation reviews will enable lessons from implementation to feed into the ongoing work as further sectors and capabilities are introduced to the CDR.  

The Inquiry's recommendations are summarised as ... 

Chapter 1 – Introduction to the Inquiry 

Recommendation 1.1 – Balanced approach to safety, efficiency and effectiveness 

The Consumer Data Right should be developed to be safe, efficient and effective. A balanced approach is needed to realise meaningful benefits to consumers and grow participation in the data ecosystem. 

Recommendation 1.2 – Clarity in relation to other laws and regulations 

The Consumer Data Right operates in conjunction with other laws and regulations, including sectoral regulation. However, amendments to these other laws and regulations may be required to enable the benefits of the Consumer Data Right to be fully realised. Similarly, the Consumer Data Right may enable new behaviours and practices which may warrant a government response through other laws and regulations. Consumer Data Right development and operational processes should identify emerging behaviours and practices of concern and refer them to appropriate policy makers and regulators. Government should articulate with clarity when a response should occur through the Consumer Data Right or other laws and regulations. 

Chapter 3 – Expanding the Consumer Data Right to support switching 

Recommendation 3.1 – Analysis and comparison of bundled products 

Analysis and comparison of bundled products should be facilitated by the Consumer Data Right. The Data Standards Body should consider the most appropriate and efficient method to better enable product reference data about the range of services available, including bundled products, to be provided to consumers and accredited persons. 

Chapter 4 – Action initiation framework 

Recommendation 4.1 – Action initiation through the Consumer Data Right 

The Consumer Data Right should be expanded to enable third parties, with a consumer’s consent, to initiate actions beyond requests for data sharing. This expansion should build on trust developed in the system through the successful operation of the regime in enabling data sharing. 

Recommendation 4.2 – Framework and sector designation powers for action initiation 

The expansion of Consumer Data Right functionality to include action initiation should be implemented primarily through amendments to the Consumer Data Right framework in the Competition and Consumer Act 2010. These amendments should delegate powers to the Consumer Data Right rule maker and Data Standards Chair where appropriate. The amendments should set out the associated powers for the making of Rules and Standards and enable the designation of actions within a sector by the Minister. 

Recommendation 4.3 – Sector assessment for action initiation 

Sectoral assessments should be required prior to the designation of action initiation in a sector. The process for conducting a sectoral assessment for action initiation should be analogous to that for data sharing. Sectoral assessments for action initiation should consider particular classes of actions based on the matters in subsection 56AD(1) of the Competition and Consumer Act 2010, adapted as required. Additionally, the sectoral assessment should consider sector-specific regulatory barriers that may prevent action initiation from being facilitated safely, efficiently and effectively, and the digital maturity of the sector to implement action initiation. The OAIC should also consider specific classes of actions when assessing potential privacy and confidentiality implications of designating a sector. 

Recommendation 4.4 – Alignment between the Consumer Data Right and sector-specific regulation 

When conducting sectoral assessments, consideration should be given to whether regulatory and legal changes are required and appropriate to enable action initiation within a sector. 

Recommendation 4.5 – Action initiation process 

Action initiation through the Consumer Data Right should be based on the existing consent, authentication and authorisation processes currently used for data sharing, with appropriate amendments. 

Recommendation 4.6 – Supported instructions for action initiation 

Action initiation in the Consumer Data Right should only enable an accredited person to initiate actions which the consumer is already able to perform with a data holder. Action initiation should not be used to force data holders to perform actions which they would not otherwise offer, or which are prohibited under other regulation. This principle should be used to steer consideration of what actions are designated for action initiation. 

Recommendation 4.7 – Exclusion from action initiation 

Certain actions that are deemed to be of significant risk to consumers’ security or privacy should be excluded from being able to be actioned through the Consumer Data Right. Such actions should be determined through consultation with industry and consumer representatives during the sectoral assessment and implementation within a sector. The updating of passwords is an example of one such excluded action. 

Recommendation 4.8 – Accreditation for action initiation 

The accreditation regime should be extended to include tiered accreditation for action initiation, with those actions posing greater potential risk to the consumer requiring higher tiers of accreditation. 

