Back in 2017, The Economist published a headline that became a meme. It said data had become the new oil.
By that it meant that the world’s biggest and most profitable companies no longer worked with oil, as they had throughout the 20th century, but with data.
By 2022, three of the world’s five most profitable companies specialised in data – Apple, Microsoft and Alphabet. Only two of the five specialised in oil.
Oil did indeed shape our cities in the 20th century. It facilitated our post-war urban sprawl and connected our cities by air and sea.
But before that, our cities were shaped by plumbing, making it more accurate to say that data is the new water. Like water, controls over its flow will build the next economy.
In a paper accepted for publication in the Australian Business Law Review, we argue the new “consumer data right” will do for our data-driven economy of the future what plumbing has done for our cities.
Like water, data flows through pipes
We have a photo on our office wall of Manhattan in the late 1800s, showing multistorey buildings surrounded by horses and carts, and presumably manure. The smell in summer must have been quite something!
Yet over time, a much bigger more developed Manhattan became habitable, largely because of sanitation. Clean water was piped in and sewerage was piped out, safely and efficiently.
We see Australia’s little-known new Consumer Data Right in the same way, as a foundation on which the future will be built.
In the process of being rolled out across a number of industries, beginning with banking and energy, it gives consumers the unquestioned right to direct data businesses hold about them to other providers of their choice so these providers can offer a better value for money service. That means we can share our own data with accredited recipients, who can help us manage our affairs better or access better deals on products and services.
Just as water supply and sewerage disposal systems need to be regulated to be reliable and to protect our health, the flow of data needs to be regulated so its potential can be realised, and breaches and misuse contained.
Until recent decades there was little flow to regulate. Data was generally contained within organisations and kept offline. Few organisations analysed it at scale.
A landmark Productivity Commission report in 2017 made Australia a global leader in planning to regulate data. The resulting 2019 Consumer Data Right mimics plumbing in the way it facilitates flows and removes effluent.
What does the Consumer Data Right do?
As with plumbing, the regime establishes technical standards that specify the format of the data exchanged between organisations, and determine the design and configuration of the data transmission channels which act as pipes through which the data flows.
Concern for the quality and integrity of the transported data is built into the system’s architecture: data holders and accredited data recipients have to ensure the data they transfer is “accurate, up to date and complete”.
Nothing is allowed to flow without the consent of the consumer whose data it is, which at multiple stages serves as a “valve” that can start or stop the flow.
Data holders have to ask consumers to authorise disclosures of their data and keep records and explanations of such authorisations.
Businesses accredited to receive consumer data can only receive it with the consumer’s consent. And consent cannot be “implied” or “open-ended”. Consumers have to understand what they are consenting to, explicitly say yes, and be able to revoke their consent to data disclosure, collection or use at any time.
Making data breaches less likely
Importantly, when an accredited data recipient no longer needs consumer data (and is not required to retain it for another reason) the recipient has to either destroy or de-identify it.
As well, consumers have the right to require deletion of their data. Until now, they have had no such right.
Accredited businesses are also required to destroy unsolicited data.
Had Optus been accredited under the consumer data right before exposing the data of as many as 10 million current and former customers last year, in what has been labelled “the worst data breach in Australia’s history”, it would most likely have been found to be in breach of its obligations by holding on to data it no longer needed.
Even better, the breach would have been less likely because of the requirements and the stringency of the accreditation process.
Running parallel to the consumer data right for firms that haven’t applied for accreditation are the old practices.
Old pipes are unsafe
All sorts of firms regularly share information about consumers with credit reporting agencies such as Equifax and Illion, regulated by laws including the Privacy Act.
Other data aggregators, such as Envestnet|Yodlee and Mint (which offers a popular personal finance management app), have long accessed consumer data through ‘screen-scraping’ – a technology that relies on consumers handing over their bank login details in return for a service.
The Treasury regards screen scraping as inconsistent with cyber security advice and is seeking advice about banning it as the consumer data right becomes available as an alternative.
The sooner these old practices are replaced with practices governed by the consumer data right, the stronger Australia’s data economy will become.
What we find strange about the changes taking part in Australia is that overseas they are regarded as pioneering. Here, they get little media attention.
It is time for Australian businesses to embrace what’s coming and start developing uses for the consumer data right that will appeal to customers.
Those that do will help determine how the pipelines of the future are used.
Ross Buckley, ARC Laureate Fellow, Scientia Professor of Law, UNSW Sydney and Natalia Jevglevskaja, Research Fellow on the ARC Laureate Project on the data revolution (www.fintechrevn.org), UNSW Sydney