Treasury summarises the Bill as follows -
1.1 The Consumer Data Right (CDR) will provide individuals and businesses with a right to efficiently and conveniently access specified data in relation to them held by businesses; and to authorise secure access to this data by trusted and accredited third parties. The CDR will also require businesses to provide public access to information on specified products they have on offer. CDR is designed to give customers more control over their information leading, for example to more choice in where they take their business, or more convenience in managing their money and services. Over time it is expected that these same benefits will be rolled out to other sectors of the economy.
1.2 The Government has committed to applying the CDR to the banking, energy and telecommunications sectors. The CDR relating to banking data is commonly referred to as “Open Banking”.
1.3 CDR will reduce the barriers that currently prevent potential customers from shifting between banking and other service and utility providers. Through requiring service providers to give customers open access to data on their product terms and conditions, transactions and usage, coupled with the ability to direct that their data be shared with other service providers, we would expect to see better tailoring of services to customers and greater mobility of customers as they find products more suited to their needs.
1.4 The CDR places the value of consumer derived data in the hands of the consumer and will enable a range of business opportunities to emerge as new ways of using the data are discovered. Consumers will be the decision makers in the CDR system and will be able to direct where their data goes in order to obtain the most value from it.
1.5 Strong privacy and information security provisions are a fundamental design feature of the CDR. These protections include Privacy Safeguards and additional privacy protections through the consumer data rules. The OAIC will advise on and enforce privacy protections. Consumers will have a range of avenues to seek remedies for any breach of their privacy including access to internal and external dispute resolution.
Context of amendments
1.6 On 26 November 2017, the Government announced, as a partial response to the Productivity Commission’s Inquiry into Data Availability and Use (the PC Data Report), the introduction of a Consumer Data Right (CDR) with application initially in the banking, energy and telecommunications sectors. The Government confirmed its commitment to the CDR and announced the creation of a new National Data Commissioner, as part of its full response to the PC Data Report on 1 May 2018.
1.7 In its response to the Productivity Commission’s Data Report the Government announced that CDR will be introduced to provide individuals and businesses with a right to efficiently and conveniently access specified data about them held by businesses. Under the CDR consumers can also authorise secure access to this data by trusted and accredited third parties The CDR will also require businesses to provide public access to information on specified products they have on offer. A key feature of the right is that access must be provided in a timely manner and in a useful digital format.
1.8 On 20 July 2017, the Treasurer commissioned the Review into Open Banking in Australia 2017 (Open Banking Review) to recommend the best approach to implementing Open Banking. The report recommended that Open Banking be implemented through a broader CDR framework. The report was then released for public consultation on 9 February 2018 and on 9 May 2018 the Government responded to the Open Banking Review, agreeing to all the recommendations, other than the recommendation about the timing for implementation.
1.9 The CDR implements recommendations from a wide range of reviews. Notably, the Competition Policy Review 2015 (the Harper Review), was the first to recommend data access and portability rights in an efficient format across the economy. This recommendation was further developed in the Productivity Commission’s Inquiry into Data Availability and Use 2017 and the Australia 2030: Prosperity through Innovation Review 2017 (ISA 2030).
1.10 A number of reviews have recommended data portability rights in specific sectors including the Financial System Inquiry 2015 (the Murray Inquiry), the Northern Australia Insurance Premiums Taskforce Final Report 2016, the Review of the Four Major Banks 2016 (the Coleman Review), the Independent Review into the Future Security of the National Electricity Market – Blueprint for the Future 2017 (the Finkel Review), the draft report on Competition in the Australian Financial System 2018, COAG’s report Facilitating Access to Consumer Energy Data, the Australian Small Business and Family Enterprise Ombudsman’s report Affordable Capital for SME Growth, and the ACCC’s Electricity Supply and Prices Inquiry 2018.
1.11 The CDR provides access to a broader range of information within designated sectors than is provided for by Australian Privacy Principle (APP) 12 in the Privacy Act. While APP 12 allows individuals to access personal information about themselves, the CDR applies to data that relates to individual consumers, as well as business consumers. It also provides access to information that relates to products.
1.12 As the CDR covers both competition and consumer matters, as well as privacy and confidentiality concerning the use, disclosure and storage of data, the system will be regulated by both the ACCC and the OAIC. The ACCC will take the lead on issues concerning the designation of new sectors of the economy to be subject to the CDR and the establishment of the consumer data rules. The OAIC will take the lead on matters relating to the protection of individual and small business consumer participants’ privacy and confidentiality, and compliance with the CDR privacy safeguards.
1.13 A Data Standards Body will also be established to assist a Data Standards Chair as he or she makes data standards. These data standards will explain the format and process by which data needs to be provided to consumers and accredited entities within the CDR system. Initially, this function will be undertaken by Data61 of the CSIRO.
Summary of new law
1.14 The CDR creates a new framework to enable consumers to more effectively use data relating to them for their own purposes. While initial application will be to the banking sector, the Government has committed that the telecommunications and energy sectors will soon also be subject to the CDR creating opportunities in these key areas of the economy for consumers to ensure that they are getting the best deal for their circumstances.
1.15 Further sectors of the economy may be designated over time, following sectoral assessments by the ACCC in conjunction with the OAIC.
1.16 The CDR framework gives consumers control over their consumer data. It will enable them to direct the data holder to provide their data, in a CDR compliant format, to accredited entities including other banks, telecommunications providers, energy companies or companies providing comparison services. CDR also allows consumers to access their own data without necessarily directing that the data be provided to a third party. The CDR system may also see the emergence of new data driven service providers.
1.17 The ACCC is provided with the power to make rules, in consultation with the OAIC, that will determine how CDR functions in each sector.
1.18 Entities must be accredited before they are able to receive consumer data. This will ensure that the accredited entities have satisfactory security and privacy safeguards before they receive CDR data.
1.19 Data relating to a consumer will be subject to strong privacy safeguards once a consumer requests its transfer to an accredited recipient. These safeguards are comparable to the protections for individuals contained in the APPs. The safeguards provide consistent protections for consumer data of both individuals and business enterprises. They also contain more restrictive requirements on participants than those applying under the Privacy Act.
1.20 The data must be provided in a format which complies with the standards. While the standards may apply differently across sectors, it is important that the manner and form of the data coming into the CDR system be consistent within and between designated sectors, as far as is practicable. This will promote interoperability, reduce costs of accessing data and lower barriers to entry by data driven service providers – promoting competition and innovation.
1.21 All individual and small business consumers in a designated sector to which the CDR applies will have access to dispute resolution processes to resolve disagreements with participants in the system. It is envisaged that sectors will access existing alternative dispute resolution arrangements, for example AFCA.
1.22 The CDR will provide the OAIC with the function of enforcing the privacy safeguards and providing individual remedies to consumers, while the ACCC will have the function of enforcing the balance of the regime and for taking strategic enforcement actions.