Open Banking Report Recognises Consumer Data Security and Privacy Issues But the Solution is Yet to Be Settled
Australia came a step closer to Open Banking today with the Treasurer releasing the Report of the Review into Open Banking, chaired by Scott Farrell, a highly-regarded banking lawyer.
The Report makes a number of recommendations about how to make Open Banking work in practice and achieve its promises of empowering consumers to choose – and switch – between banking offers. It also gives some recognition to the fact that these promises could be substantially undermined unless consumer data privacy and security are adequately protected.
Here we provide a brief first-look at the Report and some key issues for consumers.
Key recommendations from the Review Report released today include the following:
- Open Banking should not be the only way that banking data may be shared. Instead different approaches should be allowed to compete, testing the design quality of Open Banking (Recommendation 1.1);
- Open Banking should be limited to certain kinds of accounts, including home loans, savings accounts, personal loans and credit cards, and only to data held in digital form (Recommendations 3.1, 3.2);
- The Australian Competition and Consumer Commission should be the regulator with primary responsibility for Open Banking competition and consumer issues and standard-setting, with the Office of the Australian Information Commissioner taking primary responsibility for privacy protection (Recommendation 2.2);
- All data recipients under Open Banking should be subject to the Privacy Act – that is, the exemption for small businesses under the Privacy Act should not apply (Recommendation 4.1);
- Data recipients should be subject to additional privacy obligations, for example, requiring express, informed, unbundled consent (Recommendation 4.5);
- Data recipients should comply with security standards, which will need to be set by the Data Standards Body following consultations (Recommendation 4.8).
Open Banking Promises and Privacy Problems
The open banking concept was recommended by the Productivity Commission (PC) in its March 2017 Report on Data Availability and Use. The PC advocated increased release, sharing and linking of data, including personal data, across a number of sectors, arguing that this would make Australian government more efficient and Australian businesses more innovative and internationally competitive. The PC also noted that governments would need to “generate community acceptance”, or “social licence”, for such a change. To secure that “licence” it recommended the Australian government promise consumers increased control over their own data in the form of a consumer data right.
Essentially, data would be shared more widely but consumers could also have a right to access their own data more easily and require it to be transferred between service providers. The PC argued that this would empower consumers to choose between providers, leading to consumer benefits from increased innovation and competition. However, the plausibility of these claims depends critically on how consumer data privacy is protected in the process.
Promises of consumer control and empowerment will not be fulfilled if, in the process of transferring their data between banks and other providers, consumers are required to agree to their personal data being shared and aggregated for much broader purposes. Providers could attempt to impose these requirements through standard form contracts and privacy policies.
Consumers might then get a small window on some of their own information while corporations would be allowed to construct a “god view” of individual consumers, including their vulnerabilities, pressing needs and weaknesses in bargaining, which can be used to unfairly discriminate, exploit and exclude.
Australia does not have strong privacy regulation in the context of modern data practices. Australia would not, for example, qualify for an “adequacy” assessment under the existing European Union Data Protection Directive 95/46/EC, or under the EU General Data Protection Regulation which will come into effect in May this year.
The PC expressed some views about privacy issues in its Report on Data Availability and Use. It commented that consumers could choose whether or not to use certain classes of services at all, for example, social media, “without adversely affecting their quality of life” and thus these service providers have “stronger incentives to respond to customer data needs and interests”. It also expressed the view that there is a “privacy paradox” in Australia. Australians, it is said, express concern about their privacy but numerous Australians continue to use services which share their data in various ways.
However, a December 2017 Digital Rights in Australia Report by Sydney University researchers revealed that only 38% of Australians feel in control of their privacy online and that 78% want to know how social media companies are actually using their data. The same report found that 57% of Australians were concerned about corporations violating their privacy and 47% worry about government violating their privacy. This lack of trust is also a problem for the efficiency claims of open data: efficient outcomes cannot be built on “dirty data” if consumers provide incomplete or inaccurate information because they do not trust the recipient.
Open Banking Review Responses to Privacy Problems
The Report of the Review into Open Banking gives some recognition to potential data security and privacy issues under Open Banking.
For instance, the Report states that:
If Open Banking achieves its objective of making it easier for customers to share their data, it will be held by more entities than is currently the case. More points of storage will increase the number of potential stages at which data can be compromised — by being hacked or subject to unauthorised access or disclosure. Similarly, transferring data more often increases the possibility of that data being intercepted or inadvertently sent to an unauthorised party, or the wrong data being sent to an authorised party.
Ensuring that consent is genuinely informed is becoming increasingly difficult in the ‘big data’ and digital age. Many customers are unlikely to be fully aware of how much data is being collected about them and used, as it is common practice for customers to simply accept terms and conditions of service (by clicking on ‘I agree’ on a screen), without fully understanding what they are agreeing to, or having any real choice but to agree if they want the service.
The Report recommends that a customer’s consent under Open Banking “must be explicit, fully informed and able to be permitted or constrained according to the customer’s instructions”. That is, customers should be able to choose from a list of possible uses of their data, giving them the opportunity to choose which they agree to and which they do not.
The Report also proposes that the government engage in further consultation to set standards for open banking data security protections.
The extent to which Australian consumers are empowered under Open Banking will depend on the content of these standards and, just as importantly, the consequences of not complying with privacy and security obligations. If the consequences of non-compliance are sufficiently affordable for a corporation, they can simply be priced into the business model while the standards are flouted.
We will provide further analysis of the recommendations made under the Report following a detailed review in the coming weeks.
Further Background and Broader “Consumer Data Right” Regime
The Government announced that it would introduce an open banking regime in Australia in the 2017-18 Budget, with the Treasurer commenting then that this would “empower consumers to seek out banking products better suited to their needs and create further opportunities for innovative business models”. In July 2017, the Treasurer published Terms of Reference for an independent Open Banking Review to recommend the best approach to implement this regime. The Review received 40 public submissions and consulted with numerous stakeholder groups.
The open banking regime will ultimately be part of the broader “consumer data right” regime announced by the government in November 2017, which will allow broader sharing of data from numerous other sources, including energy companies.
The open banking regime will be implemented first, essentially as the pilot for the broader scheme.
Dr Katharine Kemp
Lecturer, Faculty of Law, UNSW Sydney