More choice, tailored products and lower prices! Impacts of Consumer Data Right legislation.
Summary of key points
- The Consumer Data Right will apply to individuals, small to medium and large businesses.
- It is asserted that these rights will lead to more choice, tailored products and lower prices, amongst other things.
- If you are an individual or small to medium business and your Consumer Data Right is breached, you will be able to obtain assistance from the ACCC and/or the OAIC.
- The Bill is anticipated to be put before parliament before the end of 2018.
Consumer Data Right legislation
In light of the Review into Open Banking in Australia (Review), the Government has committed to implement a Consumer Data Right, through the Treasury Laws Amendment (Consumer Data Right) Bill 2018 (Consumer Data Right). The first stage is proposed to be implemented by 1 July 2019.
Whilst the Consumer Data Right will be implemented within the Banking Sector first (starting with the big four: Westpac, National Australia Bank, ANZ Bank and the Commonwealth Bank), it will subsequently be rolled out to the telecommunications and energy sectors, with a view to making the legislation versatile enough to be adopted by any Australian economic sector, should the Government elect to do so in the future.
What is Consumer Data Right?
The Consumer Data Right gives consumers the right to access data about themselves held by businesses, and then direct that this information be transferred electronically to accredited, trusted third parties of their choice, for the purposes of, amongst other things, comparison services.
It is hoped that this will encourage businesses to offer consumers the most convenient and economical products and services available, tailored to that consumer’s specific needs, based on their spending, usage and/or history.
“Consumer” has a broad meaning, and includes individuals, as well as small, medium and large businesses.
What are the Government’s main aims for the Consumer Data Right?
The Government’s aim is that this consumer focused practice will be more efficient and fair, improve consumer control, improve access to a consumer’s own data, and improve competition and data driven innovation in Australia.
How will you benefit from the Consumer Data Right?
You, as a consumer, will have better access to data on a business and the key goods and services offered by it.
In addition, you will be able to compare the services you require between businesses, based on your actual usage of those services, saving you money by securing the most cost effective banking, electricity, phone and internet service deals available.
For example, you currently hold an account with a major bank, but wish to change institutions. You can direct your current bank, otherwise known as the ‘data holder’, to share your financial data electronically to other banks or third party comparison services, to locate the best options available to you.
How will your data remain secure?
Privacy and security are core features of the Consumer Data Right, and will be tailored to adequately reflect the needs of each sector.
The privacy protections to be put in place will include:
- Provisions that data can only be transferred at the discretion and direction of the consumer.
- Mandatory accreditation of data recipients.
- Establishment of a register of accredited data recipients, who have put in place suitable security and privacy protections.
- Obligations regarding deletion of consumer data.
- Creation of a “Data Standards Body”, who will set transfer, security and data standards.
- Amendments to the Privacy Act 1988 to extend current provisions and include new protections, binding all accredited data recipients.
- Enforcement of privacy protections through the involvement of the Office of the Australian Information Commissioner (OAIC).
- Avenues for consumers to seek remedies for any breach.
The Consumer Data Right is a right for consumers to make a choice to share their data, not for a business to share a consumer’s data without their consent.
Rigorous consent requirements will apply and consent must be genuine – there will be no “implied consent” allowed for data transfers.
What is the timeline for implementation of the new legislation?
The Government has set a challenging timeframe for bringing this reform into place for consumers.
Banking Sector – “Open Banking”
Open Banking is the application of the Consumer Data Right in the banking sector.
The first phase is directed at the four major banks, requiring them to make data available on credit card, debit card, deposit and transaction accounts by 1 July 2019, with data on mortgages to follow by 1 February 2020 (including for joint accounts where digital authorisations to transact on the accounts already exists). Data on all products recommended by the Review is to be made available by 1 July 2020.
The second phase requires all remaining banks to implement this “Open Banking” a further 12 months after each of the dates set for the major banks.
Having said this, the Australian Competition and Consumer Commission (ACCC) is responsible for determining phasing details and has the power to adjust this timing if necessary.
The aim will be for consumers to be able to access and transfer their spending information, including deposit and credit account transactions and basic product information, from 1 July 2019.
Currently, Treasury is working alongside the Department of Environment and Energy to make determinations as to facilitating access to consumer energy data, and identify options for the manner and timing of implementation of the Consumer Data Right in the energy sector.
The ACCC will be responsible for examining the application of the Consumer Data Right within the telecommunications sector. This will include an examination into what consumer data sets are available, and of those, what specific data sets will be made available under the Consumer Data Right.
The Treasurer will have the power to apply the Consumer Data Right to new sectors. The ACCC will begin assessments of potential future sectors, once sufficient progress has been made with respect to implementation in the three current sectors.
Who will be regulating this?
The ACCC, OAIC and a new “Data Standards Body” will be joint regulators under a multi-regulator model.
The enabling legislation will set out the role, functions and powers of each of the joint regulators.
Consumer Data Rules
The ACCC will have the power to make Rules for each sector, and these Rules will dictate how the Consumer Data Right will work in practice. These Rules, once established, will guide the practical manner in which the Consumer Data Rights will operate.
What are the implications for breaches of the Consumer Data Right?
The OAIC will be responsible for handling complaints with respect to any breaches of the Consumer Data Right for small to medium businesses (under $3M turnover). Should the OAIC opt not handle a complaint themselves, they will direct the consumer making the complaint to another agency or dispute resolution body, such as the Australian Financial Complaints Authority.
The OAIC will be primarily responsible for handling complaints made by individuals and small to medium sized businesses, including providing remedies and strategic enforcement with respect to breaches of privacy.
The ACCC will also play a role in the event that there are repeated or more serious breaches by data holders.
Remedies available from these regulators will include infringement notices, civil penalties, compensation orders, enforceable undertakings, de-accreditation of data recipients (or suspensions or imposition of conditions) and court injunctions, including orders for the deletion of data.
Large businesses will not be provided assistance from the OAIC. These consumers will be able to directly litigate for any breach of their Consumer Data Right.
Small to medium sized businesses and individual consumers will also be able to directly litigate, for any breach of their Consumer Data Right.
Craig Higginbotham and Lynette Prichard
19 October 2018