Data, the European Union General Data Protection Regulation (GDPR) and Australia's New Consumer Right
Peter Harris delivered a speech to the International Institute of Communications (IIC) Telecommunication and Media Forum (TMF) on 4 July 2018 in Sydney.
Read the speech
The Productivity Commission produced our final report on Availability and Use of Data in March last year.
In the course of multiple inquiries by our organisation over the past decade, two things in the data world made it a clear priority for root and branch review.
The first was the stark shift that has occurred between governments as data collectors — an area they have dominated for a century or more — and the private sector, which has with great rapidity in the early years of this century challenged if not replaced government as the key repository of information about us.
This hasn’t in Australia simply been caused by great digital strides in both commercial and social use of data well known to everyone. It has been magnified by low levels of new public investment in tools and skills necessary for data analysis and linkage; plus fear in the public sector about whether we even have permission — social licence — to improve the extraction and linkage of data sets for public interest research and analysis.
Little wonder then that we get so much policy determined today by who has the loudest voice rather than best evidence.
A minor but spectacular example of data suppression is the insistence by our national government that any linked data sets created for the purposes of public-funded research should be destroyed at the end of the project. This in my view is akin to burning books.
Second, it was equally observable to us as a national inquiry body that our State governments — not usually leaders in risk-taking — were moving with data reforms within their own spheres more rapidly than the national government.
Techniques of data analysis now common in the private sector were being considered and applied in NSW and South Australia.
Western Australia too has long been a leader in population health data.
This is all to the good, except for one thing: there has been no effective national approach to the big shift that is going on around us.
For a country where the principal enablers of, and incentives for, economic growth and societal welfare — education, health, taxation, research — are split amongst nine different governments, to further entrench a data access divide makes no sense at all.
It can be hard work to draw attention to these matters.
Such a worthy but apparently dull area as data use has much less instant media appeal than those things that the general public could readily associate with Productivity Commission inquiries: finally exiting subsidised motor vehicle production, lowering international trade barriers or exposing the billions of dollars sacrificed in under-performing mandatory superannuation funds.
But the Data inquiry data has belied its apparently dull moniker.
It rates still today, a year on, as one of most highly accessed pieces of work with the general public.
And its impact in Ministerial circles has been no less notable.
Indeed, if immediate implementation and breadth of response are success measures, 2017’s Data report is just about the clearest success of my 5 years in this job.
Inside 12 months, the Government has committed to support the two most structurally significant of the recommendations — the passage of national legislation to remove barriers to data sharing and integration across major public interest data sets, and create trusted user access; and the complementary legislated concept of a new general Right for Consumers to exercise joint control in the sharing and use of their data.
And that effort extends to new funding for both these work-streams.
The full detail won’t be known until legislation emerges in draft form later this year.
But the concept is taking shape and a serious process is under way to make it a reality.
Of the two, the new Consumer Right is of greatest interest to this meeting, although from our perspective the two definitely belong together: that is, if people have a new, clear form of joint control with data collecting firms and agencies over data sharing, they are likely to have more trust in governments integrating and sharing their data.
And trust is vital in this area.
We spent a substantial part of the Report on the question of trust. It’s an unusual thing for a Productivity Commission report, to be sure, but one which was strongly indicated in our Inquiry as deeply relevant.
And which in turn suggests that, if not addressed, could see an asset like this jeopardised — to all our cost — in the future.
Survey work suggests around 50% of people in Australia think they are better protected as they hand over their data by providing collectors with some false identifiers.
There are at least two problems with this: first, it’s generally ineffective as a strategy in a world filled with Artificial Intelligence; and secondly, if it ever becomes a serious rather than an ad hoc response to loss of trust, it will affect the quality of our future data resources.
It’s one thing if Facebook doesn’t know your real age (hint: they really do), but quite another if your hospital doesn’t know it.
The Consumer Right
What will Australians get, at least in principle, from this new Right?
