Australia: A Detailed Look At Australia's New Consumer Data Right

Last Updated: 21 August 2019
Article by Gordon Hughes

The Treasury Laws Amendment (Consumer Data Right) Act 2019 was passed on 1 August 2019 and the first stage will come into effect in February 2020. The legislation introduces data portability in the form of a new "Consumer Data Right" (CDR) by means of amendments to the Competition and Consumer Act 2010 (CCA). The CDR will give both individual and business consumers expanded rights of access to data held about them by businesses. It will also give such consumers access to data about products and enable them to share such data with accredited third party recipients.

Background

The introduction of the CDR was recommended in March 2017 by the Productivity Commission in its report entitled Data Availability and Use and it was endorsed by the Federal Government in its partial response to that report in November 2017. Meanwhile, the then Treasurer commissioned a Review into Open Banking in Australia 2017, which resulted in a recommendation that "Open Banking" (essentially the application of data portability in the banking sector) be implemented through a broader CDR framework.

Other reports and reviews which have contemplated the introduction of data portability in Australia include the Competition Policy Review 2015, the Financial System Inquiry 2015 and the Independent Review to the Future Security of the National Electricity Market – Blueprint for the future 2017.

Exposure draft legislation, in the form of the Treasury Laws Amendment (Consumer Data Right) Bill 2018, was initially released by the government in August 2018. In September 2018, the government released a second iteration, incorporating feedback received from the initial exposure draft material.

The material released in September 2018 also included a draft Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2018. As required by section 56AC of the Draft Bill, the Designation Instrument specified that authorised deposit-taking institutions would be covered initially by the Consumer Data Right, whilst further designating the classes of information which would be subject to the CDR.

The Treasury Laws Amendment (Consumer Data Right) Bill 2019 was initially tabled in Parliament on 13 February 2019 and referred to the Senate Economics Legislation Committee for consideration and report, but the Bill lapsed on 11 April 2019 when Parliament was prorogued for the federal election.

The Bill was subsequently re-introduced by the government on 26 July 2019, and was passed on 1 August 2019.

“Data Portability” in Europe

The new CDR is a form of “data portability”, a concept entrenched in European data protection law.

Article 20 of the EU’s General Data Protection Regulation (GDPR) provides that a data subject has the right “to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided” in circumstances where the processing is carried out by automated means.

Overview of CDR

The CDR is a mechanism for enabling individual and business consumers to access information about themselves and about their service providers' products, and to direct their existing service provider to share that information with other service providers.

The objective of the CDR is to assist individuals and businesses in making informed decisions about the goods and services which they use and, in turn, to increase competition. Specifically, the object of the amendments, as set out in the new section 56AA of the CCA, is:

  • (a) to enable consumers in certain sectors of the Australian economy to require information relating to themselves in those sectors to be disclosed safely, efficiently and conveniently:
      • to themselves for use as they see fit; or
      • to accredited persons for use subject to privacy safeguards; and
  • (b) to enable any person to efficiently and conveniently access information in those sectors that:
      • is about goods (such as products) or services; and
      • does not relate to any identifiable, or reasonably identifiable, consumers; and
  • (c) as a result of paragraphs (a) and (b), to create more choice and competition, or to otherwise promote the public interest.

The CDR enables consumers to access a broader range of information than is currently provided for by Australian Privacy Principle (APP) 12 in the Privacy Act. While APP 12 allows individuals to access "personal information" about themselves, the CDR applies to data that relates to businesses as well as individuals and provides access to information about a service provider's products as well.

In respect of data about products, goods or services, a data holder can only be required to disclose data about the eligibility criteria, terms and conditions, price, availability or performance. Pursuant to section 56BF of the amended Act, disclosure about availability or performance can only be mandated where this data is publicly available.

