Disclosure: Privacy Australia is community-supported. We may earn a commission when you buy a VPN through one of our links. Learn more.
Consumer Data Right: What Is It and Should You Care?
The CDR is due to be phased on July 1st, and with it comes some far-reaching implications for Australian citizens and small business owners alike.
What is the CDR?
The CDR is an economy-wide reform focusing on providing consumers with more access to their data. It will be applied sector by sector, starting with banking, followed by energy and telecommunications.
CDR began when on July 20th, 2017, then-Treasurer Scott Morrison commissioned the Review into Open Banking. The review recommended expanding beyond solely the banking data of Europe’s Open Banking system, and through time the more general “Consumer Data Right” was born.
One of its main goals is to encourage competition within the sectors that it’s phased into, and through this be able to offer a wider range of services and products at a more affordable rate to the consumer.
This comes in three components: data access, data portability, and data transparency.
- Data access – customers, whether individuals or businesses, will have a right to access data held about them, and the products and services provided to them, by businesses in specific industries;
- Data portability – customers will have the ability to direct that their data be transferred to and shared with accredited third parties, including other service providers and comparative services;
- Data transparency – businesses will be required to allow public access to information about specific products and services they have on offer.
Consumers will be able to access information held about them by data holders, and either take that information and pass it onto an Accredited Data Recipient or have the data holder directly transfer that information itself to an ADR. This information can then be used to offer a more finely-tailored selection of services or products.
The process for accreditation is still being outlined and technical standards within the CDR are still being developed by digital research company, Data 61.
In terms of security, the CDR currently has 13 different privacy safeguards, with more amendments possible as the reform progresses.
Great, now let’s dig into this, as there’s a lot to take into consideration here.
On the surface, the convenience of being offered services and products specifically tailored to your needs at a lower cost may sound appealing.
This comes at a massive cost: your digital privacy.
The Australian government is sacrificing it’s people’s digital privacy in favor of consumer convenience and in our current ever-changing digital climate, the importance of maintaining our digital privacy has never been greater.
If you’re like me, and 88.3% of Australians that we surveyed, the convenience isn’t worth the cost.
How Much Data Are We Talking About Here?
Think for a second about the amount of data your bank has on you. Your name, contact details, transaction history, transaction amounts and descriptions, account numbers, account names, balances, authorizations, mortgage payments, and investments just to name a few. Now that’s just the first stage of this entire thing.
Once this ‘CDR data’ envelops the energy and telecommunication sectors as well, this will just become an overwhelming trove of valuable data.
Not only is it that ‘CDR data’ from each relevant sector that will be made accessible, but it’s also any information derived from that data, and any information derived from that derived information, and so on.
Once these sections of the CDR are all up and running, there will also be a lot of exchange of data between industries, if given consent by the consumer.
With data often being labelled as the new oil, I don’t think it would be a leap to say this is a potentially thunderous siren call for felony.
Consider this situation, a consumer could hypothetically send their energy usage data to a solar provider. The solar provider gets their energy usage data for the month, and analyzes it using whatever metrics they have available. They can then bunch that data together with banking data to see what financially feasible options are available to that consumer to install solar panels.
Now think about how many times that data has to change hands to get to that point, and think about just how much data each one of those hands is holding and how much a small error could cost the average person or business.
Opening the floodgates on this massive sum of data just feels a bit like tempting fate for a payoff that just doesn’t quite feel adequate.
Doubt has even been cast from within the Australian parliament. The Labor Opposition has criticized the short timeframe for review, and raised concerns with various aspects of the Bill with respect to the privacy and the treatment of derived data.
Granted, there are plenty of privacy measures in place, and whopping fines are in the future of many different businesses should they fail to meet the requirements.
In fact, breaches of the CDR rules can incur civil penalties up to $500,000 for individuals, or for corporations, the greater of $10,000,000; three times the total value of benefits that have been obtained; or 10% of the annual turnover of the entity committing the breach.
Data Breaches on the Rise
Now, let’s use the rest of the world as an example.
Since the inception of the General Data Protection Regulation in Europe or GDPR, on May 25th, 2018, there have been over 160,000 data breaches. One of the most noteworthy being British Airways receiving a £183 million fine, as well as losing the data of over 500,000 customers.
In the US, there has been a steady rise in data breaches every single year resulting in the exposure of millions and millions of records. The average cost of a data breach in the US alone costs $3.92 million USD.
Not only are these protective measures set out by various countries concerning businesses and their consumer data being defied from malevolent forces without, but also from within by companies like Facebook abusing their platform to mine data in insidious ways.
And, when human error is the cause of 90% of data breaches in places like the UK, should we really increase the likelihood of these breaches happening by giving the population even larger quantities of data to exchange?
Sure, you can fine the hell out of those businesses and impose incredibly restrictive measures, but once the data is gone, it’s gone.
What This Means for Small Businesses
This entire ordeal means a number of things for small businesses, none of them particularly good.
Small businesses will need to consider becoming Accredited Data Recipients in order to stay competitive in the market, which will put them in harm’s way should they not be able to maintain the high level of security demanded by the CDR.
An adequate budget is necessary to develop new systems and technologies, identify and collect relevant data, comply with consumer requests, and support ongoing reporting and record-keeping.
This is a massive add-on for businesses that don’t already possess the necessary resources. There are also no levies being put in place, so the cost for implementation of these safety measures falls entirely onto the businesses themselves.
Small businesses (businesses that make less than $3 million per year) are usually except from any obligations under the Privacy Act. But now with the new CDR rules, an accredited small business recipient of CDR data loses it’s right to bank on that exemption.
Any breach of those CDR rules will come with a hefty fine that these businesses may not be able to shoulder like some of the giants.
If businesses do manage to take these hits and keep going, the damage to reputation that comes along with the exposure of security vulnerabilities is often one of the heaviest prices to pay. Brand trust can drop, and paying customers to look elsewhere for services. For some, a data breach can mean the end of their business.
Lastly, this increased competition obviously does not favour the small guy. Even stated bluntly on the CDR fact sheet, with the ease of data portability, this will give power to the consumer to negotiate a better deal with their current provider or just switch to someone else that offers something better.
Larger businesses will be able to lure new customers away as Australians get used to the idea of just picking up and changing service providers with less hassle. This will become fertile ground for the expansion of larger international companies as open banking will now lower the barriers of entry into the Australian market.
The Australian government is being reckless with the private data of millions of its own people. Systems aren’t infallible, and it seems the onus for caring for our digital privacy will slowly fall onto our own shoulders.
There is no one that is entirely safe from data breaches, and we have to do what little we can to maintain sovereignty over our own digital privacy. Find yourself the best VPN within your budget, stay up-to-date on the best internet practices for staying anonymous online, and be mindful of the places that you share your data, moreso now than ever.