Recommendation 4.9 – Accredited persons’ interactions with other regulatory regimes 

As sectors are designated for action initiation, the relevant sectoral regulators should examine whether additional guidance or education material should be provided to assist persons seeking accreditation to understand how the services they propose to provide using the Consumer Data Right could be treated under existing regulatory regimes. Prospective accredited parties should be encouraged to consider these issues. 

Recommendation 4.10 – Consent to send instruction and consent to initiate action 

Accredited persons should be required to obtain access and usage consents to initiate actions for consumers. These consents should be voluntary, express, informed, specific as to purpose, time-limited and easily withdrawn. 

Recommendation 4.11 – Consent processes and consumer experience 

Action initiation consent processes should be subject to Consumer Experience Standards and Guidelines to ensure that processes produce genuine consent. The Data Standards Chair should consider additional safeguards which balance the need for security with consumer experience where appropriate. 

Recommendation 4.12 – Ongoing consent arrangements 

Consumers should be able to provide consents to accredited persons to initiate actions on their behalf on an ongoing basis, within the consent’s time limit. Additional safeguards should also be considered for inclusion in the Rules. 

Recommendation 4.13 – Restrictions on unnecessary actions 

The Rules should restrict accredited persons to only being able to request access consents for actions that are relevant to the provision of a service. 

Recommendation 4.14 – Authentication requirements by data holders 

Data holders should be obliged to authenticate consumers prior to requesting action initiation authorisations. Authentication requirements should be reviewed by the Data Standards Body to ensure they reflect the risks associated with action initiation. 

Recommendation 4.15 – More explicit requirements for accredited persons to authenticate customers 

The Consumer Data Right should include explicit requirements for accredited persons offering action initiation enabled services to authenticate customers in circumstances where there is an ongoing provision of service to that customer. These requirements should be based on international standards on authentication processes. 

Recommendation 4.16 – Authorisation to take a specific action 

Whether the taking of a particular action should require a specific authorisation to be given to a data holder should depend upon the nature of the action requested and other factors, such as the value of the transaction and existing practices and processes in the sector. These requirements should be enabled in the Rules and specified through the Standards. 

Recommendation 4.17 – Data holders to require explicit consumer authorisation to accept instructions 

Data holders should only progress actions initiated by accredited persons when they have received the consumer’s explicit authorisation to do so. The Data Standards Body should investigate the benefits of enabling fine-grained authorisation for specific action classes, with recommendations being driven by consumer experience and security considerations. 

Recommendation 4.18 – Obligation to act 

Data holders should be obliged to progress actions initiated by an accredited person for which the consumer has provided a valid authorisation to the same extent as they would otherwise be obliged to progress such an action were the request provided directly by the consumer through another channel. Data holders should not be able to discriminate based on the channel through which the instruction was received. 

Recommendation 4.19 – Existing data holder obligations 

Data holders should remain subject to any requirements imposed on them by other regulatory regimes and measures may need to be built into the Consumer Data Right to facilitate this. The Consumer Data Right should similarly contain provisions to assist data holders in managing commercial risks, such as fraud, when assessing actions initiated by accredited persons on the consumer’s behalf. Data holders should remain capable of conducting reasonable step-up authentication measures to ensure the validity of any requests. The way in which these measures are conducted should be commensurate to the risk of the action being requested and not detract from the rights of access granted to accredited persons. 

Recommendation 4.20 – General liability for action initiation For action initiation, the general liability framework should extend the principle underpinning the operation of section 56GC of the Competition and Consumer Act 2010. This will protect data holders from liability when acting in compliance with the Consumer Data Right regime in response to an action initiation instruction for which they have received the consumer’s authorisation to accept. For the avoidance of doubt, the data holder continues to be subject to any regulatory or legal obligations that would otherwise apply if the instruction had come directly from the customer. 

Recommendation 4.21 – Notification of action initiation In designing the Consumer Data Right framework, processes should be included to enable consumers to be notified when an action is initiated on their behalf by an accredited person. 

Recommendation 4.22 – Cessation Accredited persons should be required to cease acting on the consumer’s behalf through the Consumer Data Right when they no longer have a valid consent. Accredited persons should be required to communicate this cessation to the data holders to whom they could previously send actions. 