Key concepts

The CDR system revolves around a number of key concepts:

  • “CDR data” is essentially information which has been specified as falling within a class of information which is to be regulated by the new scheme: section 56AI(1);
  • “CDR consumer” is the person to whom the CDR data relates: section 56AI(3). Broadly speaking, consumers are the persons or entities that have the right to request that their information be transferred from the data holder to the accredited data recipient. The CDR consumer is an “identifiable or reasonably identifiable person”, including a business enterprise, to whom the CDR data relates because of the supply of a good or service either to the person or an associate of the person. With respect to individuals, the concept of “identifiable or reasonably identifiable” person is broader than the concept of “personal information” under the Privacy Act as interpreted by the Full Court of the Federal Court of Australia in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4;
  • “data holder” is the entity which holds the original data or which holds data directly or indirectly derived from the original data: section 56AJ. Broadly speaking, data holders are the holders of the original data to which the right to transfer applies. They are subject to rules under the scheme which mandate the granting of access to a consumer upon request;
  • “accredited data recipient” is a person formally authorised under the scheme to receive CDR data: section 56AK. In other words, accredited persons are “licensed” to receive the data through the CDR system. Accredited data recipients are accredited persons who have received CDR data and must maintain strict privacy safeguards. Being an accredited data recipient is essential in order to be able to receive data about a consumer. The consumer data rules will provide that a CDR consumer's right to access their data and to direct a data holder to transfer the data to another entity under the CDR exists only where that entity is an accredited person. The process of accreditation requires the third party to have adequate security and privacy safeguards. Accreditation is provided by a Data Recipient Accreditor (section 56CA) and it is an offence for a person to hold themselves out as being accredited if this is not the case (section 56CC). The Data Recipient Accreditor is a Commonwealth entity appointed by the Minister (section 56CG). An Accreditation Registrar will maintain a Register of Accredited Persons (section 56CE);
  • “designated gateway” means a person specified as having the authority to receive and disseminate CDR data on behalf of the members of a designated industry group: section 56AL. A gateway is a person whose role it is to facilitate the transfer of data between certain participants in the CDR regime. According to the Explanatory Memorandum, there are limited circumstances in which a gateway would be designated, but one example is said to be the energy sector. One option being considered would be to designate the Australian Energy Market Operator (AEMO) as the gateway. Under this scenario, the ACCC would make rules requiring the data holders in the energy sector to meet an obligation to disclose CDR data by disclosing the data to the AEMO. Similarly, the ACCC would make a rule requiring the AEMO to disclose the data to the accredited persons or the consumer in accordance with the request made by the consumer.

Designated sectors – banking to be followed by energy

Under section 56AC, the Minister has the power to designate a sector of the Australian economy as being subject to the CDR. It is proposed that initially the CDR will be confined to the banking sector, with energy companies and telecommunications providers to follow.

Relevant to the proposed future extension to the energy sector, the Australian Competition and Consumer Commission (ACCC) issued a discussion paper in February 2019 as part of the consultation process on how best to apply the CDR to the energy sector: Consumer Data Right in Energy: Consultation Paper – Data Access Models for Energy Data. The ACCC sought comments on three proposed models for consumers to access their data in the energy market, noting that one complication unique to the energy sector is that energy data relating to an individual may be held by a number of organisations, so that it may not be possible for any single entity to provide sufficient data on its own.

"Model 1" proposed by the ACCC for the energy sector contemplated a centralised model under which the Australian Energy Market Operator (AEMO) would be the sole holder of a centralised data set, to be shared by the AEMO with accredited data recipients via Application Programming Interfaces. Model 2 contemplated the AEMO performing a gateway function, acting as a pipeline for the provision of CDR data from data holders which may include retailers and potentially also distributors, to accredited data recipients. Model 3 was described as "the economy-wide CDR model", involving existing data holders (e.g. retailers) being responsible for providing CDR data directly to accredited data recipients and/or consumers (this is in effect the model used for the banking sector).

Impact on the “small business exemption”

“Small businesses" (being businesses with an annual turnover of less than $3 million) are generally exempt from any obligations under the Privacy Act. However, under the new CDR framework, an accredited small business recipient of CDR data will essentially lose its right to rely on that exemption. All "personal information" held by an accredited small business CDR recipient will be covered by either the CDR privacy safeguards or the Privacy Act

Privacy Safeguards

Once a consumer has authorised the transfer of data under the CDR framework to an accredited recipient, the recipient will be subject to a range of obligations which will be at least comparable to their obligations under the APPs.

