The Australian Government should introduce an outcome-based definition of consumer data that is, as an overarching objective, data that is sufficient to enable the provision of a competing or complementary service or product for a consumer.
In the relevant service or product context, consumer data is digital data, provided in machine-readable format, that is:
- held by a product or service provider, and
- identified with a consumer, and
- associated with a product or service provided to that consumer.
Participants in an industry should determine the scope of consumer data relevant to their industry (where an industry in this context would be determined by a broad description of the service). This should be in the form of a data-specification agreement.
Data-specification agreements should also articulate: transfer mechanisms, and security of data, to ensure that data use is practical and robust to technology updates; and the requirements necessary to authenticate a consumer request prior to any transfer.
These agreements should be registered with the ACCC, which may offer interim approval where an agreement has been reached but other industry agreements have been prioritised for approval.
In the absence of such agreement, consumer data must be in machine-readable form and include all of:
- personal information, as defined in the Privacy Act 1988 (Cth), that is in digital form
- information posted online by the consumer
- data created from consumers’ online transactions, Internet-connected activity, or digital devices
- data purchased or obtained from a third party that is about the identified consumer
- other data associated with transactions or activity that is relevant to the transfer of data to a nominated third party.
Data that is solely imputed by a data holder to be about a consumer may only be included with industry-negotiated agreement. Data that is collected for security purposes or is subject to intellectual property rights would be excluded from consumer data.
A consumer for the purposes of consumer data should include a natural person and an ABN holder with a turnover of less than $3m pa in the most recent financial year.
Data that is not able to be re-identified to a consumer in the normal course of business within a data holder should not be considered consumer data.
The definition should be included in a new Act for data sharing and release (recommendation 8.1). Given the need for consumer data to have broad applicability, the outer boundary definition and reference to ACCC registered industry-specific definitions should also be included within the Acts Interpretation Act 1901 (Cth). Consequential amendments to other legislation in the future would ensure harmonisation across federal laws.
The Government notes this recommendation, and further consideration will be given to its implementation.
The Consumer Data Right will be progressively rolled out on a sector-by-sector basis, with each sector to develop standards governing access and transfer of data, including the definition of ‘consumer data’ that can be transferred to consumers and third parties. The default expectation would be that ‘consumer data’ would include the transaction or product usage data needed to enable identification or provision of a competing or complementary service or product.
The Consumer Data Right will initially be rolled out in the banking, energy and telecommunications sectors. The rollout of the Consumer Data Right in future sectors will be designated by the Government, based on advice from the ACCC and the OAIC.
Data standards will be assessed by the ACCC and OAIC through a joint process against criteria specified in legislation. Where agreement cannot be reached by a sector, the ACCC and OAIC will develop the data standard, including the definition of consumer data.
Individuals and small-medium enterprises will both be considered to be consumers for the purposes of the Consumer Data Right.
The Act (or Acts) that establish the Consumer Data Right will be determined when the Consumer Data Right is designed in legislation.
Lead Agencies: The Treasury and the Attorney-General’s Department.