Bills Digest No. 68, 2018–19

Treasury Laws Amendment (Consumer Data Right) Bill 2019

Treasury

Author

Mary Anne Neilsen


Introductory Info

Date introduced: 13 February 2019
House: House of Representatives
Portfolio: Treasury
Commencement: Schedule 1, Parts 1 and 2 commence the day after Royal Assent. Part 3 of Schedule 1 commences on either the day after Royal Assent or when section 3 of the Federal Circuit and Family Court of Australia Act 2019 commences, whichever is the later. However Part 3 is a contingent amendment and commences only if section 3 of the Federal Circuit and Family Court of Australia Act has commenced.

Purpose of the Bill

The purpose of the Treasury Laws Amendment (Consumer Data Right) Bill 2019 (the Bill) is to amend the Competition and Consumer Act 2010 (CC Act), the Privacy Act 1988, and the Australian Information Commissioner Act 2010 (AIC Act) to introduce a consumer data right and open banking.

Structure of the Bill

The Bill consists of one Schedule divided into three Parts.

Part 1 contains the main amendments. It inserts a new Part IVD into the CC Act establishing the framework for the consumer data right.

Part 2 contains consequential amendments to the AIC Act, the CC Act and the Privacy Act.

Part 3 contains a contingent amendment dependent on section 3 of the Federal Circuit and Family Court of Australia Act 2019 commencing.[1] It will make the necessary changes to references to the ‘Federal Circuit Court’ in provisions inserted by the Bill.

Background

The Consumer Data Right (CDR) has been described as providing consumers, both individuals and businesses, with a right to effectively and efficiently access specified data in relation to them held by businesses.[2] Consumers will also be able to direct this information be transferred to accredited trusted third parties of their choice.[3]

In the banking sector, the term often used to describe a consumer data right is Open Banking. It is called ‘Open’ Banking because it opens up ‘read access’[4] to data recipients in accordance with directions of a consumer. It also uses standards that are developed and maintained collaboratively and transparently and are openly licensed for anyone to access and use. Open Banking is not the same as Open Data. Open Data refers to data that is accessible to anyone, published under a licence that allows people to use, share and modify it for any purpose. In contrast, Open Banking only allows access to data when a consumer has authorised that access.[5]

While various reports dating back several years have promoted the concept of data portability rights,[6] the development of this legislation and the CDR model more broadly emerged from the Government’s response to both the Productivity Commission’s Inquiry into Data Availability and Use Report[7] and the Treasury’s Review into Open Banking in Australia.[8]

The Productivity Commission report includes a set of 41 recommendations, including a new legislative regime for the creation of an economy-wide Comprehensive Data Right.[9]

On 26 November 2017 the Government announced, as a partial response to the Productivity Commission report, the introduction of a CDR with application initially in the banking, energy and telecommunications sectors.[10] The Government confirmed its commitment to the CDR and announced the creation of a new National Data Commissioner as part of its full response to the Productivity Commission report on 1 May 2018.[11]

The Review into Open Banking in Australia (Open Banking Review) was commissioned by then Treasurer Scott Morrison in July 2017.[12] Led by Scott Farrell, the Review was asked to recommend the best approach to implementing Open Banking.[13]

The Review made recommendations in relation to the legal and regulatory arrangements for the economy-wide CDR; and more specifically how it should be applied to banking data.[14]

The Government accepted the recommendations of the Review on 9 May 2018 and committed to implement the CDR in line with these recommendations from July 2019.[15]

Since the Government’s acceptance of the Review recommendations in May 2018, the development of the CDR has proceeded with haste. The process of drafting and consultation on the Bill and the various instruments has been complex and unusual, with the legislation, the rules, data standards and privacy impact assessment being drafted in parallel.

On 15 August 2018 Treasury released its first exposure draft of the Treasury Laws Amendment (Consumer Data Right) Bill 2018.[16] After a three week consultation period with interested stakeholders, a second exposure draft of the Bill along with the draft designation instrument for open banking was released.[17] Further consultations occurred from 24 September 2018 until 12 October 2018.[18]

The ACCC, in parallel, developed and consulted on the Consumer Data Right Rules Framework in September and October 2018.[19] This was followed by the release of the Rules Outline in December 2018 which set out the ACCC’s position on the CDR Rules. These are expected to be published for consultation in the first quarter of 2019.[20]

Meanwhile the interim Data Standards Chair working within CSIRO’s Data61, has been developing data standards with draft documents being released for comment in November and December 2018.[21]

A draft of the Privacy Impact Assessment was presented to consumer advocates in November 2018 and Treasury then released a first version of the Privacy Impact Assessment for the CDR on 21 December 2018. In response to criticism from stakeholders, particularly that the risks were being underestimated, a further version was released in mid-February 2019 and again on 1 March 2019.[22]

Some stakeholders have questioned the speed of this consultation process noting that it has occurred in compressed timeframes, touching on multiple issues all at once. As one submitter to the Senate inquiry into the Bill observes, these numerous parallel processes have resulted in a very challenging environment for those involved to analyse, assess and provide advice on the varying instruments all of which interact with each other.[23]

Another submitter, AGL Energy (AGL), is concerned at the pace of developing this regime and the short cuts taken in the engagement and analysis stages. It argues this ‘will impact the final product and potentially result in negative impacts to consumers and competition’.[24]

The various CDR draft documents are available on the Treasury website. An analysis of the instruments and rules to be made under the Bill is beyond the scope of this Bills Digest.

Short outline of the Bill and the CDR framework

This outline is included to assist the reader in understanding the stakeholder views as set out below. For a more detailed description and analysis of the Bill’s provisions see the Key issues and provisions section.

The Bill is essentially a principles based legal framework, meaning that it provides the broad architecture for drawing different sectors of the economy into a CDR regime. Much of the detail of how it will operate, its obligations and the regulatory burdens established are to be set by the Minister, the ACCC and other entities through a range of legislative instruments and rules.

The CDR will apply to different sectors of the economy that have been designated by the Minister via legislative instrument. The designation process requires a range of matters to be taken into account and requires consultation with the ACCC, the Australian Information Commissioner and ‘any person or body prescribed by the regulations’.[25]

‘CDR data’ is central to the CDR scheme. It is:

  • information that is within a class of information, specified in an instrument designating a sector, or
  • information that is not so covered but is subsequently directly or indirectly derived from that designated sector information.[26]

The CDR rules are to provide more detail.[27] The extent of derived data may vary across the various sectors.

The Bill outlines three key participants in the CDR system: data holders, CDR consumers and accredited data recipients:

  • data holders are original holders of the data that the right of transfer applies to.[28] For example in the banking sector these would be the banks and credit unions
  • CDR consumers for CDR data can be either individuals or businesses (both large and small)[29] who hold the ‘rights’ to access the data held by a data holder and to direct that this data be shared with an accredited person[30]
  • an accredited data recipient for CDR data is a person or entity that has been accredited, and who has received CDR data as a result of a disclosure made in accordance with the consumer data rules.[31] The ACCC is to be the Data Recipient Accreditor, which will require the regulator to undertake a process to establish third parties’ suitability to become an accredited data recipient.[32]

Data may also become subject to the CDR through a reciprocity mechanism, meaning those who wish to become accredited and receive designated data at a consumer’s request must be willing to share equivalent data, in response to a consumer’s request. The detail and extent of reciprocity will be dealt with under the CDR rules.[33]

Privacy and security of CDR data will be governed by 13 new Privacy Safeguards which will operate in parallel with the Australian Privacy Principles in the Privacy Act. The OAIC will advise on and enforce privacy protections, and provide complaint handling for breaches of the Privacy Safeguards.

The ACCC will be the primary regulator of the CDR. In addition to advising what sectors should be added to the scheme and writing CDR rules, the ACCC will be responsible for accrediting new participants, overseeing a new data standards body, and enforcing serious and systemic breaches of consumers' rights. The CDR enforcement and remedy regime is to be consistent with the regime operating under the CC Act.

Data standards will explain the format and process by which data needs to be provided to consumers and accredited data recipients within the CDR system. Data standards will be made by the Data Standards Chair who is to be appointed on a part-time basis by the Minister by written instrument.[34]

Benefits of the CDR

The Treasurer Josh Frydenberg, in his second reading speech on the Bill, described the consumer data right as a ‘game changer for consumers and small businesses’ that will enable them to ‘better harness their data for their own benefit’.[35] The speech continues on the benefits stating:

The consumer data right is a fundamental structural reform that will drive competition and improve the flow of information around the Australian economy.

And the right will incentivise Australian entrepreneurs to develop new products and applications that reach more consumers and are better tailored to their needs.

