Federal Register of Legislation - Australian Government

Designations as made
This instrument designates the banking sector as being subject to the consumer data right.
Administered by: Treasury
Registered 06 Sep 2019
Tabling History
Tabled HR: 09-Sep-2019
Tabled Senate: 10-Sep-2019

EXPLANATORY STATEMENT

Issued by authority of the Treasurer

Competition and Consumer Act 2010

Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2019

Subsection 56AC(2) of the Competition and Consumer Act 2010 provides that the Minister may, by legislative instrument, designate a sector of the Australian economy to be subject to the consumer data right. The consumer data right is set out in Part IVD of the Competition and Consumer Act 2010.

The purpose of the Consumer Data Right (Authorised Deposit‑Taking Institutions) Designation 2019 is to designate the banking sector as subject to the consumer data right.

The designation sets out, in relation to this sector, the classes of information that are subject to the consumer data right, the persons who hold this information and will be required or authorised to transfer the information under the regime, and the earliest date that the information must have begun to be held to be subject to the consumer data right. This information will be CDR data (see section 56AI of the Competition and Consumer Act 2010). Data holders may be required to disclose CDR data in accordance with the consumer data rules. The rules may also authorise data holders to choose to share this data through the consumer data right.

Consistent with the findings of the Review into Open Banking, the banking data specified as information by this designation is customer provided data, data about the use of banking products, and data about banking products.

The Treasury Laws Amendment (Consumer Data Right) Act 2019 amended the Competition and Consumer Act 2010 to establish a consumer data right.

The consumer data right provides individuals and businesses with a right to efficiently and conveniently access specified data that relates to them held by businesses, and to authorise secure access to this data by accredited third parties. The consumer data right also requires businesses to provide public access to information on specified products that they offer.

The consumer data right is designed to give customers more control over their information, leading, for example, to more choice in where they take their business, or more convenience in managing their money and services.

The Government conducted three weeks of consultation on the draft designation instrument from 24 September 2018, and a further four weeks of consultation on a revised draft from 14 June 2019. Stakeholder feedback was considered as part of the development and finalisation of the designation.

Subsection 56AD(1) of the Competition and Consumer Act 2010 obliges the Minister to consider a range of factors when exercising the power to make a designation instrument. Item 2 of Part 1 of Schedule 1 of the Treasury Laws Amendment (Consumer Data Right) Act 2019 relieves the Minister, the Australian Competition and Consumer Commission, and the Information Commissioner from associated consultation obligations in relation to the designation for the banking sector, provided that it is made prior to 1 July 2020 or 3 months following the commencement of that Part, whichever is the later. This is provided for because the relevant consultations have already taken place. The Open Banking review undertook consultation with the banking sector and the community on the scope and application of the consumer data right to the banking sector. The Government subsequently consulted on the recommendations in the Open Banking Report.

Details of the Consumer Data Right (Authorised Deposit‑Taking Institutions) Designation 2019 are set out in Attachment A.

The Consumer Data Right (Authorised Deposit‑Taking Institutions) Designation 2019 commenced on the day after it was registered.

A statement of compatibility with human rights is set out in Attachment B.


 

ATTACHMENT A

Details of the Consumer Data Right (Authorised Deposit‑Taking Institutions) Designation 2019

Section 1 Name

This section provides that the title of the designation is the Consumer Data Right (Authorised Deposit‑Taking Institutions) Designation 2019.

Section 2 Commencement

This section provides that the Consumer Data Right (Authorised Deposit‑Taking Institutions) Designation 2019 will commence on the day after the instrument is registered.

Section 3 Authority

This section states that the Consumer Data Right (Authorised Deposit‑Taking Institutions) Designation 2019 is made under subsection 56AC(2) of the Act.

Section 4 Definitions

The Consumer Data Right (Authorised Deposit‑Taking Institutions) Designation 2019 includes a number of definitions. These are:

Act means the Competition and Consumer Act 2010.

Associate has the same meaning as in section 318 of the Income Tax Assessment Act 1936. This includes an individual’s relatives such as spouse, children or siblings, or a company’s parents or subsidiaries. This definition of associate is also used in the definition of CDR consumer in section 56AI of the Competition and Consumer Act 2010. The expression associate is used in the designation so that, where a banking product is supplied to multiple persons, information about each of those persons and their use of the product is captured by the designation. This may occur where the product has more than one account holder, or where the primary account holder has given access to other persons such as a relative or spouse.

