Chapter 1 Introduction
Referral of the inquiry
1.1 The Treasury Laws Amendment (Consumer Data Right) Bill 2022 (the bill) was introduced into the House of Representatives and read a first time on 30 November 2022.
1.2 On 9 February 2023, the Senate referred the provisions of the bill to the Senate Economics Legislation Committee (the committee) for inquiry and report by 23 March 2023.
1.3 On 6 March 2023 the committee was granted an extension of time for reporting until 3 May 2023.
Background
1.4 In August 2019, the Australian Parliament passed the Treasury Laws Amendment (Consumer Data Right) Act 2019 creating the Consumer Data Right (CDR)—an economy-wide reform empowering consumers to access better products and services across a range of industries.
1.5 The creation of the CDR framework followed a range of reviews, including the Productivity Commission’s Inquiry Report into Data Availability and Use, and the Review into Open Banking in Australia.
1.6 The CDR is also known as ‘Australia’s national data portability initiative’ and has been designed to give customers, including individuals and business, the right to safely access certain data held by businesses, and direct that their information be transferred to accredited, trusted third parties of their choice.
1.7 The framework places consumers at the centre of a data-sharing system that protects their privacy, giving consumers the ability to opt-in and determine when and how their data is shared with accredited businesses and professionals of their choosing.
1.8 The CDR scheme is being rolled out progressively across the Australian economy on a sector-by-sector basis. It has been in operation in the banking sector for over two years and has recently commenced in the energy sector. The telecommunications and ‘Open Finance’ sectors are the next priority areas for expansion of the CDR.
Relevant reviews and inquiries
Inquiry into Future Directions for the Consumer Data Right
1.9 On 23 December 2020, the former Treasurer, the Hon Josh Frydenberg MP, announced the Inquiry into Future Directions for the CDR (the Inquiry). The Inquiry examined the risks and benefits of various actions which are considered high value such as payments and switching providers. It analysed how the CDR’s functionality could be expanded to include action initiation, and discussed the potential process to bring new action types into the CDR.
1.10 On 23 December 2020, the former Minister for Superannuation, Financial Services and the Digital Economy, Senator the Hon Jane Hume, announced the release of the Final Report for the Inquiry, which was informed by extensive targeted consultation with industry, consumer and privacy advocates, regulators, and academia.
1.11 The Final Report provided options to expand and enhance the functionality of the CDR and made 100 recommendations. A key recommendation was to expand the CDR framework to enable accredited third parties, with the consumer’s consent, to initiate actions beyond requests for data sharing (known as action initiation), building on trust developed in the system through the successful operation of the regime in enabling data sharing. The report recommended that action initiation first apply in the banking sector and include the initiation of payments.
1.12 The rationale for the implementation of an action initiation framework was outlined in the report as follows:
The CDR provides a secure set of channels through which accredited persons can communicate with data holders. These channels should also be opened to suitably accredited persons to initiate actions on a consumer’s behalf with the consumer’s consent. Enabling action initiation in this way would allow the CDR to facilitate a much broader range of functions, and increase the range of products and services available to consumers. The legislation that gives legal basis to the CDR should be amended to enable action initiation.
1.13 On 14 December 2021, the former Coalition Government released its response to the Inquiry, endorsing its findings. The then government committed to expand the functionality of the CDR regime to include support for consumer-directed third-party action initiation with appropriate consumer and privacy safeguards.
Statutory Review of the Consumer Data Right
1.14 On 14 February 2022, the government announced a statutory review on the operation of the CDR. The review explored the extent to which implementation of the CDR statutory framework supported the core policy objectives of driving value for consumers, increasing competition within designated sectors, and driving innovation across the data services sector. Focus was also on the government’s response to the Final Report of the Inquiry into Future Directions for the CDR.
1.15 The report found that there was significant enthusiasm for the delivery of action initiation under the CDR, with many submissions noting, where possible, that the CDR should ‘minimise potential friction points and reduce regulatory compliance for participants, with the objective to create more streamlined consumer experiences’.
