18 August, 2018
What you need to know
The Federal Government released exposure draft legislation which, if made law, will create a new consumer data right. That right will allow consumers (individuals and businesses) to access, or to direct the transfer to accredited organisations of, certain data held about them by companies. It is intended that the right will be introduced initially in the banking sector (commencing 1 July 2019), then the energy and telecommunications sectors and subsequently to other sectors of the economy. This will occur by the Minister designating sectors of the economy to which the right will apply.
Key points to take from the proposed legislation include:
- The scope of data which is subject to the consumer data right includes data derived from consumer data, such as data to which organisations have added value or applied statistical analysis;
- The proposed legislation sets out the regulatory framework and powers of the ACCC for the implementation of the consumer data right in each designated sector;
- Consumer data rules, as determined by the ACCC, will apply to each designated sector. Much of the detail is to be set out in the rules and none have been released; and
- A number of privacy safeguards applicable specifically to consumer data have been introduced in the proposed legislation, which impose constraints on the collection, use and disclosure of consumer data by participants in the regime for all designated sectors.
What you need to do
The consumer data right is intended to foster competition by allowing competitors of incumbent suppliers access to consumer data which enables analysis for the purpose of offering and supplying tailored products or services.
Given the potential scope, cost and impact of the right, businesses should consider the impact of the proposed legislation on them and whether to submit a response on the proposed legislation or attend a roundtable discussion with the Treasury.
What is the Consumer Data Right?
The proposed legislation sets out the regulatory framework for the creation of a new consumer data right for designated sectors of the Australian economy. The proposed new consumer data right will create a right to access information which a business holds. The right allows not just access to the data but a right to direct the data be transferred to a third party.
Currently, the right is a 'read only' right. That is, it is only a right to receive, or direct the transfer of, a copy of the relevant data. The Government has flagged that it may subsequently extend the right to a 'read/write' arrangement which will allow the relevant third party to transact on a consumer's behalf (for example, to transfer funds from an account).
Who is a consumer?
The consumer data right will be available to be exercised by all individuals, and all companies regardless of size.
Which sectors must make the data available?
The consumer data right will be progressively rolled out on a designated sector by sector basis. The first sector to be subject to the right is the banking sector. The intention is that the four major banks will make initial datasets available by 1 July 2019, with final consumer datasets available by 1 July 2020. All remaining banks will be required to implement the consumer data right requirements 12 months after each of the dates set for the four major banks.
The Government has announced that the next sectors which will be subject to the consumer data right are the energy sector and the telecommunications industry.
The Government has mentioned the possibility of consumers' insurance information and retail loyalty cards being subject to the consumer data right. Each designated sector will be subject to sector-specific consumer data rules that are to be approved by the Treasurer after being developed by the ACCC.
Who must make the data available and at what cost?
The proposed legislation requires that all data holders within a designated sector must disclose designated consumer datasets to accredited data recipients at the direction of the consumer. Essentially it is the entity that generates or collects the initial transaction records or data about a consumer that will be considered the data holder. In addition, the third party data recipients can be required to disclose designated consumer datasets as well.
The proposed legislation has included the possibility for data holders to charge a fee for the disclosure of certain classes of datasets, with the intention of allowing data holders to charge for access to value-added data.
What data must be made available?
Under the proposed legislation, the consumer data which must be disclosed to accredited data recipients includes sector specific designated datasets and any information that is subsequently derived from that data.
The Government has stated its intention for the consumer data to be broader than personal information as defined in the Privacy Act and include metadata and information which is primarily about a good or service if it "relates" to a reasonably identifiable consumer.
Permitted Data Recipients and Accreditation
All organisations which may receive consumer data by direction from a consumer must be accredited by a Data Recipient Accreditor. All persons, including foreign entities, can apply for accreditation. It is intended that there will be different levels of accreditation depending on the risks associated with particular datasets. Under the proposed legislation, the consumer data rules (which have not yet been released) will include the accreditation process and criteria, which may apply sector by sector.
Enhanced Protections for Consumer Data
There will be specific enhancements to a consumer's rights in respect of their data which may be transferred under the consumer data right, including:
- data can only be transferred under the consumer data right at the direction of the consumer;
- consumer data must be handled in accordance with specific consumer data right privacy safeguards;
- the introduction of transfer, security and data standards via a newly created Data Standards Body;
- the extension of the Privacy Act to apply to all accredited data recipients, including small to medium sized enterprises; and
- the creation of offences for misleading or deceptive conduct by persons about their participation in the consumer data right regime and civil penalties for non-compliance with the regime.
The proposed legislation introduces a set of consumer data right privacy safeguards. These apply to accredited data recipients in substitution for the Australian Privacy Principles (APPs), and to data holders, which will be subject to both the APPs and the consumer data right privacy safeguards. Although similar in nature to the APPs, these safeguards provide enhanced protection of consumer data, including that an accredited data recipient may only collect consumer data if a consumer has requested them to do so, and that an accredited data recipient must not use or disclose any consumer data unless the consumer has consented to that use or disclosure, or the use or disclosure is authorised by law (other than the APPs). The safeguards also require organisations to destroy or de-identify consumer data, including derived data, if they are no longer using the consumer's data for the purpose for which they had received that data.
Consents to Consumer Data Use
While consumers will be free to determine how their own transferred data is used and disclosed, they will need to provide consent to those uses and disclosures. The proposed legislation envisages that the consumer data rules will cover the requirements for consent to be validly given, although the Government has stated that it expects that consent must be express. The consent process is intended to be structured to ensure that consumers understand what it is they are consenting to. It may be the case that some uses or disclosures will require further conditions to be met under the consumer data rules including for:
- use of the data for marketing by accredited data recipients;
- on-sale of the data; and
- transfers of the data overseas.
Regulatory Structure
The consumer data right will be implemented by amendments to the Competition and Consumer Act and the Privacy Act. It is intended there will be three regulatory bodies:
A. The ACCC, which will:
- advise the Treasurer which sectors of the economy should be designated for a consumer data right;
- have rule-making responsibilities setting out the required functionality of the right in each sector;
- set accreditation criteria and processes for data recipients, and manage the accreditation register;
- certify technical data standards as meeting the requirements for the consumer data right; and
- take enforcement action in relation to serious or systemic breaches of the consumer data right;
B. The Office of the Australian Information Commissioner, which will:
- have primary responsibility for complaint handling; and
- handle complaints from individuals and small to medium sized enterprises or direct them as applicable to the relevant external dispute resolution body, ACCC or other regulator;
C. A Data Standards Body (initially Data61), which will:
- set technical standards relating to transmission of data, data format and security of data. The proposed legislation states that these technical standards will operate as a multilateral contract between consumer data right participants.
Next Steps and Issues to Consider
The Government is inviting submissions on the exposure draft legislation. All organisations with consumer datasets should consider responding to the proposed legislation, given that it imposes significant cost and implementation issues for any organisation subject to this right. Even if organisations are not participating in one of the three sectors designated for initial implementation, they should consider submitting a response which evaluates the regulatory impact and costs that the consumer data right regime could have if applied to their sector. Responses are due by 7 September 2018. Before responding, organisations may also consider attending roundtables that will be held by the Treasury (with an expression of interest required by Monday, 20 August). Further information on how to respond to the draft legislation and the roundtables can be found on the Treasury's website.
For further information, please contact:
Tim Brookes, Partner, Ashurst
tim.brookes@ashurst.com