Australian law has the same meaning as subsection 6(1) of the Privacy Act 1988. This definition includes an Act of the Commonwealth, State or Territory or subordinate legislation made under one of these Acts, a Norfolk Island enactment, or a rule of common law or equity. This definition is used when determining if an exclusion for materially enhanced information applies.

Authorised deposit‑taking institution has the same meaning as it would under the Banking Act 1959. An authorised deposit‑taking institution is a body corporate that has been authorised by the Australian Prudential Regulation Authority to carry on a banking business.

Product means a good or service that is or has been offered or supplied to a person in connection with:

                taking money on deposit, for example a savings account;

                making advances of money, for example a mortgage or credit card; 

                another financial activity prescribed by regulations for the purposes of the definition of a banking business.

These elements reflect the elements of the definition of banking business in section 5 of the Banking Act 1959.

A product also includes a purchased payment facility that is or has been offered or supplied to a person.

Purchased payment facility means a facility, other than cash, which is:

                purchased by a person from another person; and

                is able to be used as a means of making payments up to an amount available under the conditions applying to the facility; and

                the payments are made by the provider of the facility.

The criteria that a product must satisfy to be a purchased payment facility reflect the criteria in section 9 of the Payments System (Regulation) Act 1988. However, unlike the Payments System (Regulation) Act 1988, if a product meets the relevant criteria it will be a purchased payment facility regardless of a declaration by the RBA, or a determination by APRA.

Section 5 Designation of sector subject to the consumer data right

This section sets out:

                The classes of information that are prescribed and therefore subject to the consumer data right (see the detailed explanation for sections 6, 7 and 8);

                That the information prescribed in sections 6 and 8 is specified unless it falls within the scope of section 9, and that the information prescribed in section 7 will be specified unless it falls within the scope of section 9 or 10 (see the detailed explanation for sections 9 and 10);

                That authorised deposit-taking institutions are specified as the persons that hold this information, or who the information is held for; and

                That the earliest date that the classes of information can become subject to the consumer data right is 1 January 2017.

The note to section 5 clarifies that the information specified in Consumer Data Right (Authorised Deposit‑Taking Institutions) Designation 2019 will not be ‘chargeable data’. That is, a fee cannot be charged for CDR data covered by this designation.

Sections 6 to 8 Classes of information

Sections 6 to 8 specify the three types of information which are subject to the consumer data right.

Information about the user of the product – Section 6

The first type of information covered by the designation is ‘customer’ information. This is information to which section 6 applies. This is information about the person to whom the product has been or is being supplied, or the person’s associate where the product has also been or is also being supplied to the associate.

The information must have been either:

                provided directly by the person or their associate when acquiring or using a product, for example, the person’s name and address; or

                otherwise obtained by or on behalf of the ADI (or the entity that holds information on the ADI’s behalf). This will be information that the ADI has obtained externally, for example information that an ADI has received from another ADI with the consent of the relevant customer.

Subsection 6(2) provides for specific information that is covered by subsection 6(1). This list of information is not exhaustive. The reference to ‘eligibility’ in paragraph 6(2)(b) is intended to cover matters such as a customer’s membership of a particular group or association where that is a precondition of accessing a product or service.

Information about the use of the product – Section 7

The second type of information covered by the designation is information about the use of the product by the person or an associate of the person who is also supplied with the product. This is information to which section 7 applies.

This includes the type of information that a customer would typically see on a statement, such as the balance of their account, debits and credits on the account and when these occurred, and to whom payments were made.

Information on the use of a product also includes information on the authorisations attached to a product. For example, persons who are authorised to use, access or view information about the account or an authorisation to make a payment to a third party.

However, the designation limits the information about the use of the product where this information has been materially enhanced as a result of analysis or insight by the provider. Materially enhanced information, to which section 10 applies, is excluded from section 7. A more detailed explanation is given below in the note on that section.

Information about a product – Section 8

The third type of information covered by the designation is information about a product. This is information to which section 8 applies.

This would include information such as information identifying or describing a product, the price of a product such as fees and charges or interest rates, terms and conditions and eligibility criteria that a customer needs to meet to be provided with the product.