Purpose of the bill
1.16 This bill would implement the recommendations from the Inquiry into Future Directions for the Consumer Data Right that introduce reforms to the CDR framework, referred to as the ‘action initiation reforms’.
1.17 The overall intent of the bill was explained by the Assistant Treasurer and Minister for Financial Services, the Hon Stephen Jones MP, on 30 November 2022. The Minister stated that the measure to enable action initiation is a function of the CDR that is expected to empower consumers to authorise, manage and facilitate actions securely in the digital economy:
[…] these changes will support a range of innovative business models, driving the development of new CDR-powered products and services. This will offer entirely new ways of doing things, boost competition and reduce the time pressures, cost and complexity experienced by consumers and small businesses when carrying out everyday tasks.
1.18 The bill proposes to make amendments to the Competition and Consumer Act 2010 (CCA) to expand the CDR from a data sharing scheme to a scheme that allows consumers to act on information they receive.
1.19 Under the current framework, consumers initiate the sharing of their data by giving consent to an accredited data recipient to request a transfer of their data from one or more data holders. The consumer then authorises each data holder to transfer their data to the accredited data recipient.
1.20 The introduction of action initiation into the CDR will allow accredited third parties to initiate actions beyond their current capacity of data sharing with a customer’s consent. A third-party would be able to receive powers equivalent to a ‘digital power of attorney’.
Figure 1.1 Action initiation in the CDR
Source: Treasury, Exposure draft legislation to enable action initiation in the Consumer Data Right, September 2022, p. 4.
Action initiation is made up of two parts: the instruction layer and the action layer. The instruction layer would sit within the CDR scheme and enable a consumer to give consent for a third party, known as an Accredited Action Initiator (AAI), to send an action initiation request to an Action Service Provider (ASP). The ASP would then authenticate the consumer and carry out the action as they would if the request came directly from the consumer. The ASP would carry out the action in the action layer, which is outside the scope of the CDR.
1.21 Increasing the functionality of the CDR scheme to include action initiation would empower consumers to authorise, manage and facilitate actions securely in the digital economy. As outlined in the Explanatory Memorandum (EM), this would ‘reduce complexity, time and cost for consumers looking to securely get better deals and services that meet their needs, unlock new business models, drive innovation and increase competition’.
1.22 Details and context of the proposed amendments within the bill are outlined below.
Provisions of the bill
Overview of amendments
1.23 The bill consists of one schedule, divided into nine parts, and amends the CCA to establish enabling provisions for action initiation in the CDR. The proposed legislation is designed to build on the existing CDR infrastructure, where individuals and businesses can directly access or direct that their data be shared with certain participants.
1.24 The bill contains several amendments which will, among other things, outline ministerial declarations regarding types of actions that can be initiated under the consumer data right, insert key terms and changes to the Minister’s powers to make rules in relation to action initiation, compliance obligations and amendments to privacy safeguards.
1.25 Under the proposed action initiation framework, the Minister would have the ability to declare types of actions that can be initiated under the CDR, akin to the current designation process for new sectors for data-sharing. Prior to making an action type declaration, a period of public consultation would need to occur, and the Minister would be required to consider the likely effect on the interests of consumers, market efficiency, competition, innovation and the public interest.
1.26 The declaration of action types would specify which data holders would be obliged to accept valid action instructions received from third party accredited action initiators, in the same way as if those instructions came directly from the consumer. The instrument would also declare classes of data holders that are to be action service providers—entities that would receive instructions through the CDR to perform an action. The framework would also allow for other entities to participate voluntarily in CDR action initiation upon approval with appropriate safeguards.
1.27 Following a declaration, the Minister would be able to make high-level rules for an action type that would enliven the obligations for the action type set out in the declaration. Accredited action initiators would need to meet strict accreditation requirements set by the rules and would also be required to:
act efficiently, honestly, and fairly when initiating CDR actions on the consumer’s behalf with their consent;
only initiate actions in accordance with a consumer’s valid request; and
comply with existing privacy safeguards.