Division 5 of the new Part IVD of the CCA contains a set of “Privacy Safeguards”. The object of Division 5, as set out in section 56EA, is to set out “privacy safeguards that protect the privacy or confidentiality of CDR consumers’ CDR data, whether the CDR consumers are individuals or bodies corporate”. The privacy safeguards apply mainly to accredited data recipients, and a failure to comply can attract a civil penalty or result in suspension or revocation of the person’s accreditation.

The privacy safeguards prevail over inconsistent consumer data rules, and replace the Australian Privacy Principles in relation to the handling of CDR data by an accredited data recipient. Except where specified otherwise, the privacy safeguards do not replace the APPs in relation to the handling of CDR data by data holders or a designated gateway (section 56EC).

The privacy safeguards broadly mirror the APPs, although overall they are more restrictive. Whilst the Privacy Act distinguishes between “personal information” and “sensitive information”, with sensitive information accorded a greater level of protection, the CDR treats all information at least at the level of sensitive information.

In March 2019, the Treasury published a Privacy Impact Assessment for the CDR in accordance with the Privacy (Australian Government Agencies – Governance) APP Code 2017 in which it compared the relative strengths of the privacy safeguards and the APPs. The outcome of this comparison is summarised in the following table:

Privacy Safeguard # | APP equivalent | Treasury PIA assessment
1. Open and Transparent Management of CDR Data (s 56ED) | APP 1 | Privacy safeguard and APPs equivalent
2. Anonymity and Pseudonymity (s 56EE) | APP 2 | Privacy Safeguard stronger
3. Soliciting CDR Data from CDR Participants (s 56EF) | APP 3 | Privacy Safeguard stronger
4. Dealing with Unsolicited CDR Data from CDR Participants (s 56EG) | APP 4 | Privacy Safeguard stronger
5. Notifying of the Collection of CDR Data (s 56EH) | APP 5 | Privacy Safeguard stronger
6. Use or Disclosure of CDR Data by Accredited Data Recipients or Designated Gateways (s 56EI) | APP 6 | Privacy Safeguard stronger
7. Use or Disclosure of CDR Data for Direct Marketing by Accredited Data Recipients or Designated Gateways (s 56EJ) | APP 7 | Privacy Safeguard stronger
8. Overseas Disclosure of CDR Data by Accredited Data Recipients (s 56EK) | APP 8 | Privacy safeguard and APPs equivalent
9. Adoption or Disclosure of Government Related Identifiers by Accredited Data Recipients (s 56EL) | APP 9 | Privacy Safeguard stronger
10. Notifying of the Disclosure of CDR Data (s 56EM) | No equivalent | No equivalent APP
11. Quality of CDR Data (s 56EN) | APP 10 | Privacy safeguard and APPs equivalent
12. Security of CDR Data held by Accredited Data Recipients or Designated Gateways (s 56EO) | APP 11 | Privacy safeguard and APPs equivalent
(no separate safeguard) | APP 12 | No direct equivalent, but “the CDR as a whole is the equivalent of APP 12”
13. Correction of CDR Data (s 56EP) | APP 13 | Privacy safeguard and APPs equivalent

The privacy safeguard which has no APP equivalent – privacy safeguard 10 – requires a data holder or accredited data recipient to notify the individual that they have responded to a valid request under the consumer data rules to disclose the individual’s CDR data.

Mandatory Data Breach Notification

With respect to mandatory data breach notification, section 56ES has the effect of applying Part IIIC of the Privacy Act in a corresponding way to an accredited data recipient or designated gateway which holds a CDR consumer’s CDR data. In this context, Part IIIC will not be restricted in its application to personal information, but will also embrace CDR data in its broader form.

In other words, an accredited data recipient or designated gateway will be required to give notification to the Australian Information Commissioner of an "eligible data breach” as defined in section 26WE of the Privacy Act, effectively meaning a situation in which a reasonable person would conclude that the unauthorised access to or disclosure of CDR data would be likely to result in serious harm to the data subject.

