The Australian Competition and Consumer Commission (ACCC) on Friday released a draft document detailing the rules that would guide the implementation of the nation's new Consumer Data Right (CDR).
The CDR will allow individuals to "own" their data by granting them open access to their banking, energy, phone, and internet transactions, as well as the right to control who can have it and who can use it.
The draft rules [PDF] laid out three ways to request CDR data: Product data requests, consumer data requests made by CDR consumers, and Consumer data requests made on behalf of CDR consumers.
A product data request will allow any individual to request CDR data relating to products offered by data holders to be disclosed. A specialised service provided by the data holder would have to exist for this exchange to occur.
The request would have to be made in accordance with relevant data standards to be accepted, and the data would be disclosed in a machine-readable form to the person who made the request. The data may be used by that person as they see fit, according to the draft rules.
A CDR consumer may also directly request a data holder to disclose CDR data that relates to them -- this is known as a consumer data request.
A consumer data request that is made directly to a data holder is to again be made using a specialised online service provided by the data holder. This time, however, the data is to be disclosed in human-readable form to the CDR consumer who made the request.
A CDR consumer may request another person to request a data holder to disclose CDR data that relates to them. If the request by the third-party is made in line with relevant data standards, using the specialised service, that person will have the data disclosed in a machine-readable form.
Under the data minimisation principle however, the accredited person may only collect and use CDR data in order to provide goods or services under a CDR contract with the CDR consumer.
As banking is the first cab off the rank, these rules will apply initially only in relation to certain products that are offered by certain data holders within the banking sector.
The ACCC said these rules will then apply to a progressively broader range of data holders and products.
Addressing some of the privacy concerns raised during the Senate Economics Legislation Committee's probe of the Treasury Laws Amendment (Consumer Data Right) Bill 2019 [Provisions] earlier this month, the ACCC said the draft rules should be read in conjunction with the Competition and Consumer Act 2010.
In particular, the rules highlight Part IVD of the Act, which sets out the general framework for how the CDR works; designation instruments made under section 56AC of the Act; guidelines made by the Information Commissioner under section 56EQ of the Act; data standards made under section 56FA of the Act; and regulations made under section 172 of the Act.
The committee heard from the Australian Privacy Foundation (APF), which believes the privacy safeguards within the Bill are not sufficient and said in a submission that the government had "severely" underestimated the need for more thought across the entire legislative change.
"We consider the framework as it currently stands unnecessarily exposes people to harm because the fundamental privacy safeguards are not in place and risks have been severely underestimated by the government," APF wrote.
"This inquiry is only considering the legislation and not the Rules. We argue this is a mistake. Both the Rules and the CDR Bill need to be read together and considered by Parliament to ensure the package works as a whole."
After hearing concerns over the adequacy of the CDR's privacy safeguards, the rushed nature of the Bill, the distinct banking focus the Bill will have, and whether the outcome of the CDR will serve organisations more than it will consumers, the committee still recommended for it be passed.
Speaking at a Criterion Conferences Open Banking event in Sydney this week, Bruce Cooper, general manager of the ACCC's Consumer Data Right Branch said that despite a looming election, the ACCC is still going ahead with its planned deliverables of the CDR, expecting the CDR -- at least in some form -- to proceed under whatever party assumes government.
"While there remains some certainty about the timing, we are basically pressing forward with particularly the product reference data, which the timetable calls for being open by 1 July, to establish some sort of pilot that participants that will need to participate in CDR can test their systems against the rules and also to open accreditation so we basically have a vital ecosystem when we do kick off," he explained.
"We're doing that while there is that uncertainty because we feel that it won't be wasted work ... our expectation is that CDR will proceed in some form, quite similar to what it is at the moment, so continuing to work is the right way to go."
The ACCC is accepting submissions in response to the draft until May 10, 2019.
The Australian government department responsible for the Consumer Data Right says there is sufficient consideration given to privacy and that the legislation isn't being rushed through.
Despite hearing concerns around the Bill's ambiguity, lax privacy, and rushed nature, the Senate Economics Legislation Committee has still decided to recommend its passage.
Whereas competitor Westpac has predicted a damage bill of around AU$200 million, the National Australia Bank believes its internal transformation will allow it to comply without impacting its pocket all that much.