Australia's Consumer Data Right (CDR) officially launched on July 1 with the first tranche, an open banking-like regime, requiring financial services providers to share a customers' data when requested by the customer.
While the first tranche of the CDR applies to the financial services industry, energy and telecommunications will soon join the regime.
Data can only be shared with accredited data recipients (ADRs). But of concern to Australian Information and Privacy Commissioner Angelene Falk is that "big tech" has the ability to apply for ADR status.
"It's currently open to large technology and social media companies to apply to be accredited as data recipients in the CDR scheme, however, I understand that none are currently accredited and I'm not aware of any specific use cases as to why they may wish to engage, so in a sense, I'm speaking in the abstract," she said.
Appearing before the Senate Select Committee on Financial Technology and Regulatory Technology on Friday, Falk said one of the strong protections in the CDR system is consumer consent and the ability for individuals to exercise choice and control about how their data is handled.
She's concerned that this may also give the technology giants access to more data than they already have.
"I think because of the rich data holdings that are held by some of the social media platforms, care would need to be taken to ensure that individuals understand what they're consenting to if their Consumer Data Right information were to be combined with that [which is] perhaps is on their social media profile," Falk said.
"Some of the risks I think are around the insights that could be derived from that information and it could include sensitive information and be used in ways that individuals might not expect."
She pondered whether the committee consider that a digital platform should have access to all data, or whether there be a condition that it not be combined with sensitive data the organisation may already hold.
"There's other issues around the use of algorithms and artificial intelligence in the combining of data that may lack transparency for consumers and be difficult to explain … [they are] some of the challenges with having fully informed and freely given consent when you enter into very complex data handling arrangements," she added.
Individuals have the ability to make a complaint if they feel that their personal information has not been handled in accordance with the legislative requirements, and the OAIC has had 20 "contacts" in relation to the CDR system.
"We have a triaging role so that consumers who are engaging in the system don't need to navigate government in order to make a complaint or make an inquiry, so they'll come to our office and we'll triage them to the appropriate entity," deputy commissioner Elizabeth Hampton explained.
She said of those 20 contacts, the OAIC has had two complaints and eight inquiries for its office; and nine inquiries and one "report" that have been sent to the ACCC.
While those numbers are low, Falk said they reflect the number of people engaged in the system, expecting the number to grow alongside scheme uptake.
MORE FROM THE OAIC
- ACCC and OAIC promise to put consumers at the centre of CDR enforcement
- OAIC wants stronger enforcement powers in Australia's revamped Privacy Act
- 519 data breach notifications include 33 from Australian government entities
- OAIC asks Home Affairs to create 'information champ' role for overseeing FOI requests
- OAIC has fielded zero complaints and received no reported COVIDSafe breaches
- OAIC orders Home Affairs to compensate asylum seekers over data breach