They will get standards on the safe exchange of data, tailored by industry sector.
There’s a strong economic case for this. One of the most persistent features of economic development around the world is the presence of reliable market rules. A crucial rule is that related to property rights, which make many assets tradable. With these rights, markets function to become self-sustaining mechanisms for effective and efficient resource allocation.
Despite wide recognition of its burgeoning significance, the market for data via digital sharing has until this point had almost no rules related to the public interest.
Where poor practice has arisen, the cost has been borne by individuals and corporate reputations, and even that hasn’t slowed the torrent of data-sharing.
Our 2017 Report took this basic thinking — of data as a traded asset — and applied it to the basic question government had asked of us: how can we improve access and use of data?
From announcements by the Australian Government to date, there are some elements of our Report that are confirmed as applying to legislation for the new consumer data Right; and some that are as yet unclear.
I will try to cover key aspects of each, and with the latter I will try to relate the potential influence of the General Data Protection Regulation (GDPR), which is today’s topic.
First, Australian consumers will get the ability to direct a current collector of their digital data to package that data safely and send it to another accredited data collector, being a collector which a consumer believes will offer a better or complementary service or price for that consumer’s custom.
Collectors will not be required to go back and turn analogue data into digital data. But wherever data on a consumer is held in a digitally-accessible form and meets the other requirements that link it to that consumer, it is and will forever remain that consumer’s data, and accessible as such.
This creates a Right for you to trade in your own data.
It puts Australia in the forefront of countries attempting to claw back some community and individual control over their data, by treating the asset as just that — a valuable object which can be shaped and used over and over again with no loss of utility, to generate benefits in the near future not just for the collectors of it, but also — if they choose — for those who are its source.
Viewing data as an asset should not conflict with privacy standards. Indeed, if the model of joint control of the asset is given full consideration, it may provide a better foundation for setting standards that protect consumers than will privacy rules as currently practiced.
Privacy is for us just one facet of the diamond called data. Polishing only that one facet will not reveal the true value of this, the 21st century’s great new renewable resource.
It was suggested to us that it expects too much of risk-averse politicians to switch focus from fear of data to opportunity.
But to date it has not proved to be very difficult. One sound reason is that something practically equivalent to a trading regime in rights to data assets has already emerged all around us, but created between firms and with their interest primarily in mind.
At the Productivity Commission, we don’t find this trading to be a matter that must be discouraged.
But it isn’t balanced, as quality market rules should be, between buyer and seller. Governments in their essential role as guardians of our interests in such transactions have been left behind.
And in a competitive sense as consumers it may be costing us dearly.
In a country like ours with a retail service structure that in most industries features a bare handful or fewer firms – oligopolies, in the parlance – finding ways for consumers to improve the price and quality choices offered to them is a serious public policy need.
The dominance of incumbency is otherwise likely to be enhanced, if anything, by inaction on consumer data Rights. Future services are sure to be data-laden, and services are 70-80% of developed economies.
And this could even be compounded by one of the newly emphasised aspects of privacy law: the obligation to delete data when the collector no longer feels a need for it could prove to be a serious future barrier to digital-based competition.
Effective control of your digital data also offers opportunities for you to receive better services in non-market situations too.
Your health record is not your property in Australia. Legally, it is your doctor’s record, not yours. We proposed that this too be altered, to form a joint record. Then changing doctors or transferring your e-health record to hospital with you (and seeing it come back, up-dated) could be driven by active consumers.
Investment in systems to enable this is very common, and yet in Australia, about 20% of GPs say they receive data back from hospitals after a patient emergency admission, even though we have long had a national e-health patient record system.
The rates in comparable developed countries are 50% or better. Active consumer interest might alter this paradigm.
There is other evidence of poor data use in health, with limited roles for consumers. The US, UK and Canada all publish Patient-Reported Outcomes (PROMs and PREMs) data online. These are of significant value in addressing bad outcomes, and for research purposes.
