ACCC revises Customer Data Right rules

The Australian Competition and Consumer Commission (ACCC) has made further revisions to the rules around the yet-to-be-legislated Customer Data Right (CDR) and is encouraging feedback from consumers, businesses and community organisations.

Under the draft Treasury Laws Amendment (Consumer Data Right) Bill 2018 – the legislation that will underpin the open banking regime coming into effect on 1 July – individual and business consumers will be able to access their own data or direct custodians to share their data with accredited entities such as banks, telcos, energy companies and comparison service providers to get tailored access to services and competitive deals.

According to the ACCC’s exposure draft, released on Friday (29 March), the CDR consumer and the accredited person (such as a mortgage broker) must sign a “CDR contract” – under which the accredited person uses the consumer’s CDR data to deliver goods and services to the consumer – before a data-sharing request can be made.

The consumer would have to explicitly consent to the accredited person “collecting specified CDR data from the data holder of that CDR data” and “using the collected data in order to provide goods or services under the contract”, according to the exposure draft.

The consent must be voluntary, express, informed, specific as to purpose, time limited and easily withdrawn, while the consent process is required to be “as easy to understand as is practicable”. Even if a period of time is specified in the CDR contract between the accredited person and the CDR consumer, the accredited person must notify the consumer that the consent is current every 90 days.

The accredited person cannot collect “more data than is reasonably necessary in order to provide goods or services under the CDR contract”, nor can they use the collected data for purposes outside what the consumer has explicitly consented to.

Requests to share consumer data by accredited persons are to be made using the data holder’s “accredited person request service”, which is an online service to be provided by data holders.

The exposure draft states that this service must “enable requested data to be disclosed in machine-readable form” and “conform with the data standards”.

Once the request has come through the online service, the data holder is required to obtain authorisation from the consumer “as soon as practicable” to share the data.

Once authorisation has been obtained, the data holder will have to share the data with the accredited person through its online accredited person request service and cannot charge the accredited person for making the request.

The data holder can refuse a request to share data made by an accredited person if it has “reasonable grounds” to believe that it would “create a real risk of harm or abuse to an individual” or “adversely impact the security, integrity or stability of the Register of Accredited Persons or the information and communication technology systems the data holder uses to receive requests, and to disclose CDR data, under these rules”.

If the data holder is to refuse a request, they must inform the ACCC within 24 hours of the refusal and the reasons for it using an ACCC-approved form.

The draft rules also permit the accredited recipient to share the collected data with an outsourced service provider for the purpose that the “outsourced service provider can use the data to provide goods or services to the accredited data recipient that will assist the accredited data recipient to provide the goods or services under the CDR contract”.

To be able to share data with an outsourced service provider, the accredited data recipient must be in a contractual relationship with the provider for the provision of goods and services. The outsourced service provider is bound by the same rules as the accredited data recipient when it comes to information security privacy.

ACCC commissioner Sarah Court said in a statement that the regulator will continue to “work through important issues, such as guidance for potential data recipients on the requirements for accreditation, and the operation of a pilot that is scheduled to begin in July 2019”.  

Feedback to the draft rules are to be submitted by 10 May 2019 via the ACCC’s consultation hub.

[Related: CDR not designed to empower the powerful: ACCC]