CBA and NAB have reacted with alarm at a proposal that would allow a recipient of banking data under the consumer data right to pass it directly to another recipient.
The data transfer proposal was floated by the Australian Competition and Consumer Commission (ACCC) at the end of September amongst a swathe of possible rule changes [pdf] for the consumer data right (CDR) scheme.
The rule changes are intended to lift participation in the scheme and get more parties working with CDR data. They propose, among other things, new accreditation tiers for data recipients.
But perhaps more controversially, one of the plans floated is to allow recipients “to collect and disclose CDR data between themselves”, instead of limiting data flows to between a data holder (such as a bank) and a data recipient (such as a fintech).
The ACCC said data transfers directly between accredited recipients could be permissible, such as in circumstances where a comparison website recommends a third-party service and then transfers CDR data to facilitate the consumer being signed up to that service.
The ACCC said a fee could be charged for the data transfer, though interpretations of this varied. Some CDR participants took it to mean that the first recipient could charge the second a fee for the data transfer; others saw it as the chance to charge a consumer directly for the convenience.
The commission also said there would need to be consents from the consumer in place for all parties in a chain to transfer and receive the CDR data.
But banks reacted with alarm, saying that consumers could find it hard to unpick or stop such data sharing arrangements.
In addition, because the original data holder sits outside the transfer process, it loses sight of how the data is treated, which – the banks argue – could be problematic in the event of a data breach.
“In order to prove informed consent, consumers would need to understand the transfer of their data between accredited data recipients (ADRs),” NAB said in a submission published late last week. [pdf]
“From a user experience perspective, consumers would require an explanation of the arrangement within a consent flow in order to provide this consent.
“Further, there are challenges in the event the consumer withdraws consent or where there is a data breach.
“As the DH [data holder] is no longer party to the sharing of data, in the event of a data breach by an ADR, the DH will be unable to trace whether that consumer’s data has been compromised.
“In order to manage data breaches, OAIC [the Office of the Australian Information Commissioner] and ACCC would need to perform analysis to enable DHs to trace compromised identities so that appropriate controls can be put in place to protect consumers.”
The Commonwealth Bank was similarly concerned at the “transfer of CDR data in a manner that has not previously been considered.”
CBA said that the rule change, if allowed, meant consumers could no longer “manage their consents from the data holder’s dashboard”, since the holder – CBA – would no longer have visibility over where the data is being sent.
“Under the proposed draft rules, a consumer would need to log in to multiple accredited persons’ dashboards to stop [a data] sharing [arrangement],” CBA said. [pdf]
“Of particular concern is the lack of any requirements for the accredited data recipient to ensure the consumer is informed about, or able to choose whether they consent to, the selling of their CDR data.”
CBA also said that if data transfers are to proceed in such a manner, “technical standards” should apply to the transfers.
As envisaged by the ACCC, how the CDR data is transferred between parties would be left up to “commercial arrangements”.
CBA argued this was inadequate.
“It is vital that all links in the chain of custody for CDR data have the same levels of protection,” CBA said.
“Without end-to-end security standards being mandated, the security and privacy of the CDR data cannot be guaranteed”.
Overall, CBA said it did not support the idea of third parties being able to share CDR data with each other, “due to the risk of consumer harm and diminution of existing privacy and security protections”.
An amended privacy impact assessment (PIA) incorporating the ACCC’s draft rule changes [pdf] recommended more work be undertaken on the data transfer proposal – and indeed on many of the draft rules.
The banks said that the amended rules could make the CDR even more complex to implement and confusing to navigate for consumers, which may not be desirable given the scheme’s infancy.