What's the issue?
The Consumer Data Right (CDR) is about mobilising consumer transaction data (not just consumer data) in the banking, energy and telecommunications sectors. It will allow service providers in this industry to provide this data to competitors at the request of consumers and businesses.
The CDR legislation, which passed the Australian parliament on 1 August 2019, is inspired, in part, by the General Data Protection Regulation's data mobility requirements introduced in the EU in 2018.
The banking sector is first off the blocks with energy and telco industries to follow.
The really interesting point to note about CDR data is that it captures more than just personal information. CDR data will capture customer data, customer name, contact details, account details, transaction data (including opening and closing balances and dates of transactions), and product data.
The CDR is designed to improve the flow of information in the economy and encourage the development of products that are customised to individual needs. The hope is that this will drive data driven growth and create a stronger economy.
Why is it important?
The CDR is important because it will be a legal requirement for service providers in affected industries and consumers and businesses will come to expect it.
The penalties are serious being up to AUD$420,000 for individuals (or AUD$2.1 million for businesses) and may be imposed for misleading conduct relating to the transfer of CDR data or breaches of the new Privacy Safeguards.
How can businesses get ready to not only comply but perform data transfers?
The CDR was supposed to take effect from July 2019 and the banks are pushing ahead with the pilot phase even though the commencement date has been delayed.
Australia's big four banks, which dominate 80 per cent of the market, will have a huge impact on how open banking will look for Australia through their participation in the pilot program.
The legislation was passed by the Senate on 1 August 2019, however formal implementation is expected to begin in February 2020 which will require banks to make product and consumer data for mortgage accounts available.
If the Australian Competition and Consumer Commission is confident in the framework at this point, the banks will be required to publicly share consumer data about credit and debit cards, deposit accounts and transaction accounts, paving the way for the open banking regime.
So what next? Those in the banking, energy and telco sectors should prepare by:
- staying up to date on any revisions to the regulatory framework throughout the pilot program, including rules issued by the ACCC
- reviewing and considering whether your organisation will fall within the remit of the new laws and what consumer data will be affected
- planning a framework for compliance and establishing procedures for handling customer requests for CDR data transfers and drafting corporate governance policies to govern them
- training your staff on how to comply with the new laws
- considering the advantages and disadvantages to your business due to the CDR scheme and the impact of ensuring compliance with the requirements set by the relevant regulators.
This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.