The proposed ‘Consumer Data Right’ (CDR) is a scheme where individuals and businesses are able to access ‘their data’, or direct that their data is shared with other entities. The CDR will initially apply to entities in the banking sector, but will likely soon after apply to businesses in the telecommunication and energy sectors with other sectors to potentially follow.
The CDR scheme is significant because it imposes additional privacy and data sharing obligations on regulated entities (beyond the existing obligations under the Privacy Act 1988 (Cth)). Penalties will apply for non-compliance.
While the bill is subject to public consultation (which closes on 7 September 2018), the following key features may be immediately relevant to your organisation:
- Application of the Consumer Data Right.
- The Consumer Data Right scheme will apply to ‘Designated Sectors’ of the Australian economy (i.e. sectors the Minister declares the scheme will apply to) and particularly to Data Holders in that sector.
- ‘Data Holders’ are the entities in a Designated Sector that hold ‘CDR data’ (defined below). Generally, Data Holders are the entities that have collected, generated or hold ‘CDR data’.
It has already been announced that the banking sector will be the first sector required to comply with the CDR scheme. The banking sector designation is expected to come into effect on 1 July 2019, and will stipulate which Authorised Deposit-taking Institutions could be considered Data Holders. The energy sector is expected to follow quickly (if not at the same time as the banks), and then the telecommunications sector.
- Transfer of CDR data.
- The Consumer Data Right will only apply to ‘CDR data’. When declaring that a sector is a ‘Designated Sector’, the Minister will also specify what information will be considered ‘CDR data’.
- Generally, there will be three categories of CDR data:
- information that relates to a ‘CDR consumer’;
- information that relates to a product (e.g. information in the product disclosure statement); and
- data that is derived from these sources.
- To give an example of the types of data that will be considered CDR data, it is anticipated that from 1 July 2019 the major Australian banks will need to make available information relating to credit and debit cards, and relating to deposit and transaction accounts. Following this, it is expected that information regarding customers’ mortgages will need to be made available by 1 February 2020.
- A CDR consumer is permitted to request access to CDR data, or to direct that CDR data be shared with an accredited entity (with accreditation initially being managed by the ACCC). Importantly, a CDR consumer is defined to include individuals, and small, medium or large business enterprises.
- Privacy protection and the ‘consumer data rules’.
The Consumer Data Right scheme deals with privacy and data protection through the following mechanisms:
- Consumer data rules – the CDR scheme permits the ACCC to make ‘consumer data rules’ on a range of elements of the CDR system. The rules may relate to the disclosure, use, accuracy, storage, security and deletion of CDR data, accreditation of data recipients, reporting and record keeping, and any other matter incidental to the CDR system. The consumer data rules may be enforced through the ACCC’s existing infringement notice system, or as a civil penalty (if the consumer data rules state that a rule is subject to a civil penalty).
- Data standards – a Data Standards Body will be established under the scheme tasked with creating data standards relating to how data should be shared. It is expected that this role will be undertaken by Data61 (CSIRO’s data arm – CSIRO is the Australian Government’s research organisation). The data standards are given contractual effect, and can be enforced by an individual and the ACCC.
- Privacy safeguards – the CDR scheme introduces certain privacy safeguards which apply irrespective of whether data belongs to an individual or a business (unlike the Australian Privacy Principles, which apply only to ‘personal information’). The OAIC is responsible for promoting compliance with the privacy safeguards. The privacy safeguards are also civil penalty provisions, and the OAIC is permitted to seek the application of a civil penalty for the contravention of a privacy safeguard.
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.