Gilbert + Tobin Special Counsel Albert Yuen and Paralegal Erin Kirker discuss the recent introduction of a Consumer Data Right law into Australia and what this means for businesses and consumers. 
Albert recently presented on the topic of Data as an Asset at the Legalwise Seminars Privacy and Data Security conference in Melbourne in March 2019.
We all know the amount of data produced and collected by businesses is increasing exponentially. The nature and use of data in the current commercial landscape is changing. We are welcoming the emerging ‘data economy’: the new infrastructure, new businesses, and new opportunities that are created by the flow and exchange of large amounts of data.
Data, in and of itself, has little inherent value. It derives its value from what insights can be generated from it. As a result, businesses are becoming more sophisticated in their approach to the commercial use of data, investing heavily to exploit it and foster these insights. We’ve seen large conglomerates such as Wesfarmers and Woolworths restructure their entire operations around data, resulting in initiatives such as the Advanced Analytics Centre[1] and an investment in the data analytics firm Quantium[2] respectively. There is a growing trend in the Australian market, with companies realising that data is steadily becoming their most valuable asset.
Though data isn’t a new concept for businesses, it is increasingly becoming a focus for generating value, including driving some interesting commercial ventures. The key change is corporate relationships and data ecosystems are far more complicated than ever before and the increasing regulatory environment businesses need to consider and comply with around the use and protection of data.
Regulatory overlay
The time, resources and energy being put into the exploitation of data has inevitably resulted in increased regulatory scrutiny. Data exists on a sliding scale: where value is being created, this value is at risk of being undermined by regulation. Any significant investments in data ought to be balanced against the prospect of regulatory overlays, particularly those that enforce competition and data protection/privacy.
Australian businesses investing in data will soon have a new balancing act to perform with the impending introduction of the ‘Consumer Data Right’ (CDR).[3] The CDR represents fundamental competition and consumer reform in Australia. The CDR is designed to enable consumers to safely share their transaction, usage and product data with trusted service providers, but only if the individual chooses to do so.[4] It is essentially a data portability right granted to customers. It is important to note that it is not a fully-fledged access regime, the right is a consumer right only.
The CDR will first apply to the banking sector (also known as “Open Banking”), followed by the energy sector, then the telecommunications sector and then potentially other sectors. The initial 1 July 2019 start date for the CDR is now a ‘pilot’ phase for the Big 4 banks, intended to “test the performance, reliability and security” of the new CDR system and certain CDR data to be implemented in phases (with initially bank CDR data on credit and debit cards, deposits and transaction accounts to be made available by this date). Major banks will then apply the CDR to its other products in phases with all remaining CDR data to apply to all products by July 2020. The ACCC has indicated that it aims to begin implementing the CDR in the energy sector during the first half of 2020.
The lead regulator for the CDR will be the Australian Competition and Consumer Commission (ACCC), who will be given a number of new roles in relation to the CDR, including developing rules and an accreditation scheme to govern the implementation of the CDR, approving technical standards, and taking enforcement action to ensure compliance by participants. The ACCC will be supported by the Office of the Australian Information Commissioner (OAIC) and the Data Standards Body as it develops the regulatory framework.
Breaches of most CDR safeguards attract significant civil penalties, with no requirement for breaches to be serious or repeated, with penalties of up to the greater of, for individuals, $500,000 or, for corporations, the greater of $10 million, three times the total value of the benefits that have been obtained, or 10% of the annual domestic turnover of the entity committing the breach.
The risks to value
Despite this, the privacy implications of the consumer data right are still an emerging threat to any investment in data. The CDR proposes an extension to the core privacy right of individual access to their data; it will provide a framework to enable individuals to give direct access to their data to third parties.[5] While this is aimed at assisting the development of third party services that will enhance privacy rights, the insights created from data will lose their value when they are no longer exclusive to the business that created them.
Furthermore, the CDR will introduce a robust set of Privacy Safeguards, more stringent than the APPs. The definition of data that is captured will be broadened: the Privacy Act covers data ‘about’ an individual, whereas the CDR will cover data that ’relates’ to an individual.[6] As a result, the power of consumers may extend into datasets that were previously untouched. This puts a financial onus on businesses to seek new sources of information.
While the CDR represents a positive step in the recognition of individual powers over data, data is equally an important asset to businesses. It is underpinning innovation. Ultimately, businesses need to get ahead of curve and ensure appropriate future data use rights. The CDR will require those sectors affected by it to understand the increasing rules and requirements of the CDR regime, undertake internal reviews and implement a number of measures to ensure the entity is compliant with the new CDR regulatory regime, including contract management, IT systems reviews/updates and data governance reviews and implementation of processes.
[1] Wesfarmers Annual Report 2018: https://www.wesfarmers.com.au/docs/default-source/asx-announcements/2018-annual-report.pdf?sfvrsn=O
[2] Woolworths Annual Report 2013: https://www.woolworthsgroup.com.au/icms_docs/183561_Annual_Report_2013.pdf.
[3] On 26 November 2017, the Australian Government announced the introduction of a consumer data right (CDR) in Australia. The CDR will be introduced by the Treasury Laws Amendment (Consumer Data Right) Bill 2019 (Cth), once passed.
[4] ACCC, ‘Data economy drives dynamic changes’, https://www.accc.gov.au/media-release/data-economy-drives-dynamic-changes.
[5] Australian Government, ‘Privacy Impact Assessment: Consumer Data Right’ (2018) https://treasury.gov.au/consultation/c2018-t350370, 18.
[6] Australian Government, ‘Privacy Impact Assessment: Consumer Data Right’ (2018) https://treasury.gov.au/consultation/c2018-t350370, 21.
Albert Yuen is a Special Counsel in Gilbert + Tobin’s Technology + Digital team and has over 18 years’ experience advising a broad range of clients in technology, media, telecommunications and commercial transactions. Albert also regularly advises on intellectual property commercialisation, agile contracting, privacy and data protection, big data, IoT, cybersecurity and emerging technology issues. He has undertaken senior in-house legal secondments with Telstra in Australia and for Ooredoo in Myanmar, and has spent a number of years working as an Of Counsel attorney in a top tier TMT group of a leading US law firm in Los Angeles, USA. Albert is dual law qualified in USA (California) and Australia. He is recognised as a ‘Next Generation Lawyer’ in the IT and Telecoms category in Australia by Legal 500 Asia Pacific 2017, 2018 and 2019, and recognised as a “Best Lawyer” in 2019 and 2020 for Information Technology Law for Melbourne, Australia. Albert is currently a Committee Member and Secretary of the Australia Indonesia Business Council, Pro Bono Co-ordinator for the firm’s Melbourne office and a current Certified Practising Project Practitioner (CPPP) with the Australian Institute of Project Management. Contact Albert at ayuen@gtlaw.com.au or connect via LinkedIn 
.
Erin Kirker is a Paralegal in Gilbert + Tobin’s Technology + Digital team and a final year law student at Monash University, with a keen interest in the intersection between law and technology. Connect with Erin via LinkedIn .
Find out more about Gilbert + Tobin here or you can connect via Facebook 
, Twitter 
and LinkedIn
