E+Co Alerts


Data + Privacy: Open Banking and the new Consumer Data Rights

In the context of ongoing Australian regulatory developments in data and privacy, the Government has now released the new framework for regulation of the “Consumer Data Right” (‘CDR’).


The CDR gives ‘CDR consumers’ the ability to control access to their data held in digital form. It is noteworthy that CDR consumers are not just individuals; the term also includes businesses and trusts.

The ACCC proposes to make rules specifying the minimum set of “CDR data” that must be covered, including customer name, contact details, account numbers and direct debits. The ACCC has released the CDR Rules Framework and held a public consultation period that closed on 12 October 2018.

Open banking context

The context for this is the Government’s independent review into banking in Australia, undertaken as part of the introduction of an Open Banking regime. On 9 May 2018, the Government announced the introduction of the CDR to “…provide individuals and businesses with a right to efficiently and conveniently access specified data in relation to them held by businesses…”.

The Government has announced that the banking sector will be the first sector brought within the CDR, and as a result the framework currently has a banking focus. However, regulation of other sectors may follow. In the initial phase, the rules will apply only to the four major banks and to the online customers of those banks.

The revisions are intended to bring greater competition to the sector, by enabling other financial service providers to offer additional services to bank customers.

Sharing obligations

Under the ACCC Rules Framework, a data holder will be required to share CDR data with the consumer themselves or with accredited data recipients (‘ADRs’).

Sharing data with the consumer: The CDR Rules Framework proposes rules under which the consumer may request their data using online mechanisms, nominating the specific data sought in their request.

Sharing data with ADRs: The CDR Rules Framework proposes rules under which a data holder may share CDR data with ADRs. The process requires the consumer to give consent to the ADR. When the ADR then seeks to access the data from the data holder, there is a two-way authentication process under which the data holder authenticates: (i) the identity and accreditation status of the ADR; and (ii) the identity of the consumer. Only once the consumer has authorised the disclosure does the data holder share the data directly with the ADR.

Proposed ADR Requirements

The ACCC proposes that potential ADR applicants must:

— be “fit and proper persons” to receive the data;

— have appropriate systems to comply with the legislation, including in relation to privacy management risks (the ACCC seeks stakeholder views on certification against evidentiary industry standards);

— have internal dispute resolution processes and be a member of an external dispute resolution body recognised by the ACCC; and

— hold appropriate insurance.

Data contemplated to be covered initially

Most data provided by or on behalf of a customer to a data holder, and held in digital form, would be covered. The ACCC proposes to make rules that, at a minimum, the following data be covered:

— Customer name;

— Contact details;

— Account number(s);

— Payee lists/direct debits;

— Account-level information, including authorisations; and

— Unique identifiers.

It is expected that data collected prior to 1 January 2017 will be excluded from scope. Identity verification information is also excluded from disclosure to an ADR.

The ACCC is considering whether metadata should be included, such as data on where a transaction occurred (geolocation data) or when it occurred.

The draft legislation provides that CDR data can include data that is “directly or indirectly derived from underlying CDR data”. One purpose of this is to bring transformed or value-added data within the CDR regime, although it appears, based on the Open Banking review, that this would not extend to data that has undergone “material enhancement by the application of insights, analysis or transformation by the data holder”.

Other matters

The ACCC’s view is that failures by data holders and ADRs to comply with their obligations will attract civil penalties, though the Framework does not yet identify which rules will be subject to a civil penalty.

Now that the public consultation period has closed, it is expected that draft rules will be published in December 2018. They will have legal authority once the legislation (Treasury Laws Amendment (Consumer Data Right) Bill 2018) has passed Parliament, which is expected in 2019.

This area is another example of the consumer-protectionist direction in which Australian regulation of data and privacy continues to evolve. Whilst it applies only to the banking sector initially, it provides useful indicators of the sorts of processes and standards that can be expected to apply more broadly over time.

About James Edwards
James is the founder and principal of Edwards + Co, and advises businesses on legal and commercial issues in a world enabled, disrupted and re-assembled by the internet of everything.