Recommendation 4.23 – Record keeping Accredited persons and data holders should be required to keep records of the actions that were initiated through the Consumer Data Right, as well as records of the consumer’s consents and authorisations.

Chapter 5 – Action initiation in the banking sector 

Recommendation 5.1 – Designation of the banking sector for action initiation The banking sector designation under the Consumer Data Right should be extended to include action initiation, including payment initiation. The designation process should include thorough regulatory and privacy impact assessments and detailed consultation on the designation instrument prior to a final decision by the Minister. The banking sector designation should specifically set out the classes of general action initiation and payment initiation that should be supported. 

Recommendation 5.2 – Prioritising bank account-to-account payments Bank account-to-account payment initiation through the Consumer Data Right should be prioritised so its design can be coordinated with developments in the Australian payments industry and to expedite the benefits it can bring to customers. 

Recommendation 5.3 – Bank obligation to support Consumer Data Right payment initiation Consumer Data Right payment initiation should apply to all authorised deposit-taking institutions subject to the mandatory data sharing obligation under Open Banking. These authorised deposit-taking institutions should be obliged to provide access to third party payment initiation and process any valid payment instruction received from an appropriately accredited person through the Consumer Data Right, as if it had been provided by the customer through any other digital channel. Banks should continue to be subject to existing obligations placed on them by other regulatory regimes. 

Recommendation 5.4 – Broad and extensible payment instruction functionality Consumer Data Right payment initiation functionality should be broad and extensible, including the list of payment functionality in Table 5.3A. Both payer and payee payment initiation should be enabled to initiate payments (with consumer consent), to allow flexible ongoing payment initiation consents and authorisations, and permit step-up authentication by the customer’s authorised deposit-taking institution when required. Payment-related action functionality, such as registered payee management, should complement payment initiation functionality and be considered part of general action initiation. 

Recommendation 5.5 – Coverage of accounts Consumer Data Right payment initiation should apply to the bank accounts in Table 5.4 that ordinarily support payment functionality for customers. The Consumer Data Right should not require authorised deposit-taking institutions to provide new payment functionality in the accounts provided, only a new channel for using existing functionality exercisable with the customer’s authority. 

Recommendation 5.6 – Competition in the payments system The Consumer Data Right payment initiation should be designed to allow competition among payment systems in order to improve consumer outcomes. By enabling flexibility in implementation, Consumer Data Right payment initiation should leverage future developments in the payments system. 

Recommendation 5.7 – Accreditation for payment initiation Only an appropriately accredited person should be allowed to initiate payments through the Consumer Data Right. An assessment should be conducted by the Consumer Data Right rule maker to determine whether additional requirements to the unrestricted accreditation tier should be placed on those seeking to initiate payments, including how information security and insurance requirements should be adjusted. This assessment should also consider whether different tiers of accreditation for payment initiation could be enabled. 

Recommendation 5.8 – Standardised payment initiation application programming interfaces Authorised deposit-taking institutions should be obliged to receive a Consumer Data Right payment initiation instruction from an appropriately accredited person through a standardised application programming interface. Consumer Data Right agencies should engage with operators of major payment systems to develop Consumer Data Standards for bank account-to-account payment initiation that are, as far as possible, not specific to a particular payment system. The NPP API Framework, the UK Open Banking standards and standards used for international payments should be used as important reference points for developing these standards. 

Recommendation 5.9 – Cost of providing payment initiation Authorised deposit-taking institutions should be entitled to charge for complying with Consumer Data Right payment initiation requirements. The ACCC should be empowered to intervene if unreasonable fees are charged. 

Recommendation 5.10 – Consent-driven payment initiation Consumer Data Right payment initiation should require the explicit consent of the consumer regarding the types of payments that are being enabled, and the purposes for which these payments are being allowed. 

Recommendation 5.11 – Authentication requirements for payment initiation Authentication requirements for authorised deposit-taking institutions and accredited persons engaged in payment initiation should be determined based on an assessment of the risks inherent to payment initiation, as well as the need for consistency in the consumer experience. 

