A new Consumer Data Right will take effect from July 2019, first in the banking sector then in the telecommunications and energy sectors. David Smith outlines the Consumer Data Right and all the pieces that need to come together in the coming months in order to implement this reform.
Banking: the first industry subject to the new Consumer Data Right
Australia’s banks, starting with the four major banks, will be subject to a new “open banking” regime under the Commonwealth Government’s “Consumer Data Right” reforms with effect from 1 July 2019.
The Government’s objective is to promote competition, choice and innovation. For example, it should become easier for a consumer to change banks because they will be able to tell their current bank to provide their data to other banks or comparison services.
The timetable is ambitious. The chair of the banking regulator APRA, Wayne Byres, said in a speech last week that “significant investment [by the banks] will be needed to meet the new obligations”.
What is the Consumer Data Right?
The Government has released exposure draft legislation that will amend the Competition and Consumer Act 2010 to implement a new Consumer Data Right.
The key requirement will be that at a consumer’s direction, a data holder (for example a bank) must electronically share the consumer’s data with:
“Consumer” in this context will have a broad meaning and will include small, medium and large businesses as well as individuals.
A register of accredited data recipients, who have put in place suitable security and privacy protections, will be established.
The data holder will also have to make certain generic product data publicly available.
Implementation: banking, then telecommunications and energy sectors
The Consumer Data Right will be implemented in the banking sector first, starting with the “big four” banks. The right will apply in relation to credit and debit card data, deposit data and transaction account data from 1 July 2019, and mortgage data from 1 February 2020.
All other Authorised Deposit-taking Institutions, as defined in the Banking Act 1959, will follow so that “open banking” is in full operation by 1 July 2020.
This follows the implementation of an open banking regime in the UK which commenced in January 2018.
The Government has committed to making the telecommunications and energy sectors subject to the Consumer Data Right – these will follow the banking sector. The legislation is flexible enough to allow for the Consumer Data Right to be implemented in virtually any sector of the economy that the Government may designate in future.
The Government will be required to consult with the ACCC and the Office of the Australian Information Commissioner before designating a sector that will become subject to the Consumer Data Right.
Consumer data rules and consumer data standards
The ACCC is empowered to make “consumer data rules” for each sector that is subject to the Consumer Data Right. These rules will be very important in fleshing out how the Consumer Data Right will work in practice – for example, how a consumer may make a data request and how an entity must disclose the data. The ACCC will have to do a great deal of work to get these rules ready for the banking sector. In the meantime it has released a Consumer Data Right Rules Framework which describes, in principle, how it will approach preparing the rules.
Data sharing will be required to occur through an API (an Application Programming Interface that allows systems to talk to each other), to be implemented under standards being developed by the Data Standards Body to be appointed under the legislation. The Data Standards Body will, at least initially, be Data61, which is part of the CSIRO.
Privacy and data security
Under the legislation, data recipients must adhere to privacy safeguards that are broadly similar to the Australian Privacy Principles (APPs). In relation to Consumer Data Right data, they need not comply with the APPs themselves.
Data holders will remain subject to the APPs – most of the Consumer Data Right privacy safeguards will not apply to data holders.
The Office of the Australian Information Commissioner will promote compliance with the privacy safeguards and be able to make guidelines about them. Amongst other powers, the Information Commissioner will be able to seek civil penalties for a breach of the privacy safeguards.
Entities subject to the Consumer Data Right regime will be required to participate in an external dispute resolution scheme, which the ACCC proposes will be the Australian Financial Complaints Authority (AFCA). However, only smaller consumers, and not larger businesses, will be able to take a dispute to the AFCA.
For example, an individual or small business in a dispute with a bank about access to data under the Consumer Data Right regime will be able to take the dispute to the AFCA.
Consultation on the draft legislation
Following consultation on a first exposure draft of the legislation to implement the Consumer Data Right, the Government has now issued a second stage of exposure draft legislation which takes into account feedback from the consultation process. Comments on this are invited until 12 October 2018.
The legislation, including any amendments coming out of the further consultation process, is expected to be introduced before the end of 2018.
The banks and the regulators will be working very hard in the coming months to have everything in place for the Consumer Data Right regime to start operating from 1 July 2019.
David Smith, Partner