The product information can be about a certain type of product for a particular customer or group of customers, such as savings accounts for students or retirees. It can also relate to legacy products that are no longer offered but continue to be provided to existing customers.

Sections 9 and 10 – Exclusions from specified classes of information

Information that is not information about the user of a product – Section 9

As noted above, any information to which section 6, 7 or 8 applies is not specified by this designation if section 9 applies to the information.

Part IIIA of the Privacy Act 1988 regulates the privacy of information relating to consumer credit reporting in Australia. It does this by regulating the handling of personal information about individuals’ activities in relation to consumer credit. In particular, Part IIIA of the Privacy Act 1988 outlines:

                the types of personal information that credit providers can disclose to a credit reporting body for the purpose of that information being included in an individual’s credit report;

                what entities can handle that information; and

                the purposes for which that information may be collected, used and disclosed.

The Privacy Act 1988 excludes the consumer data right and associated subordinate legislation as an Australian law that would permit the use or disclosure of credit reporting information or credit eligibility information under Part IIIA.

Under the Privacy Act 1988, credit providers may also disclose credit information to other credit providers where the customer consents to the disclosure. In this context, to reduce overlap between the regulation of credit information and the consumer data right, the designation excludes the following information from the consumer data right:

                a statement that an information request under Part IIIA has been made for the individual by a credit provider, mortgage insurer or trade insurer (consistent with paragraph 6N(d) of the Privacy Act 1988);

                new arrangement information about serious credit infringements (consistent with subsection 6S(2) of the Privacy Act 1988);

                court proceedings information about the individual (consistent with paragraph 6N(i) of the Privacy Act 1988);

                personal insolvency information about the individual (consistent with paragraph 6N(j) of the Privacy Act 1988); and

                the opinion of a credit provider that the individual has committed a serious credit infringement (consistent with paragraph 6N(l) of the Privacy Act 1988).

Information that is materially enhanced – Section 10

Section 10 carves out information about the use of a product from being specified under section 7 where that information has been materially enhanced.

The concept of materially enhanced information refers to information which is the result of the application of insight or analysis of information to significantly enhance its useability and value in comparison to its source material. The insight and analysis may be conducted by a human, a machine, or a combination of both. For the purposes of the materially enhanced test, source material is information to which subsection 7(1) applies. This means that while materially enhanced information may have been derived either entirely from information to which subsection 7(1) applies, or from a combination of information covered by subsection 7(1) and other information, the test only requires the enhanced information to be significantly more valuable than the subsection 7(1) inputs.

The intention is that information whose value has been largely generated by the actions of the data holder will be carved out by the ‘materially enhanced’ test. For example, materially enhanced information may include: the outcome of an income, expense or asset verification assessment; a categorisation of transactions as being related to groceries or rent; significantly improved descriptions of transactions utilising geolocation or business name information from external sources; assessments of a customer’s ability to meet loan repayments (also known as loan serviceability); or inferences that a customer has recently experienced a life event, such as a house purchase.

While section 10 excludes materially enhanced information from the class of information to which section 7 applies, such information may nonetheless be CDR data due to paragraph 56AI(1)(b) of the Competition and Consumer Act 2010, which captures information that is wholly or partly derived from information that falls within a class of information specified in this instrument. This means that:

                the consumer data right applies to materially enhanced information, and

                while data holders are not required to disclose materially enhanced information under the consumer data right, customers can still authorise data holders to disclose this information through the consumer data right, where this is authorised under the consumer data rules.

Section 10 also provides examples of information that is not materially enhanced. The purpose of this list is to both avoid any doubt in relation to these items, and to illustrate where derived information would not be significantly enhanced to aid in the interpretation of the materiality test. These examples are:

                a calculated balance;

                an amount of interest earnt or charged;

                a fee charged;

                a reference number, including a routing number, a clearing house number or a swift code;

                information identifying a person, body, product, transaction or account;

                information about authorisations;

                the categorisation of source material based on a feature of the product to which it relates, including categorisation by the fees or interest rates applicable to the product;

                information that results from filtering or sorting source material by reference to a date, period, amount or categorisation.