For consumers, improved access to data will support better price comparison services, taking into account their unique circumstances, and promote more convenient switching between products and providers. It will also leverage new technology such as artificial intelligence and allow consumers to make more informed decisions on where they spend their money.

For small and medium businesses, it will allow for more effective budgeting tools that can deal with data in real time and help them manage their cash flow and working capital more effectively than they can do today.

Improved access to data will also enable the development of new, better and more convenient products and services, many customised to individual needs.[36]

Proposed timeframe of implementation

In a press release on 21 December 2018, Treasurer Josh Frydenberg provided details of the timeframe for the phased implementation of the CDR.[37] The timeframe currently proposed is as follows.

  • From 1 July 2019, the big four banks will be required to publicly share product data about credit and debit cards, deposit accounts and transaction accounts.
  • Also from 1 July 2019, the ACCC and Data61 will launch a pilot program with the big four banks to test the performance, reliability and security of the Open Banking system. Consumers and FinTechs will be invited to participate in these pilots and the ACCC and Data61 will also work closely with other banks who have expressed an interest in participating in Open Banking earlier than originally envisaged.
  • On 1 February 2020, product and consumer data for mortgage accounts will be made available.
  • Once the ACCC is comfortable with the robustness of the system, banks will publicly share consumer data about credit and debit cards, deposit accounts and transaction accounts, which will be no later than 1 February 2020.
  • In addition, from 1 July 2019, the ACCC will begin formally engaging with parties interested in accreditation.[38]

In evidence to the Senate Committee inquiry into the Bill, a Treasury official said the delayed commencement of the consumer data aspect to February 2020 is in response to feedback from stakeholders about the need to allow more time for consumer-level testing.[39] Treasury also indicated that the passage of the Bill in the final week of the current Parliament is an important and critical part of meeting this timeline.[40]

Committee consideration

Senate Economics Legislation Committee

The Bill has been referred to the Economics Legislation Committee for inquiry and report by 21 March 2019 (the Senate Committee inquiry). Details of the inquiry are at the inquiry homepage.[41] Some of the evidence presented to the inquiry is included in the Position of major interest groups and Key issues and provisions sections of this Digest.

It is of note that the Bill was expected to be introduced into Parliament in December 2018 but due to other business was delayed until February 2019.[42] The delayed introduction also meant a reduced time for Committee consideration. The Bill will need to have been considered by the Parliament in April, otherwise it will lapse on prorogation of the Parliament.

Committee Report

The Committee recommended that the Bill be passed. While noting a number of the concerns raised during the inquiry, the Committee is comfortable that these issues have the capacity to be dealt with. It states that at the very least the CDR ‘will improve on current arrangements and it has the potential to protect and empower consumers and drive competition and innovation’.[43]

Additional comments by Labor Senators

Labor Senators Chris Ketter and Jenny McAllister did not dissent from the Committee report and are supportive of the broad policy intent of the CDR. However, the Senators included in the report an additional 17 page analysis detailing some of the concerns of stakeholders that in their view need further consideration. The Senators’ comments begin:

Labor Senators want to make sure that we get the details right in this legislation. Given this legislation is framework legislation, enacting policies that will eventually cover the entire economy, it is important that the bill is thoroughly reviewed.

What is clear is that this bill has undergone a truncated development process. Labor Senators believe all those involved in working on the legislation, rules and standards have given their best efforts, but are working to deadlines set by government. Labor Senators believe it is politics, not policy that are driving these compressed timeframes, a government desperate to get a headline, but have failed to deliver the substance behind the headline.[44]

The Senators set out the key concerns and state that they ‘will continue to work with stakeholders to find ways to improve the legislation and give those involved with the consumer data right project sufficient time to get the details right’.[45] The list of concerns is:

  • The rushed policy development process;
  • The nature of the policy work occurring in parallel;
  • The lack of consumer testing, and the results of the testing that has occurred;
  • Possible impacts on vulnerable cohorts of people;
  • The consultation processes in the banking, energy and telecommunications industries;
  • The Privacy Impact Assessment process;
  • Consumer privacy protections;
  • The lack of funding and details on a consumer education campaign;
  • Intellectual property concerns; and
  • The application of reciprocity.[46]

Senate Standing Committee for the Scrutiny of Bills

The Senate Standing Committee for the Scrutiny of Bills had not reported on the Bill at the date of publication of this Digest.

Policy position of non-government parties/independents

Labor supports the CDR but opposes what it perceives as the Government’s rushed implementation process. This position is articulated by Labor Senators in the Senate Committee report (above).

At the time of writing, the views of other non-government parties and independents are not known.

Position of major interest groups

The Senate Committee inquiry into the Bill received 31 submissions from a range of stakeholders including consumer and privacy advocates, representatives of the banking industry, the digital industry, fintech companies and professional legal bodies.

While most submitters supported the concept of a CDR there were differing views about the implementation process with some criticising the compressed time frames for consultation. Others expressed disappointment about the incremental approach and the delayed start. Concerns were also expressed about the extent of ministerial delegation and the lack of detail in the Bill. Numerous submitters criticised the proposed privacy framework for being unnecessarily complex, lacking in clarity and providing inadequate levels of privacy protection.

A selection of stakeholder views is summarised below. Further analysis is included in the Key Issues and Provisions section of this Digest.

Law Council of Australia

The Law Council of Australia prefaces its submission noting that due to the short time frame for the Senate committee inquiry, it has been unable to comprehensively examine the Bill. The submission highlights three key concerns with the Bill to date:

  • the complexity involved in implementing ‘reciprocity’ as an initial requirement to be universally imposed on accredited data recipients
  • the broad Ministerial discretion in making designation instruments and
  • the lack of clarity and the unnecessary complexity in how the privacy safeguards division of the Bill will interact with the provisions of the Privacy Act.[47]

Australian Banking Association

The Australian Banking Association (ABA) supports a comprehensive right for consumers to access data across the economy. It also suggests three areas where the Bill could be improved:

  • the principle of reciprocity should be more comprehensively embraced in the Bill to ensure consumers are able to fully participate in a vibrant data sharing regime
  • the Privacy Safeguards should be aligned with the Australian Privacy Principles where possible, particularly in relation to Privacy Safeguard 4 (the treatment and destruction of unsolicited data)
  • provisions around the creation and regulation of chargeable fees for derived and value-added data be revised to require an economic study prior to designating derived datasets.[48]

The ABA also made a submission on the Treasury’s Privacy Impact Assessment (PIA) that was released in December 2018. The ABA had concerns with the Assessment and in particular challenged some of the PIA’s assessed risks of ‘unlikely’. In ABA’s view, by assessing various risks as unlikely Treasury is downplaying the dangers. For example the ABA argues that the risks associated with third party misuse of data and malicious attacks by hackers and other cyber criminals are higher than the ‘unlikely’ given by the PIA.[49]

Financial Rights Legal Centre

Financial Rights Legal Centre[50] has fundamental concerns with the Bill, with its submission arguing that the CDR as proposed will result in increased complexity and choice for consumers resulting in increased inequality and financial exclusion.[51]

Amongst its many criticisms of the Bill, the Financial Rights Legal Centre states:

  • the Bill is misleading in being presented as an all-encompassing comprehensive consumer data right when in fact it is only a ‘consumer data portability right’
  • the portability rights created by the CDR will only apply to designated sectors as approved by the Minister and given the timelines proposed, the application of strengthened privacy standards will take decades to spread to all aspects of the economy. It argues that this compares poorly with the approach being taken by the EU with the new General Data Protection Regulation[52] and
  • the CDR establishes multiple privacy standards, confusing consumers and placing them at risk.[53]

The submission states:

The introduction of the CDR is an explicit acknowledgement that the current APPs are out of date, no longer fit for purpose, and are generally weaker than what is required for a modern data-based economy, ie the APPs are not good enough to provide the privacy protections that consumers require.