Recommendation 5.12 – Fine-grained payment initiation authorisation Consumers should be able to provide some level of specificity to their banks when authorising them to accept payment initiation instructions from an accredited person through the Consumer Data Right. The level of specificity required should be determined in the Rules and Standards. 

Recommendation 5.13 – Consistent and integrated consumer experience Consumer Data Right payment initiation should be designed to integrate into the rest of the Consumer Data Right to provide a consistent experience for consumers. Subject to consumer experience testing by the Data Standards Body, this should include the ability to provide consents and authorisations for data sharing, action initiation and payment initiation through a single process. Consumer Data Right agencies should engage with operators of major payment systems to support the alignment of payment consent mechanisms with the Consumer Data Right’s consumer experience standards and guidelines. 

Recommendation 5.14 – Allocation of liability and supporting fraud mitigation The existing compensation arrangements between the bank and the customer, including under the ePayments Code where it applies, should continue to apply to payments initiated through the Consumer Data Right. For the purposes of applying these arrangements, the conduct of the accredited person should be taken as being akin to the conduct of someone who the bank and customer have agreed can operate the account on the customer’s behalf. An accredited person should be responsible for losses arising from its own conduct, including when they result in an unauthorised payment from the consumer’s bank account. In this case, to the extent that the bank (because it has compensated the customer for the loss) or the customer suffers a loss from the unauthorised payment then they should have a direct right of action for compensation from the accredited person. The ePayments Code should be updated to further clarify how its liability provisions would apply when a third party initiates a payment. Consumer Data Right information security requirements should be updated for payment initiation and to support fraud mitigation processes. 

Recommendation 5.15 – Consumer Data Right payment initiation roadmap A Consumer Data Right payment initiation roadmap should be published, informed by consultation with the payments industry and interested stakeholders, to set clear expectations and drive the implementation of Consumer Data Right payment initiation. The roadmap should particularly draw on the timetable in the New Payments Platform’s Roadmap as a critical development in the Australian payments infrastructure. 

Recommendation 5.16 – Opportunities for alignment in implementing Consumer Data Right payment initiation In implementing Consumer Data Right payment initiation, authorised deposit-taking institutions should meet the recommended design features. CDR agencies should engage with the operators of major payment systems, including the New Payments Platform, to explore opportunities to align third party payment initiation arrangements with those recommended for Consumer Data Right payment initiation. This should be conducted with a view to facilitating the utilisation of those arrangements by banks to meet their Consumer Data Right payment initiation obligations, so that implementation is expedited and compliance costs are minimised. 

Recommendation 5.17 – Payments through a third party access to digital banking portal Once Consumer Data Right payment initiation is implemented by authorised deposit-taking institutions, strong consideration should be given to prohibiting the making of a payment through third party access to digital banking portals. This should be considered as the implementation of the required design features for Consumer Data Right payment initiation nears full implementation and becomes widely accessible on reasonable terms to consumers and accredited persons. 

Recommendation 5.18 – General action initiation in the banking sector General action initiation in the banking sector should enable product applications, updating details, managing products, closing a product, ending a customer relationship, and other associated general actions. These include general actions that support payments referred to in Recommendation 5.4. Certain information should be explicitly excluded from being subject to change through Consumer Data Right action initiation due to concerns for consumers’ privacy and safety. These classes of information should be identified through regulatory and privacy impact assessments, and through consultation with industry and consumer groups. 

Recommendation 5.19 – Prioritising product applications to support switching To support the streamlining of switching, product applications and establishing new customer relationships should be prioritised in the phased implementation of general action initiation in the banking sector. The Consumer Data Right rule maker should determine the order of prioritisation of general action initiation in consultation with consumer groups, the banking sector, accredited persons and other stakeholders. 

Recommendation 5.20 – Sector-specific regulation Relevant regulators, including ASIC, should provide guidance as to how the provision of services by an accredited person using Consumer Data Right data sharing or action initiation could impact upon whether the accredited person needs to obtain additional licences. 

