The idea behind the Consumer Data Right (CDR) – which is initially implemented under the Open Banking arrangements – is that people can "access data about themselves held by businesses, and direct that data to be shared with accredited third parties of their choice," according to the Australian Competition and Consumer Commission (ACCC).
So an individual might make their banking data available to a different financial institution in the hope of securing better loan terms, or they might allow their electricity consumption details to be visible to another energy retailer when looking for a more competitive tariff.
Consumers have always been able to provide such data manually – eg, by sending copies of electricity bills – but CDR is about granting access securely, automatically and efficiently.
Currently, the rules allow consumers to grant an accredited data recipient (ADR) access to their CDR data. But they do not allow the ADR to disclose the data to anyone else – even with the consumer's consent – except as necessary to deliver the good or service, such as when part of the supply is outsourced.
The ACCC has proposed that (among other things) consumers should be able to give their consent for an ADR to "disclose CDR data to a trusted advisor who falls within a specified professional class, and disclose limited 'insights' derived from CDR data to any nominated person."
The rationale is that such disclosure "is consistent with the principles of consumer choice and control which underpin the CDR regime," and only occurs at the customer's request and with their separate consent.
The 'trusted advisors' would include accountants, lawyers, tax agents, BAS agents, financial advisors, financial counsellors, and mortgage brokers. The ACCC points out that "Consumers routinely share their banking data with members of these professionals and we consider there will be consumer benefit in allowing this to occur via the CDR."
As for 'insights', they would include such things as "income and expense verification, verification of payments, or outcomes of responsible lending assessments." Importantly, actual CDR data cannot be provided to such recipients.
However, Financial Rights Legal Centre director of casework Alexandra Kelly thinks the new rules could enable access to private and sensitive consumer data by companies which are not required to meet the CDR regime's higher security and safety standards for privacy.
"This proposal will fundamentally undermine consumer trust and confidence in the CDR," she said.
"It is also likely to open the floodgates to non-accredited companies to obtain sensitive data without having to meet higher privacy standards. In some cases they won't have to meet any privacy standards at all."
Financial Rights is also critical of the proposed new rules to allow more direct marketing and the sale of consumer data.
"These proposals could result in financially vulnerable people being targeted by new Open Banking players and sold expensive credit and inappropriate debt and credit solutions they can't afford," Kelly said.
"We urge the ACCC to reconsider these erroneous recommendations and instead put consumer interests at the heart of the new data regime."
Financial Rights' submission to the ACCC seems to imply that it thinks the arguments about increasing consumer choice and improving the customer experience are little more than a smokescreen for reducing compliance costs despite a recent survey conducted by the Office of the Australian Information Commissioner finding that "Eighty-three percent of Australians would like the government to do more to protect the privacy of their data."
The Centre called on the ACCC to design a different tiered accreditation proposal that is primarily concerned with consumers' best interests, with "strong, consistent and unavoidable safety and security measures"; a consent model that allows consumers to be genuinely informed and to easily withdraw their consent, and that "prevents pressure or dark patterns... [being] used by CDR participants to maintain consents".
Furthermore, it appears to regard the proposal to allow disclosures to non-accredited persons as being fundamentally flawed. Among the objections are that:
"Disclosure to a "trusted advisor" is not just inherently risky but is contrary to the entire point of the CDR to provide a safe and secure data environment
"Referring to "Trusted" advisors is misleading since many will not have to provide a safe and secure data environment [and]
"Disclosure to "trusted advisors" facilitates the creation of two data protection regimes – one safe and secure environment, one with fewer if any consumer protections".
Financial Rights also expressed concerns about the proposed rules around joint accounts.
The ACCC consultation on proposed changes to the CDR rules closed yesterday. The Commission proposes to amend the rules in December 2020.