Implementing the CDR alongside the APPs therefore implements multiple privacy standards. This will be confusing for consumers and industry alike. It also leaves consumers vulnerable to lower protections in different situations given the inevitability [of] non-accredited parties accessing consumers’ CDR data.[54]

Australian Privacy Foundation

The Australian Privacy Foundation (APF) in principle supports the CDR but has fundamental concerns about the level of privacy protection provided in the Bill, arguing ‘it leaves people exposed to harm’.[55] Amongst other things, APF’s criticisms of the Bill focus on the following points:

  • the Government’s rushed process for implementing the CDR
  • the lack of proper privacy protections in Australia compared to Europe and the United Kingdom[56]
  • the under-resourced Office of the Australian Information Commissioner (OAIC) as an effective privacy regulator
  • the lack of attention to the detail of the CDR rules. APF argues that the Rules will have the most critical detail of how the scheme will protect people from harm and therefore Members of Parliament need to consider both the Rules and the CDR Bill together to ensure they work as intended as a package and
  • the Privacy Impact Assessment conducted by the Government has been inadequate and the risks severely underestimated. The APF argues this could be rectified by ‘ensuring that an external rigorous and independent Privacy Impact Assessment is performed with the implementation of the recommendations from this assessment’.[57]

APF also argues that robust consumer testing must be completed before implementing the CDR for any sector.[58]

ID exchange

ID exchange’s criticisms of the Bill are numerous.[59] It notes that the incremental method of designation means that the benefits of the CDR will be delayed and argues that its preferred approach is for the sectoral limitations on the CDR to be removed so that it applies to all of the private sector from the beginning.[60]

ID exchange argues that as framework legislation the CDR Bill ‘leaves too many decisions that will have the effect of legislation to be made by too many entities’. These include the Minister, the ACCC, the OAIC, the Data Recipient Accreditor, the Accreditation Registrar and the Data Standards Body. The submission states:

All of these entities or bodies have substantial law and rulemaking powers. This division of functions and responsibilities creates an opaque decision-making matrix. It is a complex, costly and burdensome implementation of a simple policy – enabling consumers to access their personal information in digital form and/or to direct that it be supplied to a third party.[61]

Business Council of Australia

The Business Council of Australia states that industry has participated constructively in the consultation process for the CDR and would like to see the scheme work. However the Business Council remains concerned about the preparedness of all stakeholders involved in implementation. It states:

This is because the objectives and structure of the scheme have evolved significantly—from a scheme about simple transactional data portability for consumers to one that covers performance information, derived data and includes businesses' transaction data as well as personal consumer data—with short consultation periods at each stage. In addition, multiple, complex, interlinked tranches of work have progressed concurrently while the framework was developed (the development of the CDR Bill, CDR Rules Framework and CDR Rules for the Energy Sector, for example, have all progressed on their own separate but concurrent tracks) and continues to develop through the parliamentary process. Given the difficulty other jurisdictions have had in implementing similar schemes, the Committee should consider carefully the timelines for implementation.[62]

A major concern raised by the Business Council relates to the Bill’s inclusion of derived data, which potentially captures proprietary value-added data. A related concern is the very wide delegation to the ACCC to make rules concerning the disclosure, collection, use, accuracy, storage, security and deletion of CDR data as well as a range of other matters.

In the Business Council’s view capturing value-added data in the CDR framework risks:

  • discouraging investment or innovation in such data
  • transferring proprietary data to competitors which could give insights into the strategic decisions of the provider and
  • raising contractual issues where derived data includes data (or is derived from data) obtained from a third party.[63]

Related to the issues of derived data, the Business Council also raises concerns about chargeable data observing:

... the delegation of broad power to the ACCC to set prices for the transfer of data is concerning and goes far beyond the power delegated to regulators in other jurisdictions, such as the [Competition and Markets Authority] in the United Kingdom’s Open Banking regime.[64]

The submission continues:

Central price setting in such a dynamic area of the economy risks undermining the incentives for companies to invest in new capabilities and services for consumers and would significantly disadvantage Australian companies competing against multinational Internet-based businesses – the opposite of what the CDR Bill seeks to achieve.[65]

The Business Council also calls for greater scrutiny to be applied to the CDR rules and designation instruments. Its submission argues:

Given the scope of the CDR Bill—applying to all sectors, all businesses, most data, and all consumers—it is reasonable that parliament should have ongoing oversight of the application of the legislation and that the minister and regulators should be required to meet objective standards before designating sectors and making CDR rules.[66]

CHOICE

The consumer advocate CHOICE, while broadly supportive of the Bill, has some concerns and offers comments and recommendations to ‘ensure that the implementation of the CDR improves consumer access to data while simultaneously protecting consumers from harm’.[67]

Amongst other things CHOICE recommends:

  • Treasury should commission a more comprehensive Privacy Impact Assessment, which will give consideration to the final Rules, Standards and insights from consumer testing.
  • Treasury should fund additional consumer research. This should be undertaken prior to the ACCC Rules being finalised. Attention should be given to examining processes around revoking consent, managing consent, and the re-authorisation process.
  • Treasury must provide clarity on the interaction between the standards, Rules and legislation with regard to comprehension, privacy, design of the payloads or data batches, accreditation and authorisation.[68]

FinTech Australia

FinTech Australia welcomes progress on the Bill and supports the Government’s current timeline of passing the Bill through the Senate in April.[69] In its view a delay with the Bill will drive Australia’s ‘fintech ecosystem into other markets and hinder the competitive advantage Australia has over other jurisdictions that are yet to develop an Open Banking regime’.[70]

FinTech Australia agrees that more work needs to be done on privacy and security measures and that there is still a risk of some confusion between the application, and interplay of, the two privacy regimes. However, FinTech Australia does not consider these privacy and security concerns a sufficient reason to delay the Bill.[71]

Telecommunications sector submissions

A number of submissions to the Senate inquiry came from stakeholders in the telecommunications industry who focused on different aspects of the Bill. For example, the Communications Alliance is concerned that the Bill was developed with a banking focus even though the legislation (and Rules Framework) will apply to all sectors of the economy:

If the process to develop an Open Banking regime (as the first sector to adopt the CDR) is already rushed and raises a large number of concerns with stakeholders, as evidenced in numerous submissions, it appears almost impossible to ensure that the legislation and associated rules are appropriately considered for other sectors of the economy which follow later in the process.

This bears the very real risk that those later sectors will be forced to operate within a legislative and regulatory framework that has a distinct ‘banking flavour’ but lacks sufficient consideration of the particularities of other industry verticals.[72]

The Australian Information Industry Association (AIIA), the peak member body for the digital industry, expresses a similar view. AIIA is concerned at the lack of evidence for a sound policy rationale for the application of the CDR to the telecommunications industry. It believes the legislation and the rules framework are overly complex. Two specific areas of concern are the definitional boundaries of ‘derived data’ and the obligations on an accredited data recipient under the principle of ‘reciprocity’. While these concepts are both mandated attributes of the CDR, there is in fact ‘no available guidance to inform practical implementation’.[73]

Energy sector submissions

AGL has participated in the consultation processes run by Treasury, the ACCC and CSIRO’s Data61 group. In its submission to the Senate Committee inquiry into the Bill AGL states that throughout these processes, it has continued to express concern about the timing and changing scope of the CDR Bill. AGL expresses significant concern about a range of matters including:

  • the regulatory tools (for example the cost-benefit analysis and Privacy Impact Assessment) used in this process are insufficient/not-fit-for-purpose
  • the Bill expands CDR definitions relating to captured data and consumer beyond what was initially recommended in earlier reviews. As a result the Bill intentionally goes beyond the scope necessary to enable data portability and access for individuals
  • the introduction of new Privacy Safeguards remains unnecessarily confusing, complex and a potential risk to consumer privacy, and has not been given appropriate consideration or stakeholder consultation and
  • the ambitious implementation date for banking set initially for 1 July 2019 impacted on the quality and effectiveness of consultation and regime consideration and meant that ‘energy and telecommunications have effectively been left behind in the discussions’.[74]

The Australian Energy Council (AEC) supports introducing a CDR into the energy sector and wider economy stating:

If supported by an appropriate regulatory framework, we believe the CDR has the potential to enhance competition in the retail market and provide better outcomes for consumers. Providing a common framework to give consumers access to their energy consumption data will better enable them to compare energy offers and engage in the market with confidence. It can also provide a valuable platform for more innovative products and services in the sector.[75]

However, in relation to sector designation, the AEC would like to see a more robust consultation process, including appropriate cost-benefit analysis applied throughout all stages of designating the relevant sector and developing both the consumer data rules and data standards. In particular, this consultation process should be designed to give sufficient consideration to the unique aspects of the industry to which the data relates, such as the range of regulatory frameworks already in place, the availability of data and the interaction of various market participants with consumers and the data that relates to them.[76] It cites the example of the energy sector, where a national regulatory framework already exists and would be impacted by the introduction of the CDR regime.[77]

AEC also suggests a number of amendments including that the standing definition of a consumer in the Bill be narrowed to exclude large businesses. The AEC finds the inclusion of large businesses somewhat concerning given the purpose of the Bill is to empower consumers who are in a lower position of power relative to the company holding their information (whether it be a bank, energy retailer or otherwise). It also notes that the Productivity Commission’s Report into Data Availability and Use, which laid the groundwork for this Bill, did not recommend the inclusion of large businesses.[78]

Like many submitters the AEC also raises concerns regarding the inclusion of value-added data which it says ‘risks disincentivising business to continue using data in innovative ways’. It is the AEC’s preference that CDR data should simply cover personal information rather than anything that ‘relates to’ the consumer. It argues this approach is consistent with the provisions of the Privacy Act and avoids creating unnecessary confusion for regulators, data holders and consumers.[79]

Financial implications

The Explanatory Memorandum states that the Bill fully implements the National Consumer Data Right measure from the 2018–19 Budget.[80] The financial impact will be $45 million from 2018–19 to 2021–22.[81]

Statement of Compatibility with Human Rights

As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 (Cth), the Government has assessed the Bill’s compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The Government considers that the Bill is compatible.[82]

Parliamentary Joint Committee on Human Rights

The Parliamentary Joint Committee on Human Rights had not reported on the Bill at the date of publication of this Digest.

