Australian Open Banking live, energy next - Consumer Data Right update

Australia's Consumer Data Right ("CDR") regime in the banking sector ("Open Banking") is live as of 1 July 2020.  The Australian Government has also formally extended the CDR to the energy sector, with implementation expected in late 2021. The primary goal of CDR is to  allow customers to more easily compare and switch providers if they find a better deal elsewhere, resulting in increased competition and innovation.

What is the CDR, and what does it mean for me? 

The CDR is a data portability reform that the Australian Government intends to roll out economy-wide, sector-by-sector, starting with banking, followed by energy and telecommunications.  The objective of the CDR is to:

• provide consumers with the ability to efficiently and conveniently access their personal data held by businesses ("data holders"); and
• authorise the secure sharing of that data to trusted and accredited third parties ("accredited data recipients").

The CDR also requires businesses to provide public access to information on specified products that they offer.

The CDR aims to give consumers the ability to access and use more information about themselves, and about their use of products in order to improve their ability to make informed comparisons and switch to other providers if they find a better deal elsewhere. This is expected to encourage competition between providers, leading to better prices and more innovative products and services, enhancing consumer welfare.  

Implementation, compliance and enforcement

The CDR regime is implemented by a framework consisting of legislative provisions in Part IVD of the Competition and Consumer Act 2010 (Cth) ("CCA"), rules made by the ACCC under the legislation¹ ("CDR Rules") and technical consumer data standards made under the rules by the designated Data Standards Body, CSIRO's Data61 ("Data Standards").  The ACCC is responsible for accrediting data recipients. 

The ACCC and the OAIC are jointly responsible for monitoring compliance with, and enforcing the, CDR regulatory obligations, with the ACCC focusing on general compliance, and the OAIC on privacy issues relating to the handling of consumer data by data holders and accredited data recipients.  Breaches of the regulatory obligations attract significant civil penalties, among other consequences.²

The ACCC's and OAIC's joint Compliance and Enforcement Policy for the Consumer Data Right ("Policy") published in May 2020 explains the approach they will take to encourage compliance and prevent breaches.  The ACCC and OAIC will be actively monitoring compliance relying on stakeholder intelligence / complaints, mandatory periodic reports from data holders and accredited data recipients, audits and assessments of data holders and accredited data recipients, and information requests and compulsory notices. 

In determining the appropriate enforcement approach, the ACCC / OAIC will consider factors including:

• the impact of the conduct on consumers;
• whether the conduct was "deliberate, repeated, reckless or inadvertent";
• the extent of potential gain from the conduct;
• whether the conduct indicates systemic issues;
• whether the business has displayed a corporate culture of compliance, including effective compliance programs; and
• whether the conduct was self-reported and the level of cooperation with the ACCC.

Relevantly, the following conduct has been identified as "priority conduct" likely to result in significant detriment to consumers and the integrity of the CDR, "always" giving grounds for the consideration of enforcement action:

• data holder refusal: repeated refusal to disclose consumer data (or frustrate the process of disclosure) by intentionally circumventing the Rules or Data Standards;
• misleading or deceptive conduct: conduct that misleads a person into believing that another person is a CDR consumer or that a valid request or consent has been made, "holding out" that a person is accredited when they are not, or misleading representations by data recipients regarding the nature or benefits of the CDR service provided;
• invalid consent: accredited data recipients collecting data without valid consent;
• misuse or improper disclosure of consumer data: intentional misuse or improper disclosure of CDR consumer data by an accredited data recipient, inconsistent with the consent provided by a CDR consumer, particularly where consent has been withdrawn. This would also include circumventing the "data minimisation principle", which requires authorised data recipients to only collect the minimum data they need to provide the products the consumer has consented to; and
• insufficient security controls.³

Data holders and accredited data recipients, in their dealings with each other, competing providers and consumers, also remain subject to other parts of the CCA, including the Australian Consumer Law. 

The ACCC is a very active, well-resourced regulator, and we expect it to closely monitor and vigorously enforce compliance with the CDR.  Having regard to the Policy, current and prospective data holders and accredited data recipients should make sure they understand their regulatory obligations and have robust compliance systems in place.  

Rollout in the banking sector

The banking sector was first in line for the implementation of the CDR regime, and will be the test case for the effectiveness of the regime.