ATTACHMENT B

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Consumer Data Right (Authorised Deposit‑Taking Institutions) Designation 2019

The Consumer Data Right (Authorised Deposit‑Taking Institutions) Designation 2019 is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Legislative Instrument

The Treasury Laws Amendment (Consumer Data Right) Act 2019 amended the Competition and Consumer Act 2010 to establish a consumer data right.

The consumer data right provides individuals and businesses with a right to efficiently and conveniently access specified data that relates to them held by businesses; and to authorise secure access to this data by accredited third parties.

The consumer data right also requires businesses to provide public access to information on specified products they have on offer. The consumer data right is designed to give customers more control over their information, leading, for example, to more choice in where they take their business, or more convenience in managing their money and services.

Subsection 56AC(2) of the Competition and Consumer Act 2010 provides that the Minister may designate a sector of the Australian economy to be subject to the consumer data right, by making a legislative instrument.

The Consumer Data Right (Authorised Deposit‑Taking Institutions) Designation 2019 designates the banking sector as a sector that is covered by the consumer data right. It does this by setting out the classes of information that are subject to the consumer data right, the persons who hold this information and will be required or authorised to transfer the information under the regime.

Human rights implications

The Consumer Data Right (Authorised Deposit‑Taking Institutions) Designation 2019 engages the right to protection from arbitrary or unlawful interference with privacy under Article 17 of the International Covenant on Civil and Political Rights (ICCPR) because it enables, in the context of the banking sector, a person to directly access or to direct another person or entity to transfer personal information about themselves to another person or entity.

In order for an interference with the right to privacy to be permissible, the interference must be authorised by law, be for a reason consistent with the ICCPR and be reasonable in the particular circumstances. The UN Human Rights Committee has interpreted the requirement of ‘reasonableness’ to imply that any interference with privacy must be proportional to the end sought and be necessary in the circumstances of any given case.

The consumer data right is a right for consumers to authorise data sharing and use. The consumer data right will provide individuals and businesses with a right to access data relating to them; and to authorise secure access to their data by persons who have been ‘licensed’ to receive the data – ‘accredited data recipients’.

Underpinning the consumer data right is a requirement that the disclosure between entities of personal information is generally only permitted with the express consent of the individual. The consumer data right does not generally allow businesses who hold or receive data to transfer or use data without the customer’s consent.

It is intended that the consumer data right in the banking sector, by giving consumers improved access to data, will support better comparison services by taking into account Australians’ actual circumstances and promoting more convenient switching between products and providers.

The Competition and Consumer Act 2010 protects against arbitrary interference with privacy by establishing a set of consumer data right specific privacy safeguards, modelled off the existing Australian Privacy Principles (APPs) but with additional obligations. The privacy safeguards included in the consumer data right are:

                restrictions on the use, collection and disclosure of information received through the consumer data rules, including information derived from this information, generally to circumstances where the consumer has given express consent;

                requirements to have privacy policies in place which are easily accessible and clearly explain the complaints handling process;

                obligations on data holders and accredited data recipients to correct information;

                obligations on data holders and accredited data recipients to notify the consumer when information is disclosed;

                requirements to destroy information that is purported to have been shared under the consumer data rules but has been disclosed in error;

                strong powers for regulators, including the Office of the Australian Information Commissioner (OAIC);

                restrictions on direct marketing; and

                remedies for breaches, including through external dispute resolution arrangements.

The OAIC will advise on and enforce privacy protections, and provide complaint handling for breaches of the Privacy Safeguards. Consumers will have a range of avenues to seek remedies for breaches of their privacy or confidentiality including access to internal and external dispute resolution and direct rights of action.

The Competition and Consumer Act 2010 also established an accreditation process that provides protection against arbitrary or unlawful interference with privacy. Only trusted and accredited third parties will be able to access data from data holders at the customer’s direction. The ACCC will initially be responsible for accrediting entities. The requirements that need to be met will be set out in the consumer data rules and will address matters such as:

                having systems, resources and procedures in place which enable the entity to comply with their consumer data right obligations including the security of information; and

                having internal dispute resolution procedures in place and being a member of a recognised external dispute resolution body.

These limitations are consistent with the prohibition on arbitrary interference with privacy as they are directed at legitimate objectives and are reasonable and proportionate to those objectives.

Conclusion

This Legislative Instrument is compatible with human rights because, to the extent that it may limit human rights, those limitations are reasonable, necessary and proportionate.