Recommendation 5.21 – Identity verification assessments The Consumer Data Right should support consumer-directed sharing of Know Your Customer outcomes to the extent to which reliance is allowed on that outcome, in the event that proposed amendments to the reliance provisions in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 are passed by Parliament. 

Chapter 6 – Read access enhancements 

Recommendation 6.1 – Consumer Data Right to support specialisation and a sophisticated data ecosystem The Consumer Data Right should support the specialisation of services to allow businesses to design their own business models, promote innovation and support a safe and efficient digital economy. 

Recommendation 6.2 – Outsourced service providers The Consumer Data Right should allow third parties to collect and disclose data on behalf of an accredited data recipient under an appropriate outsourcing arrangement without separate accreditation. The accredited data recipient would retain liability, and the outsourced service provider would need to comply with existing Standards. 

Recommendation 6.3 – Accredited data recipient to accredited data recipient transfers The Consumer Data Right should allow transfers from an accredited data recipient to another accredited data recipient with customer consent, including transfers via arm’s length intermediaries to an accredited data recipient. 

Recommendation 6.4 – Authorised representatives CDR data should be able to be released to a CDR-authorised representative of an accredited data recipient, with the customer’s consent. The authorised representative should be able to hold a lower tier of accreditation, in light of the principal accredited data recipient providing data access, taking on liability for Consumer Data Right compliance and taking on responsibility for putting in place arrangements to ensure compliance. The design of arrangements should have close regard to the role of authorised representatives under the Australian financial services licensing regime. 

Recommendation 6.5 – Data holders to receive CDR data from their sector The Consumer Data Right should allow data holders to receive CDR data relating to their sector from other data holders and accredited data recipients without requiring additional accreditation. 

Recommendation 6.6 – Providing CDR data outside the system to regulated parties The Consumer Data Right should allow regulated third parties operating outside the Consumer Data Right ecosystem to receive varying levels of data with the consent of the consumer, with reference to the level of regulation of the recipient. This access should include transfers of CDR data or derived data for regulated activities or for regulatory compliance activities at the customer’s direction. 

Recommendation 6.7 – Data for low risk public benefit uses The Consumer Data Right should allow non-accredited parties operating outside the Consumer Data Right ecosystem to receive varying levels of data with the consent of the consumer, subject to appropriate restrictions, if they provide low risk services for public benefit. 

Recommendation 6.8 – Insights to non-accredited persons The Consumer Data Right should allow non-accredited third parties operating outside the Consumer Data Right ecosystem to receive, from a data holder or accredited data recipient, lower risk insights data derived from CDR data. 

Recommendation 6.9 – Cross-sector application of reciprocity The Consumer Data Right principle of reciprocal obligations of an accredited data recipient to respond to a consumer’s data sharing request should not be limited by the scope of sectoral designations at the time of accreditation. Accredited data recipients should be obliged to comply with a consumer’s request to share data which is the subject of a sectoral designation as well as equivalent data held by them in relation to sectors which are not yet designated. 

Recommendation 6.10 – Identifying equivalent data Equivalent data should exclude materially enhanced data and voluntary data sets. Equivalent data applicable to a person seeking accreditation as an accredited data recipient should be identified by the accreditor during the accreditation process. Identification of equivalent data should be subject to the same principles which apply to the selection of data sets through the formal sectoral assessment and designation process. Guidelines on the identification of equivalent data should be published by the regulator. 

Recommendation 6.11 – Exclusion from reciprocal data sharing obligations Accredited data recipients should be excluded from reciprocal data sharing obligations if they are below a defined minimum size. 

Recommendation 6.12 – Accreditation criteria The accreditation criteria should not create an unnecessary barrier to entry by imposing prohibitive costs or otherwise discouraging suitable parties from participating in the Consumer Data Right. A tiered, risk-based accreditation model should be used to minimise costs for prospective participants. 

Recommendation 6.13 – Tiering of accreditation Regulation of the Consumer Data Right should be able to allow tiering of accreditation requirements based on factors, including the risks associated with the accessible CDR data and the activities that could be undertaken with it. 

Recommendation 6.14 – Inclusion of data The process and criteria for clearing or disallowing new Consumer Data Right data set standards should not discourage or exclude the provision of any data sets that are suitable for use in the Consumer Data Right. This should include data sets within a designated sector that have not been designated, and data sets from sectors not designated. 

