The Treasury Laws Amendment (Consumer Data Right) Act 2019 (CDR Act) became law in Australia on 13 August 2019.
The CDR Act stems from a 2017 Australian Government Productivity Commission inquiry into:
the recent growth in data generation (by some estimates, the amount of digital data generated globally in 2002 (five terabytes) is now generated every two days, with 90% of the world’s information generated in just the past two years);
the collection of data through everyday activities, transactions, the Internet and technologies such as mobile devices, sensors and cameras; and
how better access to and use of data can benefit consumers, the community, business and government.
Given some of the outcomes and recommendations of the inquiry, the CDR Act implements new laws relating to rights associated to consumer data, which the CDR Act refers to as the ‘Consumer Data Right’. The Consumer Data Right regime is intended to, among other things, give individuals a right to efficiently and conveniently access specified data about them held by businesses and service providers in various sectors (Data Holders). This is so that individuals can direct how their data is shared with others, for example by choosing how they share their data with certain accredited data recipients (Accredited Data Recipients) in order to find more competitive products or services based on data on existing products or services they use.
The Consumer Data Right regime will apply to sectors of the Australian economy that have been designated in accordance with the CDR Act. The Government has indicated that the banking sector will be the first sector to which the Consumer Data Right will apply (also known as Open Banking). The big 4 Australian Banks (i.e. ANZ, CBA, NAB and Westpac, with other banking institutions to follow in due course) must provide individuals with access to their data that is held in respect of their credit and debit cards, deposit accounts and transaction accounts. Over the next 2 years banks will also be required to provide access to data on other financial product data.
Please refer to the Treasury’s webpage on the Consumer Data Right for further details on the proposed timetable for implementing the Consumer Data Right regime and Open Banking in Australia: https://treasury.gov.au/consumer-data-right/
The Government has indicated that the energy and telecommunications sectors will be the next sectors to follow and, eventually, the Government intends that the Consumer Data Right regime will be rolled out to other sectors in the Australian economy.
Who regulates the Consumer Data Right regime?
The Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC) will work together to regulate conduct under the Consumer Data Right regime.
The ACCC will mainly be responsible for matters such as the designation of new sectors to which the Consumer Data Right will apply, the establishment of the Consumer Data Right Rules (CDR Rules), accreditation of Accredited Data Recipients and the creation and maintenance of a register of Accredited Data Recipients and Data Holders. The ACCC published the CDR assurance strategy for the banking sector on 29 August 2019. This assurance strategy provides a summary of the ACCC’s testing and assurance scope and approach for ensuring a safe environment for sharing consumer data by consent and ensuring that consumer data rights are protected: https://www.accc.gov.au/focus-areas/consumer-data-right-cdr-0/cdr-assurance-strategy-banking
The CDR Rules will also govern the implementation of the Consumer Data Right in a sector. The ACCC published a “lock down” version of the CDR Rules for the banking sector on 2 September 2019, which will be provided to the Treasurer for consent: https://www.accc.gov.au/focus-areas/consumer-data-right-cdr-0/cdr-rules-banking
The OAIC will lead on matters relating to the privacy implications of the Consumer Data Right regime, including compliance with new “Privacy Safeguards” under the regime, which will have stricter requirements than the Australian Privacy Principles under the Privacy Act 1988 (Cth).
A data standards body will also be established to assist with making data standards, which will set out the format and process by which data will need to be provided to consumers and Accredited Data Recipients within the Consumer Data Right regime. Data61 (part of the CSIRO) is currently undertaking this data standards role.
Updates to legislation
The CDR Act implements the news laws by amending legislation that is currently in force in Australia. A high-level summary of these amendments is as follows:
The Competition and Consumer Act 2010 (Cth) is amended to include a new Part IVD relating to the Consumer Data Right, and consequential amendments relating to the Consumer Data Right concepts generally.
The Australian Information Commissioner Act 2010 (Cth) is amended to:
ensure that the OAIC and the Information Commissioner’s privacy functions extend to the Consumer Data Right regime; and
ensure that the OAIC is able to disclose information to and advise the body that will be responsible for accrediting Accredited Data Recipients.
The Privacy Act 1988 (Cth) is amended to provide a mechanism for accessing a broader range of information within the designated sectors compared to what is provided for in Australian Privacy Principle 12 (which allows individuals to access personal information about themselves). The Consumer Data Right applies to data that relates to individual consumers as well as business consumers, and provides access to information that relates to products.
For more information on the CDR Act and Consumer Data Right, please contact:
Mike Jeffery, Director, on M: +61 (0)402 745 054 or E: firstname.lastname@example.org
Samantha Khoo, Senior Associate, on M:+61 (0)422 190 433 or E: email@example.com
 Australian Government Productivity Commission Inquiry Report, ‘Data Availability and Use - Overview and Recommendations’ No. 82, 31 March 2017 (page 4) https://www.pc.gov.au/inquiries/completed/data-access/report/data-access-overview.pdf