OAIC urges prep for 'big tech' entry into consumer data right

Australia’s privacy watchdog has suggested outlawing “certain uses of data” under the consumer data right to mitigate the threat posed by ‘big tech’ companies if they were able to get their hands on detailed banking data.

The Office of the Australian Information Commissioner (OAIC) raised fears that ‘big tech’ companies could exploit consent mechanisms in the consumer data right (CDR) scheme to build even more detailed digital profiles of individuals.

The OAIC has asked a senate committee examining financial technology issues to consider establishing more ‘no go zones’ - or to explicitly prohibit some uses and disclosures of data - before the first ‘big tech’ firm gains CDR accreditation.

“The CDR is currently open to large non-bank technology companies, such as Google or Facebook, to become accredited under the CDR system,” the OAIC said in a submission [pdf].

“We note the participation of these entities in the CDR may raise a range of significant privacy risks, given the volume of data already held by these entities. 

“For example, it would be open to accredited data recipients to ask consumers to consent to combining sensitive financial data with the extensive amount of personal information already collected by these large technology companies (through social media profiles, messages, emails, search histories, and other sources), to deliver products or services. 

“This would allow a large non-bank technology company accredited under the CDR to build profiles of individual consumers, and to derive and provide deep and rich insights into those individuals.”

While acknowledging that ‘big tech’ would still need a consumer’s consent in order to access the banking data, the OAIC questioned whether consumers could “provide fully informed and voluntary consent to certain data handling practices” by ‘big tech’ companies.

Already, the OAIC said there were “information handling practices” used in existing ‘big tech’ business models “which do not meet the expectations of the Australian community.”

The office raised examples such as “inappropriate surveillance or monitoring” of individuals through smartphones and smart home devices; scraping personal information from online platforms; and the “collection, use and disclosure of location information”.

The OAIC said the CDR scheme had “a number of protections” aimed at preventing privacy-invasive use cases, but expressed a view that more could be done.

“In the OAIC’s view consideration could be given to whether further strengthening of the consumer protections under the CDR is required to prohibit certain uses of data under the CDR, where these uses do not meet the expectations of the Australian community,” it said.

“The OAIC notes that there are many other complex regulatory matters to consider in relation to such a proposal, which go beyond privacy.

“The OAIC therefore recommends that the committee consider whether there are specific uses or disclosures of data that should be prohibited in the CDR (rather than relying on an individual’s ability to consent to protect them).”

There are currently no 'big tech' companies accredited as data recipients under the CDR; as it is, there are very few recipients at all.

The government has indicated in recent months it intends to encourage the entry of more participants into the CDR scheme, with Treasury taking on a greater oversight role.