Recommendation 6.15 – Process for introducing voluntary data sets The Data Standards Chair should be able to approve standards for new voluntary data sets developed using different pathways. These pathways should include design by the Data Standards Body under a fee-for-service model upon request, industry-led design, or individual firms introducing bespoke data sets. There should be a set period of time that the Data Standards Chair has to clear or disallow any standards that do not meet the specified criteria or benefit consumers. 

Recommendation 6.16 – Guidelines for voluntary data sets Guidelines should be provided outlining specific criteria that new data sets and their associated standards need to meet for inclusion in the Consumer Data Right environment. 

Recommendation 6.17 – Maintenance of industry designed standards Standards for voluntary data sets introduced to the Consumer Data Right by industry participants must be maintained by industry participants. The Data Standards Chair should have the right to disallow such standards if they are not maintained to the level required. 

Recommendation 6.18 – Ongoing consumer experience research The Data Standards Body should continue to conduct ongoing consumer research in a consistent, principled way that is reflective of the needs of consumers, accredited persons and data holders. Where appropriate, the findings of this research should be given legal effect through recognition by the Rules or Standards. 

Recommendation 6.19 – Consumer Data Right dictionary The Data Standards Body should include as part of the Consumer Experience Standards, a non-exhaustive dictionary outlining, in plain English, definitions of common terms used in Consumer Data Right consents. For usage consents, this should include common understandings of purposes. 

Recommendation 6.20 – Industry recommended and endorsed consents Industry and consumer groups should be encouraged to develop and endorse standard wording for Consumer Data Right consents for specific purposes, and accredited persons should be permitted to display these endorsements in their consent processes through icons, descriptions, links or other appropriate methods. 

Recommendation 6.21 – No mandated central consent collection A central body should not be mandated to collect all consumer consent and authorisation information created by participants in the Consumer Data Right system. 

Recommendation 6.22 – Sharable consent information Consent and authorisation data should be designated as CDR data to facilitate the secure provision of centralised consent management services at the consumer’s direction. Consultation should be undertaken before determining who should be required to share this information, so as not to unduly increase barriers to entry into the system. 

Recommendation 6.23 – Limited action initiation for consent management Consumers should be able to authorise an accredited person to perform certain actions in regards to Consumer Data Right consents and authorisations on their behalf as a Consumer Data Right action. Consultation with industry and consumer advocates should be conducted prior to the full scope of actions being determined. 

Recommendation 6.24 – Privacy impacts of sharing consent information Prior to the designation of consent and authorisation information, the potential privacy impacts of facilitating the transfer of consent data should be separately reviewed. This process should pay special attention to the needs of vulnerable consumers. 

Chapter 7 – Consumer safeguards 

Recommendation 7.1 – Interaction with sector-specific consumer protections The interaction and potential overlap between industry-specific consumer protections measures and the Consumer Data Right regime should be considered when assessing the potential to designate a sector for data sharing or action initiation, with any barriers or conflicts between the regimes appropriately resolved. 

Recommendation 7.2 – Suitability of persons for action initiation Regulatory settings for accreditation should enable the accreditor to take into account all matters relevant to the applicant’s suitability to initiate actions of the type proposed. Requirements on persons seeking accreditation to advise the types of goods or services they propose to offer or, in the case of accredited persons, offer, consumers using CDR data should be extended to goods or services offered to consumers that involve the use of action initiation. 

Recommendation 7.3 – Remedies where instruction sent without a valid request If an accredited person sends action initiation instructions without obtaining a valid request from the consumer or complying with relevant Rules, consumers should have the right to take action against the accredited person. Other remedies (including civil penalties and suspension or revocation of accreditation), should also be available. 

Recommendation 7.4 – Remedies where data holder does not have authorisation If a data holder acts on action initiation instructions without having obtained the consumer’s authorisation to do so, the consumer should have the right to take action against the data holder. Other remedies (including civil penalties) should also be available. 

