The consumer data right regime is here - what do you need to know?

In an effort to improve consumers’ ability to compare and switch between products and services, and to drive competitiveness and innovation between service providers, a new consumer data right (CDR) has been introduced.

The new CDR requires suppliers to provide their customers with access to customer data and, on request, to share that information with alternative suppliers. Suppliers are also required to make certain product data publicly available.

The CDR will initially only apply to the banking sector (so-called 'open banking'), but the government has flagged its future application to other sectors, including energy and telecommunications.

The legislation (the Treasury Laws Amendment (Consumer Data Right) Bill 2019) amends the Australian Information Commissioner Act 2010 (Cth), the Competition and Consumer Act 2010 (Cth), and the Privacy Act 1988.

What is the CDR regime?

The CDR Bill establishes the right for consumers to direct a supplier to share designated data about the consumer with another supplier or with the consumer themselves. The supplier is also required to make certain generic product data publicly available.

The regime is designed to give consumers greater control of their personal information and to make it easier to compare services or switch to a new provider. The goal is to drive competitiveness and innovation between businesses in the sector.

The CDR regime will initially apply to the banking sector, with other sectors such as energy and telecommunications, to follow.

Regulatory framework

The CDR Bill sets up an underlying regulatory framework made up of:

• Legislation;
• Rules; and
• Technical Standards.

The Australian Competition and Consumer Commission (ACCC) is responsible for developing rules which set out the operation of the CDR across designated sectors. On 29 March 2019 the ACCC released an exposure draft of the rules for consultation.

In addition to rules, the Consumer Data Standards body, supported by Data61 (part of the CSIRO), is tasked with developing technical standards which specify how CDR data is to be shared via application programming interfaces (APIs) with organisations accredited by the ACCC. The Consumer Data Standards team has been working closely with the ACCC (as lead regulator) and the Office of the Australian Information Commissioner (OAIC).

The OAIC has recognised significant implications for the handling of individuals' personal data and the importance of ensuring that a strong framework for protecting privacy is in place. This is important not only for protecting consumer personal data, but also for maintaining public confidence in the CDR regime.

Working groups have been established to support Data61 to design and test the open standards. Input from the specially formed Advisory Committee alongside draft guidance materials, API specifications and implementation materials are being shared on the Consumer Data Standard's Body's website and on GitHub.

What's next?

The open banking regime is underway already with the Government having launched its pilot program with the big four banks (Westpac, CBA, ANZ and NAB) on 1 July 2019. The big four were required to make generic product data available on credit and debit cards, transaction and deposit accounts to start the process of testing the performance and security of the CDR regime as it relates to open banking. Formal commencement of open banking will occur once the open banking designation instrument (where the banking sector will be a designated sector) is issued.

Formal implementation of the CDR Bill is expected to begin in February 2020 with the big four banks being required to provide CDR data on mortgages, credit and debit cards, transaction and deposit accounts. Other banks and financial institutions will be required to comply from July 2020 onwards.

What do you need to do?

Businesses in the banking, energy and telecommunications sector should be thinking about the following:

• Keeping up to date with changes, including the rules to be issued by the ACCC.
• Considering whether they will be required to comply with the CDR regime Those in the energy and telecommunications sectors should be closely watching how things unfold with open banking.
• Considering how to best leverage CDR data and position themselves in the market as a business that proactively engages with customers.
• Developing consumer and employee awareness campaigns and thinking about how to train staff to comply with the new laws.
• Reviewing and updating internal systems to ensure compliance (and functional capability), including establishing procedures for how to handle and respond to customer requests for access to, and transfer of CDR data.