1.28 The framework for action initiation in the CDR would primarily regulate the ‘instruction layer’ of an action (the communication channel between the accredited action initiator and the action service provider), including:
consumers’ requests to give instructions;
accredited action initiators giving instructions to action service providers;
how action service providers process instructions; and
communication from the action service provider back to the accredited action initiator (including after action has been performed).
1.29 The bill does not seek to reach into the ‘action layer’, or the performance of the action itself. It would not alter how performing the action operates, but would prevent action service providers from discriminating against a valid action request that came through the CDR.
1.30 As outlined above, the bill proposes amendments to privacy protections (‘privacy safeguards’) within the current CDR framework, comparable to the Australian Privacy Principles. These safeguards are intended to provide a higher level of protection for data used and shared within the CDR framework and would generally apply to action service providers in relation to the instruction layer (action service providers would handle any data received in accordance with the Privacy Act).
1.31 The privacy safeguards would apply to Accredited Action Initiators (AAI) (who are required to be Accredited Persons) and would mean that the safeguards would continue to apply to CDR data regardless of whether they receive CDR data as an AAI or an Accredited Data Recipient.
Consultation
1.32 The Department of the Treasury (Treasury) sought stakeholder views on the exposure draft legislation to enable action initiation in the CDR.
1.33 A detailed consultation process was undertaken between 26 September and 24 October 2022, receiving 36 submissions, including two confidential submissions, from a broad range of industry stakeholders representing a range of sectors.
Commencement
1.34 The proposed amendments would commence on the day after Royal Assent, except for a small number of amendments (to Part IIIC of the Privacy Act 1988 to ensure their application to the CDR operates as intended), which commence:
immediately after the commencement of the balance of the bill; and
on commencement of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (PLA Act).
1.35 The later amendments would not commence at all if the PLA Act does not commence.
1.36 However, before any substantive rights or obligations can come into effect, the Minister must make an action type declaration and make CDR rules establishing such rights and obligations. The substantive rights or obligations would then come into effect on the application date set by those CDR rules.
1.37 An exemption under proposed subsection 56GD(2) of the CCA that is in force immediately before the commencement of the amendments continues in force (and may be dealt with) as if the exemption had been given under that subsection as amended by the bill.
Financial impact
1.38 The EM states that this measure has no financial impact over the forward estimates period.
Legislative scrutiny
1.39 In its Scrutiny Digest 1 of 2023, the Senate Standing Committee on the Scrutiny of Bills (the Scrutiny Committee) raised concerns with the bill regarding several significant matters which are outlined in more detail below.
Reversal of the evidential burden of proof
1.40 The bill seeks to establish several defences which reverse the evidential burden of proof. Proposed section 56BN of the bill makes it an offence where a person engages in conduct that the person knows is misleading or deceptive and the conduct has the effect of making another person believe a person is a CDR consumer for CDR data, or is acting in accordance with a valid request or consent for the disclosure of CDR data. Subsection 56BN(2) provides an exception (offence-specific defence) to this offence, stating that the offence does not apply if the conduct is not misleading or deceptive. A defendant bears the evidential burden of proof in relation to this defence.
1.41 The Scrutiny Committee considers that the rationale for the evidential burden of proof should be comprehensively justified in the EM, with the EM stating that it would be unduly onerous to require the prosecution to prove the materiality of a matter, and that by contrast, being able to produce this material should place no additional burden on the defendant. The Scrutiny Committee commented that this justification made in the statement of compatibility with human rights is overbroad, given the number of matters that could be included within an assessment of whether a matter is significant enough to be considered a material particular. As such:
The committee requests the Treasurer’s advice in relation to the inclusion of subsection 56B(2) as an offence-specific defence, rather than as an element of the offence.
Incorporation of external material as in force from time to time
1.42 Item 179 of Schedule 1 of the bill seeks to introduce paragraph 56GB(1)(aa) to extend the power to make instruments as in force from time to time in paragraph 56GB(2)(b) to CDR declarations for types of CDR actions.