Recommendation 7.5 – Extending consumer protections for action initiation Consumer protections in Part IVD of the Competition and Consumer Act 2010 and the Rules, including the prohibitions on holding out and misleading and deceptive conduct in relation to consumer consent, should be extended or adapted as appropriate to apply to action initiation, with appropriate and proportionate remedies available. 

Recommendation 7.6 – Action initiation and accredited person’s obligations to consumers Where an accredited person seeks, or has been granted, a consumer’s consent to initiate actions with a data holder, the accredited person should be obliged to act efficiently, honestly and fairly in relation to initiating actions. In some sectors it may be appropriate that a higher standard (or additional obligations) apply, either generally or in relation to particular actions. This should be considered during sectoral assessment and rule making processes, and subject to consultation. If the accredited person fails to meet the standard of conduct required of them, the consumer should be able to take action against the accredited person. Other remedies (including civil penalties and suspension or revocation of accreditation) should also be available. 

Recommendation 7.7 – Monitoring impact on vulnerable consumers The impact of the recommended reforms on vulnerable consumers in designated sectors, including the availability and suitability of services offered and any trends in Consumer Data Right complaint data received, should be monitored to assess whether any regulatory settings require adjustment. The ACCC should be responsible for this monitoring. Additionally, an evaluation of the impact of the Consumer Data Right system on the wellbeing of vulnerable consumers should be completed 24 months after action initiation’s commencement. This assessment should be led by government in close collaboration with consumer representatives and industry. 

Recommendation 7.8 – Consumer education program CDR agencies should coordinate the development and implementation of a timely consumer education program for new Consumer Data Right designations. Participants, industry groups and consumer advocacy groups should also be invited to participate, as appropriate, in developing consumer awareness and education activities. 

Recommendation 7.9 – Encouraging innovation that benefits vulnerable consumers The Government should explore options to encourage the creation of products that use the Consumer Data Right to benefit consumers, including the establishment of a grants program to support developers to design and build such products. Government should seek input from consumer representatives and those providing services to vulnerable consumers in doing so. 

Recommendation 7.10 – Encouraging consumer representation in developing the Consumer Data Right The Government should explore ways in which interested consumer advocacy groups could be supported to contribute their expertise to the development of the Consumer Data Right and CDR-enabled products. This could include the engagement of consumer representatives in drafting guidance for accredited persons on the design of CDR-enabled products, which take into account vulnerable consumers’ needs. 

Recommendation 7.11 – Protections for action initiation instructions to be considered in the privacy and security assessments The privacy impact assessment and information security assessment should consider appropriate protections, proportionate to the risks involved for action initiation authorisation, consent and instruction data and, if warranted, identify protections that need to be put in place. Information security protections for action initiation authorisation, consent and instruction data should be proportionate to the risks presented by misuse of this data. The assessments should occur before the legislation is settled to determine what should be captured in the primary legislation, the Rules or Standards. 

Chapter 8 – Opportunities for connecting the Consumer Data Right to the data economy 

Customer authentication in the Consumer Data Right 

Recommendation 8.1 – Support for development of authentication solutions interoperable with the Consumer Data Right The Consumer Data Right should continue to be developed in a manner that encourages the use of interoperable authentication solutions, based on compatible international standards. 

Recommendation 8.2 – Minimum assurance standard for authentication to apply to data holders and accredited data recipients The Data Standards Body should develop a minimum assurance standard for authentication applicable to both data holders and accredited data recipients. The standard should support interoperability and flexibility for participants, provided minimum assurance standards and consumer experience standards are met. The standard should include provision of safe harbours for existing authentication requirements for current data sets and functions. 

Recommendation 8.3 – Minimum assurance standard for authentication to include a risk taxonomy and matrix As part of the minimum assurance standard for authentication the Data Standards Body should develop a risk taxonomy and risk matrix against which assurance levels for particular data sets and Consumer Data Right functions in each sector can be determined with a degree of consistency. This taxonomy and matrix should form part of the minimum assurance standard used to inform the level of assurance required, noting that other considerations will also factor. It should consider the nature of data, likelihood of harm to consumers if data is misused and other key factors that the Data Standards Body considers appropriate. This should be developed in consultation with industry and consumers. 