Regulation of the scheme

As the CDR embraces competition and consumer matters, the new scheme will be regulated jointly by the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC).

The scheme is structured in a way that the ACCC will lead on issues concerning the designation of new sectors of the economy to be subject to the CDR and the establishment of the consumer data rules, whilst the OAIC will lead on matters relating to the protection of individual and small business consumer participants' privacy and confidentiality, and compliance with the CDR Privacy Safeguards.

Specifically, the Australian Information Commissioner Act 2010 is amended to ensure that the OAIC’s privacy functions extend to the CDR regime, while section 155 of the CCA is amended to extend the ACCC’s information gathering powers so as to apply to contraventions of the CDR regime and the consumer data rules.

Consumer Data Rules

The ACCC now has the power to make "consumer data rules" relating to the CDR framework (section 56BA), including matters such as disclosure, collection, use, accuracy, storage, security or deletion of CDR data (section 56BC) and extending to rules imposing additional obligations on accredited CDR recipients relating to how they must store and may use and disclose CDR data, for example.

A person who fails to comply with the consumer data rules may be subject to a civil penalty.

Whilst the consumer data rule making power provides substantial scope for the ACCC to shape the operation of the CDR scheme, the Explanatory Memorandum emphasises the existence of “checks and balances”. The rules are disallowable instruments, and can only be made with the Minister's consent. Other limitations highlighted in the Explanatory Memorandum are that the rules cannot:

  • require a CDR participant to disclose CDR data before 1 July 2019 or impose a retrospective commencement or application [Schedule 1, item 1, subsection 56BK(1)];
  • require the disclosure of information about a consumer unless that information is specified in the designation instrument and the disclosure is to a CDR consumer, accredited person or designated gateway [Schedule 1, item 1, subsection 56BD(1)];
  • require the disclosure of information about a product or a good or service unless the data is about eligibility criteria, terms and conditions, price, or publicly available information about the availability or performance of the product [Schedule 1, item 1, subsection 56BF(1)];
  • allow a fee to be charged for data for which a fee cannot be charged [Schedule 1, item 1, subsections 56BD(2) and 56BF(2)];
  • impose deletion obligations on a data holder for CDR data about a consumer [Schedule 1, item 1, paragraph 56BD(3)(a)];
  • require the data holder to do anything in relation to the use, accuracy, storage or security of the CDR data unless those rules also relate to the disclosure of the CDR data under the consumer data rules [Schedule 1, item 1, paragraph 56BD(3)(b)]; or
  • require or authorise a designated gateway to do anything in relation to the collection, use, storage, or disclosure of the CDR data unless those rules also relate to the gateway facilitating the transfer of CDR data between data holders, accredited data recipients or the consumer [Schedule 1, item 1, subsection 56BG(3)].

Data Standards

Data standards are determined by a Data Standards Chair, with the standards embracing the format and description of CDR data, the manner of disclosure of CDR data, the manner of collection, use, accuracy, storage, security and deletion of CDR data and the process for de-identification of CDR data (section 56FA).

The data standards are not a legislative instrument. They are intended to be largely in the nature of specifications as to how information technology solutions must be implemented in order to ensure reliable interoperability in relation to the sharing of data. They will only describe how the CDR must be implemented in accordance with the consumer data rules. The consumer data rules will set out the substantive rights and obligations of participants.

Information Commissioner’s Guidelines

The Information Commissioner has the specific role of developing guidelines, promoting compliance and undertaking educational programs relating to the scheme (section 56ER).

In particular, the Information Commissioner is empowered to make guidelines outlining the sorts of acts or practices that could result in breach of the privacy safeguards: section 56EQ(1).

The guidelines must be made in consultation with the ACCC, and to the extent of any inconsistencies with the consumer data rules, the consumer data rules will take precedence: section 56EQ(2) and (4). The guidelines are not legally enforceable and, as such, are not legislative instruments.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
