Australia's Consumer Data Right to finally make its way through Parliament

Legislation to be passed nearly two years after the new regime was officially announced.
Written by Asha Barbaschow, Contributor

The federal government this week plans to introduce legislation it has touted as opening up competition between banks, utilities, and telecommunications providers, as well as allowing consumers to easily switch between providers.

The Consumer Data Right (CDR) -- through the passage of the Treasury Laws Amendment (Consumer Data Right) Bill -- will allow individuals to "own" their data by granting them open access to their banking, energy, phone, and internet transactions, in addition to gaining the right to control who can have it and who can use it.

The first sector to which the CDR will apply is finance, through an open banking regime. Under this mandate, due in February 2020, ANZ, the Commonwealth Bank, NAB, and Westpac will be required to give consumers greater access to the information the banks hold on them, and consumers will have the power to require those banks to provide safe and secure access to that information to trusted third parties.

As banking is the first cab off the rank -- with three of the Big Four already having made generic product data for credit and debit cards, deposit accounts, and transaction accounts available via an application programming interface (API) earlier this month -- concerns were raised throughout the brief consultation period that the legislation would not be overly applicable to industries other than banking.

The Australian Privacy Foundation (APF) in March also highlighted its concerns, saying the CDR privacy safeguards were not sufficient, and that the government has "severely" underestimated the need for more thought across the entire legislative change.

Despite hearing concerns over the adequacy of the CDR's privacy safeguards, the rushed nature of the Bill, the distinct banking focus it will have, and whether the outcome of the CDR will serve organisations more than it will consumers, the Senate Economics Legislation Committee on March 21 recommended that it be passed.

"At the very least, it will improve on current arrangements; and it has the potential to protect and empower consumers and drive competition and innovation," the committee wrote at the time. "The committee particularly welcomes the endorsement of the Bill from innovative high technology companies."

In justifying its sole recommendation that the Bill be passed, the committee said provisions such as the rules-making facility under the Bill would offer the possibility to address problems as they arise.

Australian Treasurer Josh Frydenberg on Monday said progress to the February launch is "well advanced".

"The ACCC will issue the 'lock-down' version of the Rules governing the system by the end of August; and the interim Data Standards Body has, in the last week, issued the implementation draft of the technical standards," he said. "High levels of privacy protection and information security will be a core feature of the system. It is not a right for businesses to share consumer's data without their consent."

Speaking with ZDNet about the CDR, Data Republic CEO Danny Gilligan said he was a huge supporter of the idea of giving consumers more control over their data and enabling data-sharing to happen more freely.

"The simplest way to view the CDR is consumers are utilising scraping technologies today to move their data where they want within services," he said.

"A CDR is really a regulated security and consent framework around what's already happening today. It's the same outcome, written in stone, with a much better consideration of security and consent."

According to Gilligan, the CDR is of great benefit to consumers.

"My view on it is: Is it perfect? No. Are there things I would absolutely change? Yes. Would I stop passing the legislation in order to get it perfect? No I would not," he said in response to a question on the vagueness of the Bill.

"My view is that it's good enough for now and we can continue to improve and iterate on as we go.

"It's a skeleton and there's lots of room to improve around that, but I think that it's a fundamental step in the right direction and I would advocate for taking it and improving upon it as opposed to not taking it at all."

Gilligan's thoughts were followed by a report from banking software company Temenos that claims the main concern banks in the Asia-Pacific region have about open banking is the ability to capture customer data, with 34% of the 100 C-Suite level respondents flagging it as the biggest factor.

31% were concerned by a third-party relationship vulnerability being exploited and the remaining 31% weren't overly trusting of their organisation's ability to protect against cyber-attacks.

The report also reiterated the idea that technology and e-commerce "disruptors" such as Google, Facebook, and Apple are considered the biggest threat to Asia-Pacific banks, followed by payment players including WeChat Pay, PayPal, Ripple, and Alipay; and neo-banks Volt Bank, Varo Money, Starling, and Monzo.

Meanwhile, FinTech Australia -- the body representing Australia's fintech industry -- said it was pleased to hear that the rollout of the CDR was "picking up pace", and that all parties were heading along for the ride.

"We believe this reform's impact on the financial services sector will be exponential and transformative. It is a key building block for fintechs looking to create new services that enhance competition and improve financial literacy," FinTech Australia GM Rebecca Schot-Guppy said.

"This rollout is just the first hurdle of what will be a long process before consumers will see the true impact of this reform. If the UK experience is anything to go by, the consumer data right and open banking policies will require ongoing support and promotion for them to realise their potential."

The CDR will be regulated by the Australian Competition and Consumer Commission and the Office of the Australian Information Commissioner, with a new Data Standards Body developing transfer and security standards.  