Following the commencement of the Rules on 6 February 2020, Australia's big four banks were required to start sharing product reference data in a standardised format, facilitating better product comparisons.  From July 2020, the major banks are required to share certain consumer data, such as data relating to credit and debit cards, deposit accounts and transaction accounts, with accredited data recipients where directed by a consumer to do so.  A wider range of consumer banking data must be made available from November 2020 (including data relating to mortgage and personal loans, investment loans, joint accounts, closed accounts, direct debits, scheduled payments and payees).

Other ADIs are required to share product data from October 2020, and will be required to begin sharing consumer data from 2021.⁴

As at July 2020, two accredited data recipients have completed the necessary steps to securely receive data – Frollo Australia and Regional Australia Bank.  A further 39 providers have reportedly begun the process to become accredited data recipients.⁵

Extension to the energy sector

On 26 June 2020, the CDR was formally extended to the energy sector.⁶  The designation instrument captures consumer data sets relating to the sale or supply of electricity, including where electricity is bundled with gas.  Coverage of data sets about products is broader and includes electricity, gas and dual fuel plans.

Information that has been made part of the scope of the CDR in energy includes individual consumer information as well as information about the sale or supply of electricity to a customer (including other products or services offered, such as free energy efficiency assessments or discounts on non-energy products), as well as metering data, NMI (national metering identifier) standing data, DER (distributed energy resource) register data and billing data for that consumer.

Several steps need to occur before the CDR regime becomes effective in the energy sector, including the development of operational and technical rules by the ACCC and the Data Standards Body, and the technical build.  The timeframes for implementation are still to be confirmed, but it is expected that implementation may commence in late 2021.⁷

The ACCC is currently consulting on the energy rules framework, including the extent to which additional rules, or amendments to the existing Rules, will be required to accommodate the energy sector.⁸ Unlike for Open Banking, where data is provided by data holders directly to accredited data recipients, for the banking sector, the Australian Energy Market Operator ("AEMO") has been selected as the gateway between data holders and accredited data recipients (except in respect of data which AEMO itself holds).  This gateway model, and the unique characteristics of energy data and markets, mean that changes to the current Rules are necessary.

During the remainder of this year, we will likely see a number of specific rules proposed for the implementation of the CDR in the energy sector.  These will require significant engagement from energy sector participants – particularly retailers.  Once the CDR rules and technical standards are settled, it may be necessary to uplift retailer systems to ensure that the capability to provide consumer data is available.

It will also be useful to keep an eye on the operation of the new CDR rights in the banking sector, including the extent of consumer engagement with the CDR.  As this is a very new regime in Australia, lessons may be gained from seeing how it operates in other sectors.

For more details on CDR in the energy sector, see:

• Ashurst "Consumer data right for the energy sector: data sharing and switching is one step closer"
• Ashurst "The new oil - the Australian consumer data right hits the energy sector"

1. Competition and Consumer (Consumer Data Right) Rules 2020, made in February 2020, and amended on 19 June 2020 to clarify their intended operation. The Rules will be regularly updated to expand the scope of the CDR, including to other sectors.
2. For corporations, the greater of AUD10 million per breach, three times the value of the benefit obtained from the breach, or 10% of annual turnover where the value of the benefit cannot be determined. These penalties can only be imposed if the ACCC brings court proceedings and liability is established. Other enforcement options include administrative resolutions, infringement notices, court enforceable undertakings, suspension or revocation of accreditation by the ACCC, certain determinations and declarations by the OAIC relating to privacy issues.
3. ACCC/OAIC Compliance and Enforcement Policy for the Consumer Data Right, May 2020.
4. See the rollout timetable on the new CDR website, available here.
5. ACCC, "Consumer Data Right goes live for data sharing", 1 July 2020.
6. See Consumer Data Right (Energy Sector) Designation 2020 (Cth), and Josh Frydenberg and Angus Taylor and More Power to Compare and Switch Energy Providers, 29 June 2020.
7. Based on indications from the Australian Energy Regulator (AER), Australian Energy Market Operator (AEMO) and Australian Energy Market Commission (AEMC).
8. The ACCC is seeking submissions by 28 August 2020, and looking to publish draft energy rules for consultation in Q4 of 2020.