Key issues and provisions

Part 1—Main amendments

Part 1 of Schedule 1 to the Bill consists of three amendments. Item 1 is the key amendment and inserts new Part IVD—Consumer data right into the CC Act. Items 2 and 3 are transitional provisions that are specific to the banking and energy sectors.

New Part IVD—Consumer data right

The object of Part IVD

Proposed section 56AA provides that the object of the new Part IVD is two-fold:

  • to enable consumers in certain sectors of the Australian economy to require information relating to themselves to be disclosed safely, efficiently and conveniently to themselves or to accredited persons
  • to enable any person to efficiently and conveniently access information in those sectors that is about goods or services and does not relate to any identifiable or reasonably identifiable consumer.

As a result of achieving these objectives Part IVD should also:

  • create more choice and competition or otherwise promote the public interest.

Comment

The Law Council argues that this objective is framed to indicate that this is not intended to be an instrument to effect competition reform. Rather it is intended to be an instrument to give customer choice and customer control over data that relates to them and it may have the by-product of affecting competition structure.[83]

It is the Law Council’s view that this clear objective is relevant when considering the extent or the limit to be placed on reciprocity.[84]

Designated sectors subject to the consumer data right

The Bill establishes a framework to enable the CDR to be applied to various sectors of the economy over time. Proposed sections 56AC–56AH deal with the process for establishing or designating the sectors.

Proposed section 56AC provides that the Minister may by legislative instrument designate a sector of the Australian economy to which the CDR applies. The Minister designates a sector by amongst other things specifying:

  • classes of information (‘designated information’)
  • persons (both individuals and entities[85]) who hold one or more specified classes of the designated information (or on whose behalf such information is held)
  • the earliest date applicable to the sector for beginning to hold the designated information[86]
  • each of the classes of information for which a person may charge a fee and the circumstances of charging and
  • if required, the particular person or persons who are to be gateways.[87]

The classes of information that are designated are subject to geographical limitations and require an Australian connection as set out in proposed subsection 56AC(3).

Proposed section 56AD sets out a range of factors the Minister must consider prior to making a sector designation. These factors include the likely effect of designation on:

  • consumers within the designated sector[88]
  • the efficiency of relevant markets
  • the privacy or confidentiality of consumers’ information
  • promoting competition
  • promoting data-driven innovation
  • any intellectual property in the information to be covered by the instrument and
  • the public interest.

The Minister must also consider:

  • the regulatory impact of designation
  • certain matters to do with cost associated with data disclosure
  • whether one or more gateways need to be specified and
  • any other matters the Minister considers relevant.

Before designating a sector, the Minister must consult with the ACCC as well as any other person or body prescribed by regulations (proposed subsection 56AD(2)). When considering the effect of making the instrument on the privacy or confidentiality of a person’s information, the Minister must consult the Information Commissioner (proposed subsection 56AD(3)). The ACCC and Information Commissioner’s responsibilities regarding this consultation are set out in proposed sections 56AE and 56AF respectively.

Amongst other things the ACCC must analyse the factors that the Minister has had to consider and must consult the public. After a public consultation period of at least 28 days, the ACCC must report to the Minister and publish that report on the ACCC’s website.

The Information Commissioner has similar responsibilities. He/she must analyse the likely effect of designating that sector on the privacy or confidentiality of consumers’ information and report to the Minister on that analysis (proposed subsection 56AF(1)).

If the ACCC publishes a recommendation that the Minister make an instrument designating a sector, the Minister must wait at least a further 60 days before making the instrument (proposed paragraph 56AD(2)(b)).

A designation instrument is not invalid if the Minister or the ACCC fail to consult about the instrument or if the Information Commissioner fails to analyse the likely effect on the privacy or confidentiality of consumers’ information (proposed section 56AH).

The ACCC may also, on its own initiative, recommend to the Minister that a sector be designated or that an existing instrument designating a sector be varied or revoked. The ACCC must publish this recommendation on its website (proposed section 56AG).

Exemptions from the consultation process: banking industry and energy sector

Items 2 and 3 in Schedule 1 provide certain exemptions from this consultation process for the banking and the energy sectors subject to specific time limits.[89] The rationale for this exemption for the banking sector is:

[...] the Open Banking Review undertook consultation with the banking sector and the community on the scope and application of the CDR to the banking sector. The Minister subsequently consulted on the recommendations of the Open Banking Report. Requiring the ACCC to undertake consultation and provide the Minister with a report following the extensive consultation undertaken in preparing the Open Banking Report is not considered to be necessary.[90]

In the case of the energy sector, the Explanatory Memorandum notes that the Government has indicated that the energy sector will be designated as the second sector of the economy to which the CDR applies. Public consultation has been undertaken as part of the process of preparing the Council of Australian Governments’ (COAG) report Facilitating Access to Consumer Energy Data and for that reason the Minister is not required to consult the ACCC or the Information Commissioner regarding the energy sector. However, the ACCC will still be required to conduct consultations in regard to the CDR rules.[91]

Comment

AGL considers the COAG consultation is insufficient in the energy sector as it was developed for another purpose and done before the scope of the CDR regime was fully understood by Government or industries.[92] Likewise, the AEC suggests that further consultation and analysis is required, perhaps via a Regulatory Impact Statement, before a data set is designated to come under the CDR.[93]

Key terms

Proposed sections 56AI, 56AJ, 56AK, 56AL and 56AM define key terms underlying the new regime. Some of these terms are described below.

CDR data, directly or indirectly derived

‘CDR data’ is central to the CDR scheme and is defined as:

  • information that is within a class of information, specified in an instrument designating a sector or
  • information that is not so covered but is subsequently directly or indirectly derived from that designated sector information (proposed subsections 56AI(1) and (2)).

The Explanatory Memorandum states CDR data can include product information or records of usage of a good or service. The data can relate to natural and legal persons, for example a company.[94]

Derived data

The Law Council raises an issue with this definition and particularly with the concept of derivation of data. It is concerned that there is no limit specified as to the extent of derivation and considers that there must be some class-closing rules. In relation to the banking sector, the Law Council suggests that without specifying limits there may be the risk that distant derivations such as bank divisional reports and ‘other aggregations and transformations of data could be subject to the CDR’.[95] The Law Council’s submission continues:

By current provisions of the Bill it is left to the Ministerial designation to create class closing rules, or to the CDR Rules as promulgated by the Australian Competition and Consumer Commission (ACCC) to describe what the Minister intended [...][96]

The Law Council submits that it is contrary to good legislative practice for Ministerial discretion to effectively determine the nature of a right that should be appropriately stated in the statute. It argues:

The Bill as drafted creates the substantial risk that (through default or intentionally) the Minister includes within the CDR substantially value-added, valuable and business confidential transformations and analytically derived insights from transactional data. The Law Council recommends that the Minister’s discretion be appropriately confined, preferably by exclusion of value-added data from being within scope of possible designation, or less preferable by ensuring that any designation of value added data is only after consideration of objectively stated factors to be taken into account by the Minister, with possibility of independent review.[97]

The Explanatory Memorandum acknowledges that the scope of CDR data appears broad but states that there are limits on the data that data holders may be required to give access to.[98]

For data that relates to a CDR consumer, a data holder can only be required to disclose that data to an accredited person, designated gateway or the consumer themselves. In this circumstance the data is also limited to data that is specified in the instrument and does not include data that is derived from data specified in the instrument (proposed subsection 56BD(1)).[99]

In relation to data about a product, goods or service, a data holder can only be required to disclose data about the eligibility criteria, terms and conditions, price, availability or performance of the product, good or service. Disclosure about the availability or performance can only be mandated where this data is publicly available (proposed subsection 56BF(1)).[100]

In evidence to the Committee, a Treasury official explained that the designation instrument will be explicit about and make clear whether data is materially or immaterially derived data. The designation instrument for banking will make it clear that it is only the immaterially derived data that is the relevant data for the purpose of open banking.[101]

Key participants in the CDR framework

The CDR framework relies on three key participants – CDR consumers, data holders and accredited data recipients. There is a fourth group—designated gateways—however there will be limited circumstances when a gateway will be designated.

