The CDR aims to provide consumers with rights to direct a business to transfer data on the consumer to a third party in a useable, machine readable form as well as to provide product data to facilitate an economy wide consumer directed data transfer system and reduce barriers to change of suppliers, thereby increasing consumer rights and competition.
The main aim is to allow consumers to switch service providers and services (for example bank accounts or energy providers) in an easy way without any of the friction cost involved to date. For example, automatic bill paying and direct debiting arrangements make it cumbersome for the average consumer to switch bank accounts. That has led to a sticky customer relationship and reduced competition and innovation.
The CDR will require new thinking from those in designated services and likely lead to innovative disaggregated intermediaries, especially on app-based architecture in an ever deepening IoT environment.
The government has determined that the CDR will be immediately targeted at the banking sector, with the energy and telecommunications sectors to follow. Ultimately, the law will be introduced sector by sector broadly across the economy.
With opportunity comes risk — the right will increase the move to tech-heavy solutions and inevitably engage information and privacy risks.
The CDR mirrors the data portability right in EU GDPR Article 20, which suggests that Australia is moving closer to the EU conception of privacy in certain areas.
With opportunity comes risk — the right will increase the move to tech-heavy solutions and inevitably engage information and privacy risks. Understanding the regulatory framework is crucial for business with new regulatory roles for current regulators and a new regulatory body.
The architecture of the CDR will permit an individual to ask that his or her unique data (excluding data and observations derived from that by the data holder, which will remain proprietary) be transferred to another provider. It will also allow a third party (for example watchdog groups) to require the production of data relating to products that is not specific to any consumer. This will allow for more wide spread comparison of products and services and assist in consumer choice, for example by price comparison services.
What about the Australian Privacy Principles?
There are obvious similarities and overlaps with the APP and, in particular, APP12, which deals with the right of access to personal information held in respect of a person.
The main legislative framework is brought about by amendments to the Competition and Consumer Act 2010.
The Rules will:
- enable consumers in certain sectors of the Australian economy to require information relating to themselves in those sectors to be disclosed to themselves or to accredited persons
- enable any person to be disclosed information in those sectors that is about goods or services, and does that not relate to any identifiable, or reasonably identifiable, consumers
- may require these kinds of disclosures, and other things, to be done in accordance with data standards. A register is to be kept of accredited persons.
Privacy safeguards apply. These mainly apply to accredited persons who, under those rules, are disclosed information relating to identifiable, or reasonably identifiable, consumers.
The Act also enables civil penalties and permits actions for damages by consumers.
How does a sector get designated?
The ACCC, OAIC and the new Data Standards Body will liaise in respect of new sectors and then a sector will be formally designated by the ACCC pursuant to the legislation.
Consumer finance was chosen as the first industry to bring in the CDR in the form of Open Banking, but the relevant reviews and legislation have been designed to keep interoperability between sectors in mind.
The CDR will also be able to work in other sectors of the economy, for example, energy and telecommunications and those sectors will be introduced over time (once the Open Banking Regime has been established).
What data must be provided?
The following can be the subject of a request:
- information about the user of the product
- information about the use of the product by the person or an associate of the person
- information about a product.
The following cannot be the subject of a request:
- Information that is not information about the user of a product is not subject to the CDR. It is essentially credit history and default information. The exchange of this information is regulated by the Privacy Act.
- Information that materially enhances consumer data is not subject to CDR.
How to request CDR data?
Consumer data requests made by CDR consumers
A consumer data request that is made directly to a data holder is made using a specialised online service provided by the data holder. The data is disclosed, in human-readable form, to the CDR consumer who made the request.
It can be requested by a consumer or a consumer can authorise another (eg another bank) to request that consumer’s CDR data be transferred. That third party must first be accredited and must make a request in accordance with relevant data standards, using a specialised service provided by the data holder. The data is disclosed, in machine-readable form, to the accredited person.
Under the data minimisation principle, the accredited person may only collect and use CDR data in order to provide goods or services in accordance with a request from a CDR consumer.
Product data requests
Any person may request a data holder to disclose CDR data that relates to products offered by the data holder. Such a request is called a product data request.
A product data request is made in accordance with relevant data standards, using a specialised service provided by the data holder. Such a request cannot be made for CDR data that relates to a particular identifiable CDR consumer. The data is disclosed, in machine-readable form, to the person who made the request. The data holder cannot impose conditions, restrictions or limitations of any kind on the use of the disclosed data.
A fee cannot be charged for the disclosure of required consumer data, but could be charged for the disclosure of voluntary consumer data.
Requirement to create dashboards and consumer data request services
Data holders must make available online services that can be used for:
- product data requests by consumers
- the provision of requested data to be disclosed in machine readable form.
Accredited persons (ie those who are authorised to receive consumer data) must also have a dashboard that allows CDR consumers to manage their requests and associated consents to collection and dealing with new CDR data.
Importantly, the requirement only seems to be available online. How this will affect less technologically literate, or lower socio-economic status Australians appears not yet to have been considered (we expect that this will be remedied shortly).
The data minimisation principle
Data holders must comply with the data minimisation principle.
The accredited person may only collect and use CDR data in order to provide goods or services in accordance with a request from a CDR consumer and must comply with the Privacy safeguards. These are consistent with the APPs in the privacy regime.
An accredited person:
- must not collect more data than is reasonably needed in order to provide the requested goods or services
- may use the collected data only as consented to by the consumer, and only as reasonably needed in order to provide the requested goods or services.
What are the Privacy Safeguards?
Privacy Safeguard |
APP |
1 |
Open and transparent management of CDR data |
Open and transparent management of personal information |
2 |
Anonymity and pseudonymity |
Anonymity and pseudonymity |
3 |
Soliciting CDR data from CDR participants only with valid requests |
Collection of solicited personal information |
4 |
Dealing with unsolicited CDR data from participants — duty to destroy |
Dealing with unsolicited personal information |
5 |
Notifying of the collection of CDR data |
Notification of the collection of personal information |
6 |
Use or disclosure of CDR data by accredited data recipients or designated gateways |
Use or disclosure of personal information |
7 |
Use or disclosure of CDR data for direct marketing by accredited data recipients or designated gateways by request or with valid consent |
Direct marketing |
8 |
Overseas disclosure of CDR data by accredited data recipients on condition that there be substantially equivalent privacy safeguards |
Cross-border disclosure of personal information |
9 |
Adoption or disclosure of government related identifiers by accredited data recipients not permitted unless authorised |
Adoption, use or disclosure of government related identifiers |
10 |
Notifying of the disclosure of CDR data |
Quality of personal information |
11 |
Quality of CDR data — date must be accurate, up to date and complete |
Security of personal information |
12 |
Security of CDR data and destruction or de identification of redundant CDR data |
Access to personal information |
13 |
Correction of CDR data |
Correction of personal information |