The introduction of 'open banking', that is, the Consumer Data Right (CDR) regime applicable in the banking sector, was announced as part of the 2017-18 Australian Government budget.
The Australian Government then committed to rolling out the new CDR regime in the banking, energy and telecommunications sectors in November 2017. It confirmed that commitment in May 2018, when it released its full response to the Productivity Commission's report of its Inquiry into Data Availability and Use and its response to the Review into Open Banking in Australia 2017.
The Government has foreshadowed that this legislative right may be rolled out in other sectors over time, as recommended in the Productivity Commission's report.
Implementation in the banking sector is due to commence on 1 July 2019.
This article provides a brief overview of the CDR regime and looks at whether the Government is likely to meet this ambitious timetable.
We will be publishing more on the new regime, looking at key issues in greater detail. We are also hosting an International Institute of Communications seminar on 20 November on this topic. Click here for more information and to RSVP.
What is the Consumer Data Right?
The CDR has two key elements:
- the ability for customers, whether individuals or businesses, to require that businesses transfer data held about them either to the relevant customer directly or to an accredited third party
- a requirement for businesses to provide public access to information on specified products that they offer.
The intention of the proposed CDR regime is that, by providing customers with more control over their own data, and making product terms and conditions more transparent, competition in the relevant sector will be improved as businesses are forced to be more innovative, and price conscious, in the products that they offer to their customers.
What legislative change is required?
The legislative changes required for the CDR regime will be implemented via the Treasury Laws Amendment (Consumer Data Right) Bill 2018. The Treasury has undertaken two consultations on the exposure draft legislation, with the second consultation including the designation instrument for the application of the CDR to the banking sector. The second consultation period closed on 12 October 2018.
Key elements of the proposed legislation are:
- amendments will be made to the Competition and Consumer Act 2010 (Cth) (CCA) to provide for the creation of the CDR, the accreditation regime for proposed accredited data recipients and to allow specific sectors to be designated to participate in the CDR regime
- powers will be given to the Australian Competition and Consumer Commission (ACCC) to determine how the CDR will operate in a given sector, via consumer data rules (which are to be approved by the Treasurer)
- additional privacy safeguards will be implemented to protect consumer data once a request is made to transfer that data to an accredited entity (these can also be supplemented by the ACCC's rules). These protections will be broader than those currently provided in the Privacy Act 1988 (Cth), as there will be greater restrictions imposed on the uses which may be made of the data and, of course, the protections will apply to both individuals and business customers (meaning that the protections are not just limited to "personal information" that is protected under the Privacy Act). The different circumstances in which the Privacy Act and/or the privacy safeguards will apply are still a little unclear, even following the second consultation regarding the proposed legislation
- a Data Standards Chair will be established who will, assisted by a new Data Standards Body (initially Data61), make data standards setting out the format and process by which data needs to be provided to customers and accredited entities
- enforcement powers will be given to the ACCC, other than for the privacy safeguards, where the Office of the Australian Information Commissioner will be responsible for enforcement.
Expectations are that the Bill will be introduced to Parliament this year, allowing the legislation to commence early next year.
Role of the ACCC
The ACCC has a key role in the implementation of the new regime. Reflecting this, the ACCC is also undertaking consultation, notwithstanding that it cannot formally make any CDR rules until the proposed legislation is passed. The ACCC is currently developing, and has undertaken consultation on, a "Rules Framework".
The Rules Framework sets out the approach the ACCC proposes to take in implementing the CDR regime generally though, of course, given that banking is the first sector that will be subject to the CDR, the framework has a banking focus. Notwithstanding that it is stated to be a framework only, the Rules Framework contains extensive detail covering areas from the designation of customers who will be able to take advantage of the regime, the data holders who will be obliged to share data and the nature of the data to be shared to how data may be used, additional privacy rules and how disputes will be resolved (amongst other topics).
Of interest, and potential concern, is that the ACCC has indicated it does not propose to make all rules at the commencement of the regime (which as noted previously is proposed for 1 July 2019) but only those rules that are essential for the initial application of the regime in the banking sector. Further rules will be developed over time. This may mean there are important issues that are not initially dealt with under the rules. This could include, for example, the scope of any reciprocity arrangements (that is, whether an accredited recipient should be obliged to provide to other parties data equivalent to the data it has received, at the request of a relevant customer) and the application of the CDR regime to derived data (that is, data that has been enhanced by the data holder by analysis or other means, whether directly or indirectly).
The ACCC has engaged in a very open process in its consultation on the Rules Framework and has listened to stakeholders. It is expected that the revised framework, when issued, will reflect the input that it has received.
Will Australia be ready?
It seems very likely, given the interim Data Standards Chair has been appointed and the Data Standards Body established, as well as the advanced stage of the consultation processes for both the legislation and the ACCC's Rules Framework, that the CDR regime will be ready for implementation in the banking sector from 1 July 2019. At that time it will apply only to the four major banks and a limited class of products, but will be implemented progressively for other applicable banks and products. The banking sector will need to continue to work quickly to develop the necessary systems to ensure it is also ready to implement the CDR regime.
This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.