Leveraging standard setting and the Data Standards Body 

Recommendation 8.4 – Standards setting for data held by government The Data Standards Body should be available as a source of expertise in developing and maintaining data standards that other government initiatives, regulatory regimes and information technology systems could adopt. It should also be available as a central point for engagement in relevant international data setting fora. 

Leveraging the accreditation regime 

Recommendation 8.5 – Leveraging the Consumer Data Right data safety licence The ‘data safety licence’ and supporting register should be available to meet equivalent requirements in other regimes, in a way that is consistent with best practice cybersecurity risk management and broader cybersecurity frameworks. 

Recommendation 8.6 – Aligning data safety accreditations As an alternative to broader use of the ‘data safety licence’, or as an interim step (or in relation to international regimes), efforts should be made to align similar data safety ‘accreditations’. 

Recommendation 8.7 – Recognising external data safety accreditation Where external data safety accreditations align with Consumer Data Right requirements, these could be recognised by the Consumer Data Right or at least enable their ‘accreditation holders’ to go through streamlined Consumer Data Right accreditation. 

Linkages with the AI Ethics Framework 

Recommendation 8.8 – Guidance on artificial intelligence ethics in the Consumer Data Right Further guidance about transparency requirements relating to data aggregation activities such as the use of algorithms, the importance of privacy by design and the application of relevant ethical frameworks, including the AI Ethics Framework when utilising AI technologies for data within the Consumer Data Right regime should be included in a future version of the Privacy Safeguard Guidelines. In addition, the OAIC should consider, in consultation with the Consumer Data Right rule maker whether it may be appropriate to include consideration of these matters in its future assessments program. 

Linkages and interoperability with international data portability regimes 

Recommendation 8.9 – Using open international standards where available Open international standards should be used as a starting point for Consumer Data Right rules and standards where available and appropriate. 

Recommendation 8.10 – When diverging from open international standards Where divergences from open international standards are proposed, the reason for this should be clearly articulated during consultation, giving stakeholders a chance to comment on whether alignment or divergence would be the most appropriate course. 

Recommendation 8.11 – Streamlined accreditation The registration system for accredited data recipients (including underlying rules) should be updated to include a clear procedure for accreditation under equivalent foreign regimes to be considered (as appropriate) in meeting some or all of the requirements for participation in the Consumer Data Right. 

Recommendation 8.12 – Seek mutual arrangement with the United Kingdom Australia should approach the United Kingdom with the prospect of creating a mutual bilateral recognition regime. This should include a process for identifying differences in registration requirements so that any additional requirements in either regime are clearly articulated. 

Recommendation 8.13 – Engage with New Zealand Australia should engage with New Zealand as it considers whether and how to develop a consumer data right including to explore options for mutual recognition of licensing for participants. 

Recommendation 8.14 – International forum The Government should seek opportunities to convene an international forum for policy makers considering, designing, implementing and maintaining consumer-controlled data portability regimes. In the interim, Australia should formalise existing relationships by establishing a quarterly dialogue with international policy bodies commencing with the United Kingdom, New Zealand, India and Singapore. 

Chapter 9 – Consumer Data Right Roadmap 

Recommendation 9.1 – Sector assessments with product reference data Sector assessments and designation instruments should be able to focus solely on product data where the opportunity exists for product data already available outside the Consumer Data Right to be introduced to the Consumer Data Right system. 

Recommendation 9.2 – Prioritisation of Inquiry recommendations Recommendations should be prioritised primarily based on the benefits they will provide consumers, including their contribution to new products, participation in the ecosystem, consumer protection and ease of implementation. Recommendations that can be progressed without legislative amendments should also be prioritised. 

Recommendation 9.3 – Integrated Consumer Data Right Roadmap The Government should create an integrated roadmap for the implementation of the Consumer Data Right, in collaboration with stakeholders in the private and public sectors. This roadmap should focus on key external projects in their implementation phases that will impact the Consumer Data Right. 

Recommendation 9.4 – Post-implementation review A post-implementation assessment of action initiation and payment initiation should be conducted approximately 24 months after the commencement date, and its findings and recommendations reported to the Minister.