1.43 The Scrutiny Committee observed that where material is incorporated by reference into the law it should be freely and readily available to all those who may be interested in the law. The Scrutiny Committee commented that it is not apparent from the EM whether the incorporated material will be made freely and readily available to all persons as outlined above and requests the Treasurer’s advice on this matter.
Immunity from civil and criminal liability—Reversal of the evidential burden of proof
1.44 Subsection 56GC(1) of the bill provides civil and criminal immunity for different CDR entities performing particular actions if performed in good faith, in compliance with the CDR provisions and any law prescribed by the regulations.
1.45 The Scrutiny Committee considers that if a bill seeks to provide immunity from civil or criminal liability, particularly where such immunity could affect individual rights, this should be soundly justified. In this instance, the EM has not provided an explanation for the inclusion of the immunity.
1.46 Concerns regarding the reversal of the evidential burden of proof were also raised, with the Scrutiny Committee noting that provisions that reverse the burden of proof and require the defendant to disprove one or more elements of an offence interfere with the common law right to be presumed innocent until proven guilty. The EM outlines that this is appropriate as the individual will know whether they received evidence of a valid consent or request and otherwise met their CDR obligations and, as this material will be within a person’s knowledge, it should place no additional burden on the person. The committee noted that it is not clear that the information would be within the knowledge of the defendant, or that it would be difficult or costly for the prosecution to establish the matters.
1.47 As such the committee requests the Treasurer’s advice as to:
why it is necessary and appropriate to confer immunity from civil and criminal proceedings on a potentially broad range of persons, so that affected persons have their right to bring an action to enforce their legal rights limited to situations where a lack of good faith is shown;
where there is not a sufficient justification, consideration be given to amending the bill so that a more limited immunity is conferred; and
why it is proposed to use offence-specific defences (which reverse the evidential burden of proof) in this instance. The committee's consideration of the appropriateness of a provision which reverses the burden of proof is assisted if it explicitly addresses relevant principles as set out in the Guide to Framing Commonwealth Offences.
Broad discretionary power
1.48 Concerns were also raised by the Scrutiny Committee around the bill’s inclusion of a broad discretionary power for the ACCC to exempt persons from the operation of primary and delegated legislation, and for the regulations to exempt persons or classes of persons from the operation of primary and delegated legislation and to modify how that legislation would operate.
1.49 In particular, the committee noted the lack of detail on the face of the primary legislation in relation to the circumstances in which an exemption may be granted and general guidance in relation to the conditions which may apply to an exemption. As such, the committee requests the Treasurer’s advice as to:
why it is considered necessary and appropriate to provide a broad power to grant exemptions from the operation of the consumer data right scheme, including within delegated legislation; and
whether the bill can be amended to include appropriate safeguards on the exercise of the discretionary power to provide those exemptions.
Human rights implications
1.50 As discussed in the EM, the Statement of Compatibility with Human Rights argues that the bill is compatible with human rights and freedoms recognised in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011, and thus does not raise any human rights concerns.
Regulatory impact statements
1.51 The EM notes that the following four reports were certified as being informed by a process and analysis equivalent to a Regulation Impact Statement relating to the amendments in the bill:
(1) Issues Paper of the Inquiry into Future Directions for the Consumer Data Right.
(2) Final Report of the Inquiry into Future Directions for the Consumer Data Right.
(3) Supplementary analysis.
(4) Decision map.
1.52 The Issues Paper of the Inquiry into Future Directions for the Consumer Data Right, the supplementary analysis and the decision map can be found in Attachment 1 of the EM.
Conduct of the inquiry
1.53 The committee advertised the inquiry on its website and wrote to relevant stakeholders and interested parties inviting written submissions by 6 March 2023.
1.54 The committee received 17 submissions as well as additional information and answers to questions on notice, which are listed at Appendix 1.
1.55 The committee held one public hearing for the inquiry on 18 April 2023. The names of witnesses who appeared at the hearing can be found at Appendix 2.
Acknowledgements
1.56 The committee thanks all individuals and organisations who assisted with the inquiry, especially those who made written submissions and participated in the public hearing.