The new Consumer Data Right (CDR) - Issues and opportunities - Data Protection

Businesses who hold data about consumers need to be aware of a number of significant changes arising from the proposed new Consumer Data Right (CDR). The proposed legislation has been released for public comment, and may be altered depending on submissions received by the Government and further Government analysis. It is clear from the Government's position, however, that a new CDR right will come into effect in Australia.

The new CDR is intended to come into effect on 1 July 2019 for participants in the banking sector, however it will soon after be implemented in the energy and telecommunications sector, with other sectors to follow.

The reference to 'sectors' is a little generic – the CDR will more so apply to particular classes of entities and particular datasets that will be designated by the Federal Government.

At its core, the CDR allows a consumer to obtain certain data held about that consumer by a third party and to enable that data to be given to certain accredited third parties for certain purposes (including to enable comparisons between services to be made).

ISSUES AND OPPORTUNITIES

While the mantra of the new CDR is all about consumer choice and competition, there are some potentially significant imposts which could have substantial compliance cost impacts on the data providers and could impact on data innovation.

At the same time however, there are opportunities for organisations to provide services and products that support and enhance consumer choice through the innovative use of what were previously difficult to obtain and valuable datasets.

Below are some of the significant issues and opportunities that may arise for organisations as a result of the proposed CDR:

Business information – the CDR applies to any type of consumer who is seeking information. It is not limited to individuals. In the words of the explanatory materials to the CDR "the CDR consumer is a person, including a small, medium or large business enterprise...". Potentially, large business organisations can obtain data about the use of a particular service from a service provider and transfer that information to a competitive service provider. While there are 'privacy safeguards' in place, it is unclear how confidential and sensitive information will be dealt with.
Not limited to personal information – as is evident by the fact that businesses can obtain information about their use of a particular service, individuals can obtain data about their use of the service and that data does not need to be 'personal information' as defined in the Privacy Act. In other words, the data does not have to be information from which the identity of the individual can be identified. All it needs to be is information that 'relates to' the consumer. This potentially broadens the field of data that must be made available to the consumer. The extent of that requirement will need to be set out in the yet to be promulgated 'Consumer Data Rules'. The ACCC is planning on releasing the Consumer Data Rules for the banking sector in the week of 10 September 2018.
Privacy safeguards – while they are very similar to aspects of the Australian Privacy Principles, there are a new set of principles called the Privacy Safeguards that need to be adhered to when it comes to CDR data. Organisations will need to be set up so that they can properly deal with the requirements of the Privacy Safeguards in the same way that they have been geared up to deal with the Australian Privacy Principles. This may necessitate keeping CDR data segregated from other business data so that the specific requirements of the Privacy Safeguards can be complied with. If an organisation is also subject to the EU General Data Protection Regulation (GDPR), this could potentially mean having three sets of segregated data which cannot be mixed.
Technical requirements – because consumers will be able to request that their Consumer Data be transferred from a data holder to an accredited organisation under the CDR, the data holders need to have their systems set up to be able to deal with this transfer of data. This raises two issues for data holders:
- the nature of the systems that have been established to allow this transfer to occur and what changes need to be made to them; and
- the format and nature of the data that is required to be transferred.
The latter is to be specified initially by Data 61 which is the inaugural Data Standards body.
Contractual obligations – as we've seen with the Australian Privacy Principles and most recently with the GDPR, we can expect to see organisations placing contractual obligations on their service providers to give effect to those organisation's obligations under the CDR. Get ready for another round of contractual amendments.
Value added information – CDR data that needs to be shared includes information that is 'directly or indirectly derived' from the CDR data. Where a company has augmented customer data with its own information to create unique insights in relation to a consumer, this would potentially need to be shared. This may be seen by some to potentially impact on innovative data applications.
Third Party datasets – CDR data could potentially include third party data sets which the data holder may not have rights to share. It is contemplated that there may be compensation where an organisation is compelled to disclose proprietary data as part of the CDR arrangements, but the process of valuing this data is yet to be outlined.
Reciprocity – the concept of 'reciprocity' refers to the fact that if an organisation wants to be the recipient of CDR data (that is, if it becomes 'accredited') , it should also be required to share data that it holds to other recipients. It's not entirely clear how this concept will operate where the recipient doesn't hold data which falls within one of the relevant datasets that has been designated for a sector e.g. a comparison service.
Consent – the precise details of what will be required for a consumer to 'consent' to disclosure are still to be worked out and will be set out in the Consumer Data Rules. It may be that the consent requirements for CDR Data will be different from consent and related notice requirements under the Privacy legislation.
Accreditation – the ACCC is finalising its position paper on the requirements that organisations must meet in order to become accredited to receive CDR data. In addition to the principle of 'reciprocity' referred to above, another interesting thing on 'accreditation' is that those organisations who may have been exempted from complying with Australia's Privacy Principles in relation to 'personal information' (e.g. small business operators) will lose that exemption if they become accredited under the CDR scheme.

We will provide further updates as the Government issues the Consumer Data Rules and responds to submissions and industry reaction.

The above is only a general outline of some of the key features of the proposed CDR regime. It should not be taken as an expression of the definitive position given the draft nature of the proposed legislation and the fact that comment is still being sought.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.