The relevant definitions in the Bill are described below.

Data holders

In broad terms data holders are original holders of the data that the right of transfer applies to.[102]

Proposed section 56AJ provides that data holders of CDR data are:

  • persons (individuals or entities) that hold the CDR data included in the designation instrument, or data derived from that data and
  • who began to hold that data within the timeframe specified in the designation instrument and
  • where any of the following three conditions apply to the person and the CDR data:
    • the person is specified in the designation instrument as the data holder, provided the data and derived data were not disclosed to the person under the consumer data rules
    • the person is an accredited data recipient of other CDR data, provided none of the data was disclosed to the person under the consumer data rules
    • the person is accredited and the data was disclosed under the consumer data rules and the conditions specified in the rules are met.

The Explanatory Memorandum provides scenarios to further clarify how these three conditions apply.[103]

CDR consumer

In general terms a CDR consumer for CDR data is a person or entity that holds the ‘rights’ to access the data held by a data holder and to direct that this data be shared with an accredited person.

Proposed subsection 56AI(3) provides that a CDR consumer is:

  • an identifiable or reasonably identifiable person (both individual or entity) to whom the CDR data relates because of the supply of a good or service either to the person or an associate and
  • the CDR data is held by another person who is either a data holder of the CDR data or an accredited data recipient.

The Explanatory Memorandum provides further explanation and examples of how this rather broad and complex provision is to be interpreted:

Determining whether a person can be ‘reasonably’ identified from the data requires contextual consideration, including the nature and amount of information, other information that may be available to the persons who will have access to the information, and the practicability of using that information to identify a person.

An important consideration in whether data can be considered to relate to a ‘reasonably identifiable’ person is what motivations there may be to attempt re‑identification. A person will be reasonably identifiable where:

  • it is technically possible for re-identification to occur (whether from the information itself, or in combination with other information that may be available), and
  • there is a reasonable likelihood of re-identification occurring.[104]

Comment

Some submitters to the Senate inquiry into the Bill have argued for a simpler legislative definition of CDR consumer. For example, the Business Council states that a definition based on the tested scope of the Privacy Act would be a preferable starting position for the CDR. Considering the risk associated with capturing value-added data, it argues that amending the term ‘relates’ in proposed paragraph 56AI(3)(a) to ‘is about’ would reflect the tested scope of personal data as currently set out in the Privacy Act. In the Business Council’s view this would still allow broad and meaningful datasets to be provided under the CDR.[105]

The Law Council takes a similar view, supporting an amendment that would align the concept of CDR data relating to an individual to the Privacy Act concept of being about an individual. In evidence to the Senate Committee, Professor Peter Leonard said:

That's an example of where a relatively minor amendment could address the significant concern and create closer alignment to the current Privacy Act.[106]

Accredited data recipient

An accredited data recipient for CDR data is defined in proposed section 56CA as a person or entity that has been accredited,[107] and who has received CDR data as a result of a disclosure made in accordance with the consumer data rules and is neither a data holder nor a designated gateway in relation to that CDR data.

The Explanatory Memorandum explains that being an accredited data recipient will be essential in order to be able to receive data about a consumer. The consumer data rules will provide that a CDR consumer’s right to direct a data holder to transfer the data to another entity under the CDR, exists only where the entity is an accredited person.[108]

Accreditation of data recipients

Proposed section 56BH provides that consumer data rules may be made about the accreditation of data recipients including:

  • about the powers and functions of the Data Recipient Accreditor
  • specifying the criteria for a person to be accredited
  • outlining that accreditations may only be provided subject to applicants meeting certain conditions, including that conditions may be applied after accreditation has been granted
  • allowing for accreditation to be provided at different levels taking into account the different risks associated with the kind of activities undertaken within that designated sector or the kinds of applicants
  • about the period, renewal, transfer, variation, suspension, revocation or surrender of accreditations
  • outlining transitional rules for when an accreditation is suspended or ends and the treatment of data under such circumstances and
  • about the Register of Accredited Data Recipients.

Any rules which enable decisions to be made about the granting, revocation, variation or suspension of accreditations must also allow for the review of those decisions by the Administrative Appeals Tribunal.

Reciprocity

Data may also become subject to the CDR through a reciprocity mechanism. This mechanism will provide that those who wish to become accredited and receive designated data at a consumer’s request must be willing to share equivalent data in response to a consumer’s request.

The principle of reciprocity is not directly referred to in the Bill, however the Explanatory Memorandum describes the relevant concepts, noting the matter would be dealt with under the rules. It states:

The consumer data rules may provide that a consumer can direct an accredited data recipient to provide access to certain CDR data to the consumer or other accredited persons. This is known as the principle of reciprocity.[109]

The Explanatory Memorandum states that the principle of reciprocity may apply in three circumstances:

First where an entity is included in a designation instrument but there is not a consumer data rule requiring that data holder to disclose that information.

An example of this would be where a small ADI [Authorised Deposit-taking Institution] is not required to disclose banking information at a consumer’s request before 1 July 2020. However, if the small ADI becomes an accredited data recipient before this date, the consumer data rules may require the small ADI to transfer data at the request of the consumer.

Similarly, the principle of reciprocity may apply where an accredited data recipient is not included in the designation but holds data that it has generated or collected itself outside of the CDR. For example, a non-ADI lender would hold data that is included in the designation instrument. The consumer data rules may require the accredited data recipient to transfer data at the request of the consumer.

The final circumstance where the principle of reciprocity may apply is where the ACCC writes rules requiring accredited data recipients to disclose data that they have received through the CDR to another accredited person at the consumer’s request.

If an accredited data recipient does not hold data that falls within a class designated in a designation instrument, reciprocity cannot apply. That is, reciprocity only applies to data included in the designation instrument. This is because the transfer of the data needs to be supported by data standards to occur efficiently.[110]

Several submitters, including the Law Council, raised concerns with the reciprocity concept and how it would apply. The Law Council warned that there are complexities in implementing reciprocity which raise a question as to whether ‘reciprocity’ need be an element of the initial Open Banking framework, or whether any need and specification for reciprocity might be better understood when the market dynamics as to inter-Accredited Data Recipient (ADR) transfers become clearer. In evidence to the Senate Committee Ms Ganopolsky states:

Datasets that evolve and transform downstream become more complex and more difficult to track and identify as CDR data, and the cost burden of imposing that obligation upon ADRs may be prohibitive and may result in fewer comparisons being available to the very consumers that this legislation seeks to serve.[111]

In the Law Council’s view this concern should promote caution in implementing reciprocity as an initial requirement universally imposed on ADRs. Rather there may be a case for a ‘sandbox or other reasoned or controlled differential treatment in relation to some ADRs’.[112]

The Law Council further notes that, other than an indirect reference, the Bill does not address the issue of reciprocity as a legal concept. It is of the view that it would be beneficial if the Bill itself addressed the matters explained in the Explanatory Memorandum.[113]

Chargeable CDR data

The CDR framework includes the concept of chargeable data.

Proposed section 56AM defines ‘chargeable CDR data’ as information that a person is required to disclose where the Minister has stated in the designation instrument that specific persons can charge a fee, either for the use or disclosure of the data, or both.

The Minister may also specify, in the designation instrument, the circumstances when a person can charge a fee for that data (proposed paragraph 56AC(2)(d)). The Minister cannot make determinations about fees regarding merely authorised (but not required) disclosures of CDR data (paragraph 56AC(2)(d) and section 56AM). If data is not listed as chargeable data in the designation instrument the person cannot charge a fee for the data. Similarly, the person cannot charge a fee for the use or disclosure where the circumstances specified in the designation instrument have not been met (proposed section 56BT).

Data that is not chargeable is referred to as fee-free CDR data (proposed subsection 56AM(4)).

Specific factors the Minister must consider before designating data sets for which a fee can be charged are listed in proposed subparagraph 56AD(1)(c). These factors are:

  • whether requiring the data to be disclosed or used would constitute an acquisition of property under Australia’s Constitution
  • whether the data holder currently charges consumers for access to that data set
  • whether requiring that data to be disclosed would reduce the incentives to generate, collect, hold or maintain that data set and
  • the marginal cost of disclosing that data.

