Under the draft Treasury Laws Amendment (Consumer Data Right) Bill 2018, individual and business consumers will be able to access their own data or direct custodians to share their data with accredited entities that have “satisfactory security and privacy safeguards” in place.
Such entities could be banks, telcos, energy companies and comparison service providers that would be able to deliver tailored access to consumer data.
“Data recipients must be accredited as trustworthy to receive data pursuant to the Consumer Data Right, enabling customers to have justified confidence in the system,” Federal Treasurer Scott Morrison said.
Consumer data will be subject to “strong privacy safeguards” similar to the individual protections contained in the Australian Privacy Principles (APPs) as part of the Privacy Act, but more restrictive so that an “enhanced level of protection” is built around CDR data, specifically individual and small business consumer data, according to the government’s explanatory memorandum.
“The privacy safeguards provide minimum standards for the treatment of CDR data. They can be supplemented by the consumer data rules to ensure CDR data is adequately protected. This also means that the system is able to respond flexibly to any emerging risks,” the memorandum states.
“The APPs have been switched off and substituted by the CDR safeguards in respect of the use, disclosure, storage and collection of CDR data by accredited data recipients.”
The Privacy Act will additionally be extended to protect the non-CDR data held by small businesses, so long as they are accredited data recipients with an annual turnover of less than $3 million.
Mr Morrison called the Bill “a game-changer for Australians” as it would allow consumers to use their data, for their own benefit, such as finding better deals on banking products.
The Treasurer cited the Productivity Commission’s final report on competition in the Australian financial system, which found that the average household could save up to $1,000 a year on their home loan if they switched to another lender. However, Mr Morrison noted that oftentimes households choose not to refinance or don’t know how, unhelped by what the PC has claimed is a “blizzard of barely differentiated products” on offer.
“With over 4,000 different residential property loans on offer, it is no wonder that customers struggle to determine which home loan is best for them,” Mr Morrison said.
“No longer will Australians be left in the dark by banks and financial service providers.
“Customers will determine which data is shared, on what terms and with whom. The Consumer Data Right is a right for customers and not for those who wish to access or use a customer’s data.”
The shared data would have to be in a CDR-compliant format, the draft Bill stipulates, which will be determined by the Australian Competition and Consumer Commission (ACCC), in consultation with the Office of the Australian Information Commissioner (OAIC) and the Data Standards Body (DSB).
“The CDR will provide the OAIC with the function of enforcing the privacy safeguards and providing individual remedies to consumers, while the ACCC will have the function of enforcing the balance of the regime and for taking strategic enforcement actions,” the government’s explanatory memorandum states.
The memorandum further highlights the importance of ensuring an interoperable framework for data sharing, as the open banking regime will be extended to other sectors such as energy and telecommunications.
“While the standards may apply differently across sectors, it is important that the manner and form of the data coming into the CDR system be consistent within and between designated sectors, as far as is practicable. This will promote interoperability, reduce costs of accessing data and lower barriers to entry by data-driven service providers, promoting competition and innovation,” the explanatory memorandum states.
The draft legislation further stipulates that the ACCC would be provided the power to determine how the CDR — which will initially apply to the banking industry before being rolled out across energy, telecommunications and other sectors — functions in each sector.
The competition watchdog has already set up a dedicated Consumer Data Right Branch, which will have the authority to establish rules around the “accreditation of an entity, use, storage, disclosure and accuracy of CDR data”, the format of CDR data, and the data standards, according to the explanatory memorandum.
The memorandum acknowledges that while it might appear that the ACCC is being handed “significant powers to create consumer data rules”, it suggested that the broader context be considered.
“The CDR will be applied across very different sectors of the economy which are already subject to various regulatory regimes. As a result, the government considers it important to provide direction to the ACCC on the types of consumer data rules that can be made, balanced with the flexibility to make rules that are appropriate and adapted to any industry that might become designated into the future,” the explanatory memorandum states.
According to the exposure draft legislation, individual and business consumers will also have access to dispute resolution processes to resolve disagreements with participants in the CDR system, for example, through the new Australian Financial Complaints Authority (AFCA), which amalgamates the Financial Ombudsman Service, the Superannuation Complaints Tribunal and the Credit and Investments Ombudsman to provide consumers access to “free, fast and binding dispute resolution” at a single destination.
The draft legislation also considers conduct that misleads a CDR consumer into believing they are making a valid direction to provide access to data, such as phishing websites, as an offence that warrants civil penalties.
The government is accepting submissions to the draft legislation until 7 September 2018.