The Australian Government should introduce an outcome-based definition of consumer data that is, as an overarching objective, data that is sufficient to enable the provision of a competing or complementary service or product for a consumer.
In the relevant service or product context, consumer data is digital data, provided in machine-readable format, that is:
- held by a product or service provider
- identified with a consumer
- associated with a product or service provided to that consumer.
Participants in an industry should determine the scope of consumer data relevant to their industry (where an industry in this context would be determined by a broad description of the service). This should be in the form of a data-specification agreement.
Data-specification agreements should also articulate: transfer mechanisms, and security of data, to ensure that data use is practical and robust to technology updates; and the requirements necessary to authenticate a consumer request prior to any transfer.
These agreements should be registered with the ACCC, which may offer interim approval where an agreement has been reached but other industry agreements have been prioritised for approval.
In the absence of such agreement, consumer data must be in machine-readable form and include all of:
- personal information, as defined in the Privacy Act 1988 (Cth), that is in digital form
- information posted online by the consumer
- data created from consumers’ online transactions, Internet-connected activity, or digital devices
- data purchased or obtained from a third party that is about the identified consumer
- other data associated with transactions or activity that is relevant to the transfer of data to a nominated third party.
Data that is solely imputed by a data holder to be about a consumer may only be included with industry-negotiated agreement. Data that is collected for security purposes or is subject to intellectual property rights would be excluded from consumer data.
A consumer for the purposes of consumer data should include a natural person and an ABN holder with a turnover of less than $3m pa in the most recent financial year.
Data that is not able to be re-identified to a consumer in the normal course of business within a data holder should not be considered consumer data.
The definition should be included in a new Act for data sharing and release (recommendation 8.1). Given the need for consumer data to have broad applicability, the outer boundary definition and reference to ACCC registered industry-specific definitions should also be included within the Acts Interpretation Act 1901 (Cth). Consequential amendments to other legislation in the future would ensure harmonisation across federal laws.