The Explanatory Memorandum states that it is anticipated that the majority of designated data sets would be made available for free. Only in rare circumstances, for example, where the marginal cost of disclosure would be significant, would it be appropriate for a data set to be designated as a chargeable data set.[114]

Designated gateway

The Bill also includes the concept of a ‘designated gateway’. Proposed subsection 56AL(2) provides that a person is a designated gateway for CDR data if it is specified in the designation instrument, the CDR data is within the class specified in that instrument, and the data is to be disclosed by a data holder to an accredited data recipient or the consumer according to the consumer data rules.

The Explanatory Memorandum states that the Government expects that there will be limited circumstances when a gateway will be designated:

A factor that would be considered in deciding whether to designate a gateway would be whether there was an entity that already had a relationship with the data holders and that transferring data through the gateway would be an efficient and cost effective way to exercise the data right. Another factor may include the relative risk of the data sets that would be expected to flow through the gateway.

The Government expects that the gateway would be a Commonwealth body or entity, or within the effective control of the Commonwealth or a State or Territory.

An example of where a gateway may be designated is for the energy sector. One option being considered would be to designate the Australian Energy Market Operator (AEMO) as the gateway. In this scenario, the ACCC would make rules requiring the data holders in the energy sector to meet an obligation to disclose CDR data by disclosing the data to AEMO. Similarly the ACCC would make a rule requiring AEMO to disclose the data to the accredited persons or the consumer in accordance with the request made by the consumer.[115]

Extraterritorial operation of the CDR provisions

The proposed CDR regime generally applies both within and outside of Australia (proposed section 56AN and subsection 56AO(1)).

Where the CDR data is held within Australia, obligations under the CDR regime apply to both Australian and foreign persons (proposed subsection 56AO(2)).

Where the CDR data is held outside of Australia, the CDR applies to acts or omissions:

  • by (or on behalf of) an Australian person
  • that occur wholly or partly in Australia[116] or
  • that occur wholly outside Australia and an Australian person suffers, or is likely to suffer financial or other disadvantage as a result of the conduct (proposed subsection 56AO(3)).

Power to make consumer data rules

Proposed section 56BA provides that the ACCC may by legislative instrument make rules (consumer data rules) for designated sectors. Proposed section 56BB sets out the matters that the rules may deal with including:

  • disclosure, use, accuracy, storage, security or deletion of CDR data
  • designated gateways for CDR data
  • accreditation of data recipients
  • reporting and record keeping and auditing and
  • any other matters incidental to the CDR system.

Further detail about the various types of rules is set out in proposed sections 56BC to 56BJ and these are described at pages 33-37 in the Explanatory Memorandum.

Limitations on consumer data rules

Proposed sections 56BD, 56BF, 56BG and 56BK set out some of the limitations on the consumer data rules. For example the rules cannot:

  • require a CDR participant to disclose CDR data before 1 July 2019 or impose a retrospective commencement or application (proposed subsection 56BK(1))
  • require the disclosure of information about a consumer unless that information is specified in the designation instrument and the disclosure is to a CDR consumer, accredited person or designated gateway (proposed subsection 56BD(1))
  • require the disclosure of information about a product or a good or service unless the data is about eligibility criteria, terms and conditions, price, or publicly available information about the availability or performance of the product (proposed subsection 56BF(1))
  • allow a fee to be charged for data for which a fee cannot be charged (proposed subsections 56BD(2) and 56BF(2))
  • impose deletion obligations on a data holder for CDR data about a consumer (proposed paragraph 56BD(3)(a)) or
  • require the data holder to do anything in relation to the use, accuracy, storage or security of the CDR data unless those rules also relate to the disclosure of the CDR data under the consumer data rules (proposed paragraph 56BD(3)(b)).

Regulations may further limit matters that the consumer data rules are able to deal with (proposed subsection 56BK(3)).

Process for making consumer data rules

Proposed section 56BP provides that before making the consumer data rules the ACCC is required to consider certain matters. These are mainly the same matters that the Minister must consider before designating a sector—the likely impact of the proposed rules on consumers, competition, innovation, privacy and confidentiality, the public interest, intellectual property and relevant markets. The ACCC must also consider the regulatory impact of the proposed consumer data rule.

Proposed section 56BQ sets out consultation obligations. Before making the consumer data rules, the ACCC is required to consult with the public, the Information Commissioner, the primary regulator of the particular designated sector and any other persons prescribed by regulations.

The ACCC must consult for at least 28 days and is unable to make the rules for at least 60 days from when the rules were released for public consultation. A failure to consult will not invalidate the rules.

The consumer data rules are disallowable instruments and therefore subject to parliamentary scrutiny.

The ACCC must, except in emergency circumstances, obtain the Minister’s consent, in writing, prior to making a rule (proposed sections 56BR and 56BS).

Emergency rules

Proposed subsection 56BS(1) allows the ACCC to make consumer data rules without public consultation and without the Minister’s consent in emergency situations after it has consulted with the Information Commissioner. Emergency situations are when the ACCC is of the view that making the rules is necessary to avoid a risk of serious harm to the efficiency, integrity or stability of any aspect of the Australian economy or to the interests of consumers.

If the ACCC makes an emergency rule then it is required to advise the Minister on the following day and to provide the Minister with a written explanation of the need for the emergency consumer data rules (proposed paragraph 56BS(2)(a)).

The Minister may respond by advising that the consumer data rule be either amended or revoked, in accordance with a written direction of the Minister (paragraph 56BS(2)(b) and subsection 56BS(3)).

The Explanatory Memorandum states that given the nature of the CDR regime, a significant data breach could be considered to cause serious harm to the interests of consumers:

The ACCC is provided with this emergency rule making power to respond to an emerging issue, for example a previously unforeseen practice which presents a risk of harm to consumers, swiftly and with flexibility. The appropriate checks and balances still exist with Ministerial oversight and the ability of the Minister to amend or revoke the emergency consumer data rule, if the Minister considers that action necessary.[117]

A failure to consult the Information Commissioner does not invalidate the emergency consumer data rules (proposed subsection 56BS(4)). However, if the ACCC does not consult the Information Commissioner before making the emergency rules and the Minister does not direct the ACCC to vary or revoke the emergency rule, the rule will cease to be in force six months after the day it was made (proposed subsection 56BS(5)).

Consumer data rules are able to be made with respect to other matters including the data standards, de-accreditation and suspension of accreditation, and other related matters as well as extensions or clarification of the Privacy Safeguards.[118]

Data standards, the Data Standards Chair and the Data Standards Body

Data standards will explain the format and process by which data needs to be provided to consumers and accredited data recipients within the CDR system.

Data standards will be made by the Data Standards Chair who is to be appointed on a part-time basis by the Minister by written instrument (proposed sections 56FA, 56FF and 56FG).

Proposed subsection 56FA(1) provides that the Data Standards Chair may make data standards about:

  • the format and description of CDR data
  • the disclosure of CDR data
  • the collection, use, accuracy, storage, security and deletion of CDR data
  • de-identifying CDR data and
  • matters included in regulations.

If the consumer data rules require the Data Standards Chair to make a data standard about a particular matter, the Data Standards Chair must do so and, if the consumer data rules so require, must specify in that data standard that it is binding (proposed subsection 56FA(3)). Such standards are referred to as binding data standards.

The data standards will not be a legislative instrument but they must be published on the internet and be freely available (proposed subsection 56FA(4) and proposed section 56FC).

Matters to be covered in the data standards will be subject to consumer data rules (proposed subsection 56FA(3)).

Proposed section 56FD sets out the legal effect of a binding data standard. Effectively such a data standard will operate as a multilateral contract between data holders, accredited persons and designated gateways, under which they agree to observe the standard and to engage in conduct required by the standard.[119] Under proposed section 56FE a person may seek enforcement of or compliance with a binding data standard in court.

Data Standards Chair

As noted above, data standards are made by the Data Standards Chair who is appointed by the Minister under a written instrument. Proposed sections 56FG, 56FH, 56FI, 56FL, 56FM, 56FN, 56FO, 56FQ and 56FR deal with a variety of matters to do with the Chair including appointment procedures, terms of office, functions and powers.

Proposed section 56FS provides that the Chair may delegate his or her functions to staff of the Data Standards Body, the ACCC or in the Department. The delegation power does not include the Chair’s ability to make data standards.

Data Standards Body

Proposed section 56FJ provides for a Data Standards Body. The Minister may appoint the Department (that is the Treasury) or another Commonwealth entity to perform the functions of the Data Standards Body. The function of the Data Standards Body is to assist the Data Standards Chair. The Data Standards Body must comply with any rules that have been made by the ACCC.

CDR privacy framework

Proposed sections 56EA to 56EP establish a privacy framework to protect the privacy or confidentiality of CDR consumers’ CDR data. It applies to CDR consumers whether they are individuals or bodies corporate. It is based on a set of 13 Privacy Safeguards which will operate in parallel with the existing APPs in the Privacy Act. The Privacy Safeguards broadly mirror the APPs but in many ways provide a higher standard of protection. A summary of the Privacy Safeguards is set out below.

