On 30 September 2020, the Australian Competition and Consumer Commission (ACCC) released a further consultation paper concerning the continued expansion and development of the Consumer Data Right (CDR) regime.
The consultation paper accompanies an Exposure Draft with proposed amendments to the Competition and Consumer (Consumer Data Right) Rules 2020 (Rules), which aim to facilitate participation in the CDR ecosystem by a broader range of entities and to promote a flexible, dynamic and effective regime for sharing consumer data.
The ACCC sought public submissions on several proposed amendments, including:
- New restricted accreditation levels with lower barriers to participation
- Further Combined Accredited Person (CAP) arrangements, allowing restricted and unrestricted parties to work together and facilitating data transfer between accredited parties
- Permitting disclosure to non-accredited persons, with consumer consent, including disclosures to ‘trusted advisors’ and disclosures of ‘CDR insights’
- Extending the CDR to companies and partnerships, as well as to individuals authorised to transact on accounts of other individuals
Consumer Data Right
The CDR, first announced in November 2017, aims to give consumers greater access to, and control over, the personal data held by institutions.1 The Australian Government sees the CDR as central to driving competition in the market for key services, including by making it easier for consumers to compare offerings and switch between providers.
So far, the CDR has been only rolled out to the banking sector, with energy and telecommunications set to follow. However, incremental rollout and slow uptake has meant that the expected impact of the CDR has yet to crystallise—at the time of writing, only six CDR data recipients have been accredited.
Accordingly, a key focus of the new proposed amendments is to make the CDR regime more accessible, flexible and user-friendly, and to facilitate broader participation in the CDR ecosystem.
Key features of proposed CDR developments
New accreditation levels
Accreditation is a central part of the CDR regime, ensuring that those dealing with sensitive consumer data have adequate information security safeguards in place. However, as the CDR ecosystem has gone live it has become clear that the criteria for unrestricted accreditation are onerous, and appear likely to prevent smaller players from participating in the CDR regime.2
To support the participation of entities who may find it difficult to meet the requirements for unrestricted accreditation, the ACCC has proposed three new kinds of restricted accreditation:
- Limited data restriction: Access to CDR data is limited to particular data clusters (e.g. bank accounts, payees, regular payments and basic customer data).
- Data enclave restriction: CDR data may only be accessed within an unrestricted Accredited Data Recipient’s (ADR) data environment (i.e. a data ‘enclave’).
- Affiliate restriction: An unrestricted ‘sponsor’ certifies that it has a commercial relationship with the restricted ‘affiliate’ and that the affiliate meets relevant accreditation criteria. The affiliate then only has access to CDR data collected by the sponsor.
The aim of these new levels is to lower barriers to participation in the CDR ecosystem (by paring back the accreditation criteria to a smaller subset of requirements) while maintaining appropriate security measures commensurate with each level’s particular risk profile.
Cooperation and data transfer between accredited persons
The proposed amendments also include expanded arrangements to allow accredited parties to work together and share CDR data securely and efficiently. This will build on the Combined Accredited Person (CAP) arrangements that allow outsourced service providers and intermediaries to collect, use and disclose CDR data on behalf of an accredited principal.3
Under the proposed amendments, the CAP arrangements will extend to a further two scenarios, in tandem with the new restricted accreditation categories:
- Data enclave accreditation: Mandatory for the restricted person to enter into a CAP arrangement with an unrestricted ‘enclave’ provider.
- Affiliate restricted accreditation: Optional for an affiliate to enter into a CAP arrangement with their unrestricted sponsor, who will collect data on their behalf.
The proposed amendments will also allow ADRs to transfer CDR data between one another, with consumer consent, to offer goods and services to consumers.
Disclosure to non-accredited persons
Currently, consumers can consent to ADRs disclosing CDR data either to the consumer directly, or to outsourced service providers. However, consumers often wish to share their data with others, for various purposes. The proposed amendments will allow consumers to request disclosure to certain non-accredited persons:
- ‘Trusted advisors’: ADRs will be permitted to disclose CDR data—with consumer consent—to the consumer’s accountant, lawyer, tax agent, financial advisor, and others.
- ‘CDR insights’: Consumers will be able to consent to the disclosure of ‘CDR insights’ to any person—datasets derived from their CDR data with a consumer identifier, but which would be de-identified if that identifier was absent.
The ACCC has proposed a further suite of changes aimed generally at extending the CDR to more consumers, such as non-individuals (e.g. companies and partnerships) and individuals authorised to transact on accounts of other individuals (e.g. secondary card holders).
Other proposed changes will facilitate improved consumer experience, including around data sharing, consent and withdrawal processes.
Public submissions closed on 29 October 2020, which will be considered by the ACCC as it finalises the proposed changes. The ACCC currently intends to amend the Rules in December 2020.
Facilitating the participation of a broader range of players in the CDR ecosystem, and providing greater choice to consumers about how and with whom they share their data, are key steps towards realising the full benefits of the CDR regime.
- For more information on the CDR, visit our dedicated CDR hub
- We explain these criteria in our article on CDR accreditation.
- See our earlier article on accredited intermediaries in the CDR ecosystem