Federal Treasury has sought feedback from industry on a proposal to ban screen scraping as Consumer Data Right (CDR) APIs are established as the preferred consumer data-sharing mechanism.
The consultation comes off the back of a 2022 Statutory Review of the CDR scheme, which recommended that screen scraping “be banned in the near future in sectors where the CDR is a viable alternative”.
As part of the latest consultation, Treasury will also seek views on “the nature of the screen scraping market, risks to consumers, the broader regulatory context and the comparability of data accessed through screen scraping with the [CDR]”.
Screen scraping, also referred to as ‘digital data capture’, involves the collection of screen-displayed data, at a point in time, for use by third-party organisations. This includes the collection of personal data from public-facing webpages.
Screen scraping technology can be used for both ‘read’ access – that is, giving third parties access to see and collect a user’s data – and ‘write’ access – which allows a third party to take actions with this collected data on the consumer’s behalf once login details (effectively, the consumer’s consent) are provided.
The current consultation focuses on screen scraping practices that involve consumers sharing their login details, such as their internet banking logins (recognised as the most common use of screen scraping), with third parties. With this data, a third party can provide a value-added product or service, such as loans or financial management products, or facilitate creditworthiness checks or identity verification.
Treasury noted in its Discussion Paper that the use of screen scraping “is particularly prevalent in financial services and may be used by some banks, lenders, mortgage brokers, financial advisers, accounting services and more”.
Treasury identified the practice of consumers sharing their login details as “inconsistent with cybersecurity advice”, adding that it “may pose consumer protection risks… due to how the data is collected and handled”.
With access to a consumer’s login details, a third party could access a broad range of a consumer’s data and, perhaps more concerningly, potentially have ongoing access to the consumer’s accounts in the future.
Treasury noted that the practice also runs counter to the security protocols of many Australian banks, which generally stipulate in their terms and conditions that customers must not share their login details.
The CDR scheme, first introduced in July 2020, is seen to have largely superseded many of the functions of screen scraping, with the scheme avoiding the need for consumers to share their login details with a third party.
The scheme, which uses APIs to securely transfer data between systems from different entities, also offers “protections around what data is collected and how this data can be used and disclosed”, Treasury said.
With its strict consent and opt-in rules, the CDR can also offer consumers better protections that cover what data is collected and how it can be used and disclosed.
CDR legislation, for instance, includes 13 legally binding privacy safeguards that set out privacy obligations for users of the scheme, and cover the collection, use, disclosure, quality and correction of CDR data.
According to the Government, CDR-based data sharing now covers nearly 100 per cent of the banking sector as measured by the share of household deposits.
Submissions for the consultation close on 25 October 2023.