Proposed section 56EB provides that the Privacy Safeguards apply to CDR data for which there are one or more CDR consumers (individuals or bodies corporate).[120]

Relationship between the Privacy Safeguards and other laws

Proposed section 56EC sets out how the Privacy Safeguards will interact with the consumer data rules and the Privacy Act.

Consumer data rules and the Privacy Safeguards

Proposed subsections 56EC(1) and (2) provide that if there is an inconsistency between the Privacy Safeguards and the consumer data rules, the Safeguards will prevail over the rules to the extent of the inconsistency. The consumer data rules are taken to be consistent with the Privacy Safeguards to the extent that they are capable of operating concurrently. A note states that this means that the Privacy Safeguards do not cover the field that they deal with.

The Explanatory Memorandum further elaborates:

The privacy safeguards provide minimum protections for the treatment of CDR data. They can be supplemented by the consumer data rules to ensure CDR data is adequately protected. This also means that the system is able to respond flexibly to any emerging risks.[121]

Credit reporting under the Privacy Act and the Privacy Safeguards

Part IIIA of the Privacy Act regulates privacy issues relating to consumer credit reporting in Australia. Proposed subsection 56EC(3) provides that this credit reporting regime is not limited by the Privacy Safeguards in relation to CDR data. However the regulations may declare that in specified circumstances Part IIIA may be varied in relation to its effect on CDR data.

Australian Privacy Principles and the Privacy Safeguards

Under the Privacy Act the APPs apply to the handling of personal information, including its collection, use, disclosure and storage, as defined in the Act. With some exceptions, the Privacy Act does not bind small businesses. Unlike the APPs, the Privacy Safeguards will also apply to CDR data where the CDR consumer is a business (proposed section 56EB).

The Explanatory Memorandum explains this difference:

The Privacy Act principally applies to ‘personal information’ which is defined at section 6 of that Act to include information or an opinion about an individual from which the individual may be capable of being identified.

Similarly, the Privacy Safeguards only apply to information that relates to identifiable or reasonably identifiable CDR consumers, including business consumers who wish to participate in the system. As such, the Privacy Safeguards have been created to ensure that business information is also protected.[122]

Proposed subsections 56EC(4) and (5) deal with the interaction between the APPs and the Privacy Safeguards and the Explanatory Memorandum provides a general explanation of how these provisions work.

In very broad terms the APPs and the Privacy Act will continue to apply to data holders under the CDR with the exception of accuracy and correction rights and notification of disclosure obligations once a valid request for CDR data has been received. In these cases the Privacy Safeguards (Privacy Safeguards 11 and 13) apply and the APPs do not.

For accredited data recipients, the APPs will not apply to CDR data that has been received by an accredited data recipient through the CDR regime. Instead the Privacy Safeguards will apply.

For a designated gateway, the Privacy Act and the APPs will continue to apply with the exception of use and disclosure of the CDR data, including for direct marketing purposes and the security of the CDR data (APPs 6, 7 and 11). In these cases the Privacy Safeguards (Privacy Safeguards 6, 7 and 12) apply and the APPs do not.

The Explanatory Memorandum includes a comparative table detailing how the interaction occurs.[123]

Another complicating factor arising from the operation of two privacy frameworks running in parallel is that the APPs and the Privacy Safeguards rely on differing definitions of information. The Explanatory Memorandum explains:

The use of the term ‘relates’ creates a lower threshold for information to be protected by the Privacy Safeguards than applies to information protected by the APPs. The APPs apply to information ‘about’ a person. This means that CDR data held by an accredited data recipient will continue to be protected by the Privacy Safeguards until that data ceases to ‘relate’ to an identifiable or reasonably identifiable consumer. It is intended that the term ‘de-identification’ be interpreted by reference to this threshold.[124]

Comment

The Law Council considers that it remains unclear as to how the privacy safeguards division of the Bill will interact with the provisions of the Privacy Act. The Law Council remains concerned that the provisions of the Bill will create:

  1. unnecessary complexity, through the establishment of a second legislative regime of privacy requirements (through provisions of the CCA as well as the provisions of the Privacy Act), in addition to the provisions of any State or Territory legislation that may also apply (such as when organisations hold contracts with State or Territory agencies which compel them to also comply with State laws);
  2. different classes of privacy protection depending on whether the relevant data is CDR data under the privacy safeguards or only personal information under the Australian Privacy Principles of Schedule 1 of the Privacy Act (APPs);
  3. a situation where the same data may be both CDR data and personal information and consequently must be dealt with under separate, and potentially inconsistent, privacy regimes;
  4. confusion as to the operation of Part IIIA of the Privacy Act;
  5. additional uncertainty as to what is covered as personal information and what is covered as CDR data; and
  6. unnecessary complexity as to the available remedies under the working combinations of the regimes.[125]

A number of other submitters to the Senate inquiry into the Bill also expressed concerns about the complexity of the privacy framework, arguing it would be a potential risk to consumer privacy.[126]

Summary of the Privacy Safeguards

With the exception of Privacy Safeguard 2, all Privacy Safeguards are civil penalty provisions which are enforceable under the Regulatory Powers Act (proposed section 56EU).

Privacy Safeguard 1—Open and transparent management of CDR data

Proposed section 56ED provides that each CDR entity (that is data holders, accredited data recipients and designated gateways) must have policies, procedures and systems in place that ensure compliance with the CDR regime and proper management of CDR data. The CDR entity’s policy must be publicly and freely available, in accordance with the CDR rules.

Privacy Safeguard 2—Anonymity and pseudonymity

Proposed section 56EE provides that unless the consumer data rules provide otherwise, a CDR consumer must be provided with the option of utilising a pseudonym, or not identifying themselves, when dealing with an accredited data recipient in relation to their CDR data.

The Explanatory Memorandum gives further explanation of circumstances where a pseudonym would not be appropriate noting the ‘Government would not expect that a consumer could use a pseudonym when exercising their consumer data right in the banking sector. A consumer cannot typically engage with the banking sector without identifying themselves’.[127]

Privacy Safeguard 3—Soliciting CDR data from CDR participants

Proposed section 56EF provides that an accredited person must not seek to collect CDR data in accordance with the CDR regime unless:

  • a CDR consumer has requested this by a valid request under the consumer data rules, and
  • the accredited person has complied with all other requirements of the consumer data rules.

The collection of the data could also be made via a designated gateway.

Privacy Safeguard 4—Dealing with unsolicited CDR data from CDR participants

Proposed section 56EG provides that an accredited person that receives unsolicited CDR data must destroy it as soon as practicable.

Privacy Safeguard 5—Notifying the collection of CDR data

Proposed section 56EH provides that any collection of CDR data done in accordance with Privacy Safeguard 3 must be made known to the relevant CDR consumers and that notification must be done in accordance with the consumer data rules.

Privacy Safeguard 6—Use or disclosure of CDR data by accredited data recipients or designated gateways

Proposed subsection 56EI(1) provides that an accredited data recipient of CDR data must not use or disclose CDR data unless:

  • in the case of a disclosure—the disclosure is required under the consumer data rules in response to a valid request from a CDR consumer for the CDR data
  • the use or disclosure is otherwise required, or authorised, under the consumer data rules, or
  • the use or disclosure is required or authorised by Australian laws other than the APPs.

Proposed subsection 56EI(2) provides a similar regime of use and disclosure in relation to designated gateways for CDR data.

Proposed subsection 56EI(3) clarifies that these rules do not apply to the use or disclosure of CDR data for the purposes of direct marketing. Privacy Safeguard 7 (section 56EJ) deals with direct marketing.

Privacy Safeguard 7—Use or disclosure of CDR data for direct marketing by accredited data recipients or designated gateways

Proposed subsection 56EJ(1) provides that an accredited data recipient of CDR data must not use or disclose it for direct marketing unless:

  • in the case of a disclosure—the disclosure is required under the consumer data rules in response to a valid request from a CDR consumer for the CDR data or
  • the use or disclosure is authorised under the consumer data rules in accordance with a valid consent of a CDR consumer for the CDR data.

A note to this provision clarifies that the valid request referred to could be given through a designated gateway (see section 56BG).

A designated gateway for CDR data must not use or disclose it for direct marketing unless:

  • in the case of a disclosure—the disclosure is required under the consumer data rules or
  • the use or disclosure is authorised under the consumer data rules.