We don’t do this, in any accessible fashion. The US has over 4000 hospitals rated for patient experience and outcome for more than 100 comparison points in most cases. Again, we don’t.
Control of this data, to the extent it is collected at all, primarily remains with the health professional.
An effective catalyst is likely to be created via making records lawfully a joint right with the patient.
Second, we proposed and the government appears to have agreed that a wide range of forms of digital data may be covered by the new Right, wider than is commonly the case with privacy and its focus on personal information.
This is important because data is now collected or held in ways that allow convenient re-identification with you as a consumer but which may not amount to personal information. And ownership of data has in some cases unreasonably been transferred to parties who are not interested in competitive outcomes.
Electronic metering for example is paid for by consumers in this country, but the data is not theirs. This should change.
Currently, if you want a better deal on your electricity bill, you are required to download complex data from one website and upload it to another. More often than not, that receiving website is not objective in its review of your data, even if you upload it accurately, which you may well not. In a digital world, there is no reason for this clunky download/upload step, other than to discourage consumers acting in their own best interests.
Coverage of a wide range of data collecting industries and extension of the Right to the public sector is important for another reason: much of data collection occurs in circumstances where consumers currently pay little attention to the activity, perceiving no real value at all.
But as data use gets better and better, as it will with Artificial Intelligence, such collections may well matter.
Years down the track, when some of it proves to be of value, you should be able to access it.
And wide coverage means that tomorrow’s nascent collectors should know from the outset that this data will be subject to joint control.
Third, consumers are a much larger group in our new Right than persons, who are the focus of privacy.
We had recommended that consumers include all small businesses as well as individuals, for the purpose of the new data Right. Much of small business, as we defined it, is composed of one or two individuals who are trading under an ABN but are otherwise no different to a household.
The Government has however gone one better and proposes to offer the new Right to all business customers as well as individual customers. So coverage here too will also be much wider than under privacy law, either in Australia or the EU.
There are strengths and weaknesses to this breadth of coverage, which may become evident in Open Banking, which is the first sector where the fully detailed Right will start to apply, from mid-2019.
Fourth, a collector of data will be required to hold your data in a form that makes the exchange of it digitally practicable.
Regulation that locks in a poor choice or no choice at all regarding the form in which data is held can make transfer untenable.
Here lies a significant difference with the GDPR, presumably due to its limited interest in this asset-driven focus of ours.
It is possible, as I read it, for data trading to occur under the GDPR, but collectors do not appear to be under a serious obligation to facilitate that.
Whereas in our Right, determining that form and how the transfer can best be facilitated safely are major matters of public policy interest, including in creating opportunity for innovation and supporting new forms of competition.
Fifth, reciprocity of data exchange and ability to meet the required standard of safe transfer will be a requirement of accreditation as a third party recipient of a consumer’s traded data. Industry-based working groups, familiar in other standards-setting areas, would be the primary tool.
Thus a strong incentive towards establishing an ecosystem of trusted investors in the handling and retention of consumers’ data will be created.
This is a good example of what a thoughtful focus on joint property rights generates. Just as with other markets, so in the case of the consumer data exchanges, the standards to be met will not only facilitate trading but provide some basic form of order in what has been a very disorderly — if innovative — system.
And such a foundation is better capable of keeping pace with the capabilities of technology and commercial practice.
Yet there is also the prospect that standards can shut out some competitors.
So accreditation rules will be vetted by the Australian competition regulator, the ACCC, to ensure they do not become a barrier to entry or otherwise used in anti-competitive fashion. The Government has acknowledged and resourced this.
While the Right will apply generally across the economy, it will be triggered by declaration — sector by sector.
Energy and telecommunications are the next two sectors to be covered, after banking.
The selection of sectors to which it will apply (and the definition of a sector) is primarily in the hands of the ACCC, with a final approval by the Treasurer.
I will turn now to a few comments on whether the GDPR will alter approaches to data in Australia.
We are not experts in the GDPR, so these are just thought-provokers for discussion today.
