Overview
Data61 has been appointed as the Consumer Data Standards (CDS) team by Treasury to develop standards for the Consumer Data Right (CDR). These standards will enable consumers to access and direct the sharing of data about them with third parties flexibly and simply, and in ways that ensure security and trust in how that data is being accessed and used. The Australian Competition and Consumer Commission (ACCC) will be the lead regulator for the CDR with support from Data61 and the Office of the Australian Information Commissioner (OAIC). Data61’s work includes validating the technical workstreams and putting into effect the ACCC’s Rules.
Introducing a Consumer Data Right requires the creation of common technical standards that make it easier and safer for consumers to access data held about them by businesses, and — if they choose to — share this data via application programming interfaces (APIs) with trusted, accredited third parties. The Consumer Data Right will first be implemented in the financial sector before expanding into the energy sector, followed by telecommunications; it is then intended to apply sector by sector before applying economy-wide. A precedent for the Consumer Data Right was set with the implementation of Open Banking in the UK, and the Consumer Data Right has looked to that implementation for reference.
The Consumer Experience Workstream
The API standards, Engineering, and Information Security workstreams have operated primarily through GitHub. The Consumer Experience (CX) workstream will rely more heavily on publication through consumerdatastandards.org.au and our Medium publication to help make the work more accessible to non-technical audiences and the general public.
The key output of the CX Workstream will come in the form of CX Guidance, which will provide data recipients and data holders with standards and guidance for seeking and receiving consent from consumers. Following advice in the Farrell report, the CX Workstream has looked to the UK implementation of Open Banking and its accompanying CX Guidelines for reference.
The ultimate aim of the CX workstream is to help organisations provide consumers accessing their rights under the CDR with a trusted and usable consent experience. This involves the development of design requirements and guidelines for organisations seeking consent from consumers and facilitating authorisation and authentication under the Consumer Data Right that meet the ACCC’s standards for consent.
The ACCC sets the rules surrounding the implementation of the Consumer Data Right and provides the framework within which the Data Standards Body and the Consumer Experience Workstream operate. The ACCC has proposed requiring the Data Standards Body to develop standards relating to the design of consent screens and permissions and the user experience of authentication and authorisation, and to require testing of consumer comprehension of consent as part of the standards-setting process.
The ACCC Rules on Consent
The ACCC Rules propose a number of requirements in relation to consent, within which the practical guidance on consent design must sit.
For consent to be valid, it must meet the following requirements:
- Consent must be voluntary, express, informed, specific as to purpose, time limited and easily withdrawn.
- An accredited data recipient must not make consent a precondition to obtaining another unrelated product or service. The collection of CDR data must be reasonably necessary or required to provide the service the accredited data recipient is offering.
- An accredited data recipient must not bundle consent with other directions, permissions, consents or agreements.
- An accredited data recipient must present each consumer with an active choice to give consent, and consent must not be the result of default settings, pre-selected options, inactivity or silence.
A request for consent must be presented to a consumer using language and/or visual aids that are concise and easy to understand. An accredited data recipient must provide consumers with a straightforward process to withdraw consent and provide information about that process to each consumer prior to receiving the consumer’s consent.
Consent must also be voluntary and consistent with the OAIC’s Australian Privacy Principles guidelines on voluntary consent. Consent is voluntary if an individual has a genuine opportunity to provide or withhold consent. Consent is not voluntary where duress, coercion or pressure is applied by any party involved in the transaction.
Factors relevant to deciding whether consent is voluntary include:
- the alternatives open to the individual if they choose not to consent
- the seriousness of any consequences to the individual if they choose not to consent
- any adverse consequences for family members or associates of the individual if the individual chooses not to consent.
Breaches of the specific ACCC Rules, in addition to any of the privacy safeguards, can attract civil penalties up to an amount specified in the Rules, capped at:
- for individuals, $500,000; or
- for corporations, the greater of $10,000,000; three times the total value of benefits that have been obtained; or 10% of the annual turnover of the entity committing the breach.
The CX Workstream Approach
To put the ACCC Rules into effect and to achieve the CX objectives, the CX workstream will be research-driven and informed by community consultation. We will engage with consumer groups, data holders and data recipients using email newsletters, blog posts, workshops, and ongoing sharing of research findings and preliminary recommendations for wider feedback.
The CX Workstream will also engage with participants considered to be vulnerable or in vulnerable circumstances, and seek diversity in research recruitment so that a wide range of scenarios, participants, and needs can be better understood and inform the development of the CX Guidance.
A human-centred design approach will be adopted to create solutions that are useful, usable, and that will be used. This means that where timeframes and process allow it, we will begin with an investigation of the problem space to generate insights; solutions will be co-designed through community consultation; and any proposed solutions will be tested and refined before they are recommended as a standard. This approach will often be non-linear. More information on the human-centred design approach is available.
Keep in touch
These blog posts will provide you with a variety of updates on the Consumer Experience (CX) Workstream. The focus will be on outwardly communicating the work we’re doing to create standards for the Consumer Data Right.
You can sign up to our mailing lists, find past updates and our Medium publication, and find other information on the Consumer Data Standards website. The other technical workstreams also have an online presence on GitHub.
If you would like to participate in any of our discussions across the four streams or provide any feedback, you can do so via email to cdr-data61@csiro.au.
The Consumer Data Standards Team have a very busy year ahead and we look forward to your participation and support!