Comment

The Law Council is concerned about the potential misuse of CDR data, including de-identified aggregated CDR data, for direct marketing purposes. It argues that the privacy safeguard in proposed section 56EJ is not sufficient to cover this risk. It suggests:

One measure that could address that risk would be to legislate a definition for 'valid consent' – for example, consent must be current (no less than 12 months old etc.), expressly provided and relevant to the service provided by the access seeker to the consumer. The Bill could also prohibit holders of de-identified CDR data from cross-matching that information with other databases in a manner that would allow a de-identified, aggregated data set to be re-associated with a particular identifiable individual.[128]

Privacy Safeguard 8—Overseas disclosure of CDR data by accredited data recipients

Proposed section 56EK deals with disclosure of CDR data outside of Australia and provides a more limited regime of disclosure. In very general terms cross-border disclosure must not be made unless the person receiving the CDR data is an accredited recipient, or meets certain requirements specified by the consumer data rules. Overseas disclosure may also be made to an overseas recipient which is not an accredited entity if:

  • the accredited data recipient takes reasonable steps to ensure the recipient does not breach the Privacy Safeguards or
  • the accredited data recipient reasonably believes the recipient is subject to a law or scheme that provides at least the equivalent protections as the Privacy Safeguards and the CDR consumer will be able to enforce those protections.

Privacy Safeguard 9—Adoption or disclosure of government related identifiers by accredited data recipients

Proposed section 56EL provides rules about use and disclosure of government related identifiers.[129]

An accredited data recipient must not use a government related identifier as an identifier of a CDR consumer unless doing so is required by laws other than the Consumer Data Rules, or subclause 9.3 of the APPs applies (that is, the identifier and the accredited data recipient are prescribed in the regulations and the adoption, use or disclosure of the identifier occurs in circumstances prescribed by the regulations). Similar restrictions apply preventing accredited data recipients from disclosing government related identifiers.

Privacy Safeguard 10—Notification of the disclosure of CDR data

Proposed section 56EM provides that where a data holder has disclosed CDR data consistent with the consumer data rules, the data holder must notify the consumer as required by the consumer data rules. A similar obligation applies to an accredited data recipient.

This obligation to notify the consumer applies even if the disclosure was made via a designated gateway.

Privacy Safeguard 11—Quality of CDR data

Proposed section 56EN deals with quality of CDR data. It requires that holders of CDR data required or authorised to disclose the CDR data must take reasonable steps to ensure the data disclosed is accurate, up to date and complete. Similar obligations apply to accredited data recipients. In addition, if either of these CDR participants makes such a disclosure and later becomes aware that the data was inaccurate, out of date or incomplete the participant must advise the CDR consumer in accordance with the consumer data rules.

Privacy Safeguard 12—Security of CDR data

Proposed section 56EO provides that accredited data recipients and designated gateways must take the steps specified in the consumer data rules to ensure that CDR data is protected from misuse, interference and loss as well as from unauthorised access, modification or disclosure.

In addition, if the entity no longer needs the data for the purposes permitted by the CDR rules or for the purposes as allowed under the CDR regime, and the data is not required to be retained under Australian law, then the redundant data must be destroyed or de-identified according to the consumer data rules (proposed subsection 56EO(2)).

Comment

The Consumer Policy Research Centre argues for a higher standard of security and recommends that redundant data should be deleted by default. It argues:

Retaining de-identified data presents significant risk of re-identification. This risk may increase as the CDR framework enables more data sharing and amalgamation across sectors.[130]

Privacy Safeguard 13—Correction of CDR data

Proposed section 56EP sets out obligations on data holders and accredited data recipients in relation to requests by CDR consumers for correction of CDR data. When responding to a request for correction, the data holder or the accredited data recipient must take action in accordance with the consumer data rules and either:

  • correct the data or
  • include a statement with the data to ensure that having regard to the purpose for which it is held the data is accurate, up to date, complete and not misleading (proposed subsection 56EP(3)).

Compliance and enforcement of the Privacy Safeguards

Proposed sections 56EQ and 56ER deal with the Australian Information Commissioner’s role in promoting compliance with the Privacy Safeguards. Amongst other things the Information Commissioner has the following functions:

  • to make guidelines concerning breaches of the Privacy Safeguards
  • to promote an understanding of the Privacy Safeguards and
  • to undertake educational programs for the purposes of promoting the protection of CDR data.

Part IIIC of the Privacy Act sets out requirements for notification of certain data breaches. Proposed section 56ES provides that the Information Commissioner also has a role in notification of data breaches that may occur under Part IIIC in relation to accredited data recipients and gateways and their handling of CDR data.

As noted above a number of the Privacy Safeguards are civil penalty provisions and these provisions are enforceable under Part 4 of the Regulatory Powers Act (proposed subsections 56EU(1) and (2)).

Proposed section 56ET has the effect of extending Part V of the Privacy Act (which deals with investigations) to a CDR consumer’s data, creating the power for the Information Commissioner to handle complaints and undertake investigations under the Privacy Act regarding the management and handling of consumers’ CDR data.

Compliance and enforcement (apart from the Privacy Safeguards)

The enforcement and remedy regime which will apply under the CDR is consistent with the existing regime in the CC Act. The Explanatory Memorandum states that this approach allows courts the flexibility to deal with large and small business and serious and minor contraventions.[131]

Proposed sections 56BN and 56BO create two new criminal and civil penalty provisions dealing with misleading and deceptive conduct. Proposed section 56BN prohibits conduct which misleads a person to believe that a person is a CDR consumer or is acting in accordance with a valid request or consent from a CDR consumer when in fact they are not.

The maximum penalty for an offence committed by a body corporate is a fine of not more than the greater of the following three amounts:

  • $10,000,000
  • three times the value of the benefit received by the body corporate or
  • ten per cent of the annual turnover of the body corporate.

The maximum penalty for an offence committed by a person other than a body corporate is imprisonment for not more than five years, a fine of not more than $500,000, or both.

Proposed section 56BO provides a civil penalty for the same conduct.

For both the criminal offence and the civil penalty provision, the provisions do not apply if the conduct is not misleading or deceptive in a material particular. However, a person who wishes to rely on this defence bears the burden of adducing or pointing to evidence. This is considered appropriate as this ‘evidence’ would most likely be within the knowledge of the person (proposed subsections 56BN(2), 56BO(2) and 56BO(3)).

The Bill includes a number of provisions that extend existing enforcement and remedy provisions and associated powers of the ACCC, to the CDR regime. Pages 67–69 of the Explanatory Memorandum describe these provisions in full. They include for example:

  • section 80 of the CC Act provides that a person, including the ACCC, may apply to the court for an injunction where another person is undertaking, or proposing to undertake conduct which would contravene parts of the CC Act. Items 28 and 29 in Schedule 1 amend section 80 with the effect of extending this provision to apply to contraventions of the consumer data right and the consumer data rules
  • section 82 of the CC Act creates an action for damages. Item 30 amends this section with the effect of providing that a person who suffers damage or loss, as a result of a breach of the CDR regime or the consumer data rules, is able to recover the amount of the damage or loss sustained
  • Part XID of the CC Act gives the ACCC search and seizure powers to discover whether there has been a contravention of the CC Act. Items 60–62 in Schedule 1 amend sections 154, 154A and 154V to clarify that these search and seizure powers also apply in relation to the consumer data rules.

Concluding comments

The Bill is significant in providing the legal framework for creating a consumer data right which may eventually apply to all sectors of the economy. Being framework legislation, much of the detail of how it will operate, its obligations and the regulatory burdens established are to be set by the Minister, the ACCC and other entities through a range of legislative instruments and rules. The Bill and these various instruments have been developed in parallel and within shortened timeframes since the Government’s policy announcement in May 2018. As many stakeholders have commented, this approach has presented a challenging environment for those involved in analysing, assessing and providing advice on the Bill and its various instruments, all of which interact with one another.

While the concept of a CDR would appear to have bipartisan parliamentary support, the Labor Party is critical of what it perceives as the Government’s rushed timetable of implementation and would like more time to ensure that such significant legislation is properly reviewed.

In the wider community, stakeholders in their submissions to the Senate Committee inquiry generally support the concept of a CDR although many raise concerns about a number of features of the Bill. Amongst other things, they question the extent of ministerial delegation; the lack of detail in the Bill; the effectiveness of the proposed privacy framework; the possible implications for intellectual property; the lack of consumer testing and the potential impact of the Bill on vulnerable sections of the community.

If this complex and technical Bill is to be passed by the Parliament prior to the forthcoming election, then the parliamentary debate in the April sitting will necessarily be truncated. Otherwise the Bill will lapse on prorogation and the implementation of the CDR will stall. While some stakeholders such as fintech companies would be disappointed with such an outcome, others including consumer and privacy advocates would welcome the opportunity for further review at a later date.