MAIN STORY – By Contributing Editor Leon Spencer
The Australian competition watchdog is calling for feedback from businesses, consumers and community organisations after releasing the draft rules for Australia’s Consumer Data Right (CDR) regime.
The core aim of the CDR is to give consumers the ability to easily obtain access to the data held on them by relevant service providers and have it transferred to other service providers at their request.
While the CDR is set to begin with the banking sector, the Government will subsequently roll it out in the telecommunications and energy sectors.
The draft exposure of the Competition and Consumer (Consumer Data) Rules 2019 [PDF], published on 29 March by the Australian Competition and Consumer Commission (ACCC), essentially kicks off a public consultation process that is set to inform the continued development of the rules and the future Privacy Impact Assessment of the Rules.
“We… know there are a number of privacy advocates, consumer organisations and others who will be very interested to see these draft rules, and we welcome views,” ACCC Commissioner Sarah Court said.
The freshly published draft rules outline three ways in which CDR data can be requested: product data requests, consumer data requests made by CDR consumers and consumer data requests made on behalf of CDR consumers.
Product data requests enable any person to request a data holder to disclose CDR data relating to products offered by that data holder. It should be noted that such a request would not be able to be made for CDR data that relates to a particular identifiable CDR consumer.
The draft rules stipulate that for product data requests a data holder must provide an online service that can be used to make product data requests. Such a service must enable requested data to be disclosed in machine-readable form while conforming with data standards.
Consumer data requests made by CDR consumers, meanwhile, see a CDR consumer directly request a data holder to disclose CDR data that relates to them. This kind of request is to be made using a specialised online service provided by the data holder, and the data is to be disclosed in human-readable form.
Consumer data requests made on behalf of CDR consumers enable a consumer to ask an accredited person to request a data holder to disclose CDR data relating to that individual. In this scenario, the accredited person is only able to collect and use CDR data in order to provide goods or services under a CDR contract with the consumer.
For consumer data requests, data holders need to provide an online service that can be used by CDR consumers to make consumer data requests directly. This needs to allow a request to be made in “a manner that is no less timely, efficient and convenient than the online services that are ordinarily used by customers of the data holder”.
Data holders also need to provide an online service – a consumer dashboard – enabling requests to be made via an accredited person on behalf of another individual. This service must enable requested data to be disclosed in machine-readable form.
Under the privacy safeguards outlined in the draft exposure, an accredited data recipient’s CDR policy needs to contain a list of the outsourced service providers, both in Australia and overseas, and details about the nature of services provided by those providers, along with the classes of CDR data that may be disclosed to those service providers.
To ensure data remains safe, an accredited data recipient needs to have processes in place to limit the risk of inappropriate or unauthorised access to its CDR environment. These include multi-factor authentication, restriction of administrative privileges and limited physical access, among other things.
In addition to the proposed rules dictating consumer data requests, product data requests and privacy safeguards, the 99-page draft document also covers draft rules around dispute resolution, data standards, how to become an accredited person for the purposes of CDR matters and more.
According to Court, the ACCC is continuing to work through several important issues, such as guidance for potential data recipients on the requirements for accreditation, and the operation of a pilot that is scheduled to begin in July 2019.