19 September, 2018
What you need to know
Today the Australian Competition and Consumer Commission (ACCC) released the consumer data right rules framework, which identifies the rules the ACCC considers to be essential for the commencement of the consumer data right on 1 July 2019.
Key points include:
- the framework does not list specific rules but instead outlines the high-level positions the ACCC proposes to take when making the rules upon commencement of the consumer data right
- the ACCC has invited submissions to help shape the specifics of the rules with a view to publishing the draft rules in December 2018
What are the consumer data rules?
The exposure draft of the consumer data right legislation assigned the significant role of determining the consumer data rules to the ACCC. The rules are intended to regulate the application of the new consumer data right to each designated sector of the economy. It is envisioned that the rules will initially apply to the banking sector, then the energy and telecommunications sectors and subsequently to other sectors of the economy.
While the ACCC cannot make the consumer data rules until the consumer data right legislation commences and the Treasurer has designated a sector to which the rules will apply (expected to be 1 July 2019 for the big four banks), the ACCC has released the framework to seek input from the public on what should be included in the first version of the rules. It has foreshadowed that there may be multiple iterations of the rules, giving the ACCC more time to work through some of the more complex issues.
The framework explains that the ACCC intends to make rules relating to:
- how data is to be shared between accredited data holders and data recipients
- who may take advantage of the consumer data right
- who is obliged to share data under the regime
- what data is within the scope of the regime
- the accreditation process and outsourcing
- the register of accredited entities
- consumer consents
- the authorisation and authentication process
- the provision of data to consumers
- the making of generic product data available
- how data can be used
- the application of privacy safeguards
- reporting and record keeping
- dispute resolution
- data standards (which must then be followed by the Data Standards Body)
Important rules to consider
Some of the important rules the ACCC proposes to make include:
- requiring accredited data recipients to obtain a consumer's 'freely given' consent to the collection and use of specified data for specified purposes and for a specified time
- requiring the request for a consumer's consent to be unbundled from other requests for consents such as those contained in a privacy policy or terms of use
- prohibiting consumer data from being on-sold or used for direct marketing
- at the time of seeking a consumer's consent, requiring a data recipient to disclose to the consumer, without ambiguity, how the consumer's data will be used
- requiring an accredited data recipient that enters into an outsourcing arrangement involving the disclosure of consumer data to ensure it has in place appropriate plans and processes to manage risks arising from that outsourcing arrangement, and to ensure that it is able to meet its obligations under the consumer data right regime
- requiring an accredited data recipient to only collect, use and share a consumer’s data where it has obtained that consumer's consent
- allowing for the enforcement of the consumer data right against foreign entities by requiring those entities to appoint local agents that are liable for their principal's actions
- where a decision is made to revoke accreditation, requiring the relevant data recipient to delete consumer data
- requiring data holders, like accredited data recipients, to have a system in place allowing consumers to manage their authorisations easily
- excluding data that results from 'material enhancement' from the scope of the regime
What's missing?
The ACCC will not address all potential issues in the first version of the rules. Instead, the ACCC proposes to only make rules on the matters it considers essential for the commencement of the consumer data right for the banking sector on 1 July 2019.
Some issues the ACCC proposes not to address in the first version of the rules include:
- the meaning of 'equivalent data' for the purposes of the reciprocity regime proposed in the Review into Open Banking, under which accredited data recipients must also make equivalent data available
- rules in relation to privacy safeguard 10, which requires participants to take reasonable steps to ensure data is accurate, up-to-date and complete at the time of disclosure
- identity verification assessments, which cannot be fully considered until certain anti-money laundering laws are reformed
- participation by former customers and offline banking customers, who will not be able to participate in the consumer data right regime for the first 12 months, although further iterations of the rules may provide for this
- which of the proposed rules will attract the civil penalty provisions if breached (although the ACCC notes its current position is that all rules imposing obligations on data holders or accredited data recipients will be civil penalty provisions)
Open Banking
While the ACCC has taken the Review into Open Banking as a 'reference point', it has not fully reflected the recommendations of that report (which was adopted in full by the Government). The exposure draft of the legislation provides the ACCC with broad powers to make rules in this independent manner. However, only the major banks (ANZ, CBA, NAB and Westpac), excluding their related brands, will be subject to the regime for the first 12 months. Further, the ACCC proposes that, in the first version of the rules, the sharing of the data outlined in the Open Banking review not be subject to fees.
Submissions
The ACCC has invited the public to comment on the framework through written submissions. In particular, submissions are welcomed in relation to:
- how the rules should deal with consents to the disclosure of data tied to accounts with complex ownership structures (eg joint ownership)
- the timeframe for requiring data holders to share data of former and offline customers
- whether metadata about a transaction should be included as transaction data and what benefits to consumers could be derived, or what risks would arise, if metadata were included
- appropriate service level standards in respect of the dedicated API and whether they should be specified in the rules
- the specific rights and obligations that should be imposed in the rules and standards to give effect to the core right for a consumer to directly access their data
- the consent, authorisation and authentication processes as they relate to the transferring of data to other parties such as contractors or intermediaries
Next steps and issues to consider
Organisations with consumer datasets should consider responding to the ACCC's request for submissions on the consumer data right framework in light of the significant implementation and compliance costs associated with the consumer data right regime. Submissions are due by 5pm, Friday, 12 October 2018.
The ACCC will be hosting a roundtable on the framework in Melbourne on 24 September, in Sydney on 25 September, and online on 9 October.
Expressions of interest are due by 5pm, Monday, 17 September.
The ACCC intends to publish the draft rules in December 2018.
For further information, please contact:
Tim Brookes, Partner, Ashurst
tim.brookes@ashurst.com