The Australian Treasury has recently released draft legislation[1] with respect to Consumer Data Right (CDR) for a second round of public consultation. Under the proposed CDR regime, businesses in certain sectors of the economy will be compelled to provide consumers (individuals and business customers) with access to particular data, including their transactions, usage and product information. Consumers will also have the right to direct a business to transfer such data relating to them to a trusted third party (known as an “accredited data recipient”) – for example, to another bank. This follows recommendations by the Productivity Commission[2] and the Treasury’s Review into Open Banking conducted in 2017. The CDR is intended to facilitate greater competition by providing consumers with greater control of the data relating to them held by businesses.
The concept of Open Banking refers to the CDR regime as it applies to the banking sector[3].
The Australian Competition and Consumer Commission (ACCC) will be primarily responsible for regulating CDR and Open Banking, and we note that the ACCC has also consulted stakeholders on its draft Rules Framework. Under the current proposal, banks must make data under Open Banking available to consumers without charge.
Whilst CDR and Open Banking rely upon the accessibility and sharing of consumer data, the proposed legislation contains a high degree of privacy safeguards, protection and information security provisions. Proposed measures to enhance privacy under the CDR regime include the need for data recipients to be accredited by the ACCC[4]; the introduction of stronger transfer, security and data standards; and 13 “Privacy Safeguards” that mirror the structure of the Australian Privacy Principles under the Privacy Act 1988 and which will interact with them.
The Office of the Australian Information Commissioner (OAIC) will be responsible for regulating the privacy and data breach notification aspects of the proposed regime.
Although the draft legislation has not yet been tabled in Parliament, the Government’s plan is for Open Banking to be phased in, commencing on 1 July 2019 with the “Big Four” banks being required to make available data associated with credit and debit cards, deposits and transactions accounts. This will be followed by the Big Four banks having to make available data about mortgage products by 1 February 2020. At this stage, Open Banking is planned to commence for all other Authorised deposit-taking institutions (ADIs) on 1 July 2020 with all available data for all banking products of all ADIs being captured by the regime by 1 July 2021.
Given these anticipated timeframes, ADIs should consider what changes will need to made their IT systems, processes and privacy measures in order to comply with the CDR regime as it applies to them. ADIs may also need to include new provisions in key IT service provider agreements to support the proper management of CDR data, and to update privacy policies and collection statements.
It is expected that, following the successful implementation of Open Banking, CDR would eventually be rolled out to the energy sector, telecommunications sector and other parts of the Australian economy. The energy sector is likely to be second sector to implement the CDR. The timing of that implementation is still being considered by the government.
[1] The Treasury Laws Amendment (Consumer Data Right) Bill 2018, if passed by Parliament in its current form, will amend the Competition and Consumer Act 2010, the Privacy Act 1988 and the Australian Information Commissioner Act 2010.
[2] Productivity Commission Data Availability and Use Inquiry Report, 8 May 2017.
[3] Exposure draft Consumer Data Right (Authorised Deposit-taking Institutions) Designation 2018 relating to Open Banking has been released by the Treasury.
[4] We note that an overseas entity (such as a foreign ADI) may be able to be accredited as an accredited data recipient under the currently proposed CDR legislation.