First, it is worth observing that Europe has long had digital data protections (from 1995) which other countries have not copied.
But my guess is that history is probably not a good guide, when it comes to inputs. The nature of IT systems investment necessary to cope with the GDPR will mean that large Australian firms now adapting to it will not be keen to see any duplication.
And it also seems quite plausible to have both a GDPR set of inputs to monitoring and consent and a Right to a tradeable asset for consumers to use in their own interests. The key thing will be to define well enough what is a consumer data holding; and to clarify primacy in areas where there may be cross-over.
One area I cited earlier, a renewed encouragement to delete data — not so much the ‘Right to be Forgotten’-style data deletions, but deletions with anti-competitive intent — will need to be addressed.
But otherwise I can see that as we come to implement our own new data Rights, there is a good chance that the EU concepts could be influential in issues where there are no ready guides.
There is no once-size-fits-all solution to what is consumer data, and the GDPR may expand people’s thinking. We are certainly looking to do that. We know that whatever prove to be the industry-negotiated standards of consumer data in banking will not match those in energy. Telecommunications will be different to, say, motor vehicle repair.
And for small businesses, an ABN may be the identifier.
And then there is the public sector, where descriptors relevant to consumer interest in their health data will be different again.
Due to these complications, we settled on a set of principles to guide industry-led negotiation, and to help the ACCC with its accreditation.
From my reading of the GDPR, the other area where an important cross-over may be found between our new Right and the GDPR is with consent.
In our case, we advocated consent when viewed from the point of view of a joint asset owner. That is, you need not only to know your data is being collected but you also need to know who is subsequently sharing in it.
In our view, this must apply regardless of whether you are a passive supplier of data or an active consumer using it, just as you would with any other property in which you had a shared right.
Yet we did not want consumers and firms burdened with email after email listing a new commercial relationship.
One of the clear lessons of the current Ts&Cs on websites is that consumers do the tick-a-box thing too readily, and are encouraged to do so by the sheer drudgery of worthy but ultimately self-defeating attempts to make them better informed. You’ll find evidence for this in our 2017 Report.
I say this is an interesting point of cross-over as the government’s announcements have not addressed this issue clearly. Which they eventually will.
There is a good case now, following the Facebook/Cambridge Analytica debacle, for a close look at our approach or something similar to it.
A list of parties who have had access to a firm’s consumer data holdings should be published on its website every twelve months, or perhaps even more often than that. It should be an offence for that list to be misleading or deceptive.
In the real digital world, we are all aware that trading is taking place, we just don’t know who is receiving our data. The better direction of change is to ensure that there is clear identification of this. Sunlight is a powerful disinfectant.
There are signs internationally that some consideration is now being given to this question of digital data-gathering being an impediment to competition.
The UK has been active for some time with open banking data transfer and may be considering more such options.
Academics at the University of Chicago Booth School last year proposed a legislated reallocation of property rights, via a mechanism they called the ‘social graph’. This would enable the instantaneous transfer of your data from one data collector to another, with the graph available to collectors you chose to accredit.
Their argument was that guaranteeing access to new customers’ data would reduce economic externalities of existing dominant digital platforms, and curb monopoly-like behaviour by competition rather than direct regulation.
The Federal Trade Commission made similar comments at the time Mark Zuckerberg appeared before Congress.
The thinking behind this is the same as ours: we see the future treatment of data as joint property as a healthier foundation for future policy development.
Past disruptive discoveries show this quite well. The motor vehicle was initially seen as a threat — people with torches had to walk in front of one, warning others.
Inherently, motor vehicles are still threats, they still kill people.
But a switch in regulatory mind-set from fear of the new to setting safety standards that simultaneously embrace the benefit whilst reducing the risk, is always a stronger regulatory foundation than fear alone.
Which means, in my view, that what is happening today in Australia to treat data as an asset in regulatory terms is a first step in a better foundation for managing both the threat and the benefit.