Treasury considers relaxing consumer data sharing rules

Businesses accredited to receive data under the consumer data right may soon be able to share it with unaccredited parties they work with, under changes being considered by the federal government.

New guidance released by Treasury late on Friday reveals plans to broaden the scheme’s data access arrangements, including opening two “new pathways” for businesses to obtain data, after consultation with the CDR community.

At present, only accredited data recipients (ADRs) are able to receive a consumer’s data from an accredited data holder, and use it to provide an enhanced product or service.

Nine ADRs are currently accredited, including fintechs Frollo, Ezidox, Yodlee and Adatree, credit bureau illion, the Regional Australia Bank, software provider Intuit, and, most recently, the Commonwealth Bank.

But in a bid to make it easier for smaller players to gain accreditation, which has been labelled “costly” and “laborious” by some, ADRs could soon “sponsor other parties to become accredited or allow their agents to participate”.

Treasury said this will “enable ADRs to share CDR data with other businesses in their data sharing ecosystem who aren’t accredited but who act on their behalf as an authorised agent, with liability for the acts of the agents attaching to the ADR”.

For ADRs unwilling to assume liability for the actions of others businesses, another planned pathway will allow ADRs to “assist another fintech to become accredited by ‘sponsoring’ them into the system”.

Treasury said the rule changes are intended to “reduce the costs of accreditation for smaller participants and startups, without reducing the overall security and privacy protections of the regime”.

However, the plans – which are currently under development and yet to be released for formal consultation – could have significant implications if and when ‘Big Tech’ companies become ADRs under the scheme.

Last week, a senate committee said [pdf] the “giant reach” and poor track record of data use by Big Tech firms meant that “additional rules or safeguards may be required” in the future.

Other changes under consideration include the ability for consumers to permit trusted advisors to access CDR data and “share certain ‘insights’ obtained from CDR data to verify a consumer’s identity, their account balance, income level and expenses”.

“In the coming weeks, the Data Standards Body within Treasury will commence discussions with the CDR community on developing supporting standards prior to the release of the draft rules,” Treasury said.

Separately, Treasury has released two discussion papers to inform the development of draft CDR rules and standards for the scheme’s expansion to the energy sector, including the “peer-to-peer model” that the government has chosen over a gateway data access model.

One discussion paper goes to ensuring that consumers with join accounts in either the energy or banking sectors can both “authorise the sharing of account data by default unless one or both account holders choose to opt-out”.