Significant changes are currently underway to Australian privacy law which are intended to boost competition in a number of important sectors of the Australian economy and to improve consumer choice and control over their data.
The Treasury Laws Amendment (Consumer Data Right) Bill 2019 was tabled in Parliament earlier this week. If passed, the bill will introduce a new “Consumer Data Right” (CDR) in Australia. The CDR will give both individual and business consumers expanded rights of access to data held about them by businesses. It will also give such consumers access to data about products and enable them to share such data with accredited third party recipients.
The introduction of the CDR was recommended in march 2017 by the Productivity Commission in its report entitled Inquiry Reported to Data Availability and Use and it was endorsed by the Federal Government in its partial response to that report in November 2017. Meanwhile, the then Treasurer commissioned a Review into Open Banking in Australia 2017, which resulted in a recommendation that “Open Banking” (essentially the application of the CDR in the banking sector) be implemented through a broader CDR framework.
Other reports and reviews which have contemplated a CDR, or “data portability”, include the Competition Policy Review 2015, the Financial System Inquiry 2015 and the Independent Review to the Future Security of the National Electricity Market – Blueprint for the future 2017.
The CDR is a mechanism for enabling individual and business consumers to access information about themselves and about their service providers’ products, and to direct their existing service provider to share that information with other service providers.
The objective of the CDR is to enable individuals and businesses to make more informed decisions about the goods and services which they use and to, in turn, increase competition.
It is proposed that initially the CDR will be confined to the banking sector, with telecommunications providers and energy companies to follow.
A third party will generally only be entitled to receive a consumer’s data if it has first been accredited. The process of accreditation requires the third party to have adequate security and privacy safeguards.
The CDR enables consumers to access a broader range of information than is currently provided for by Australian Privacy Principle (APP) 12 in the Privacy Act. While APP 12 allows individuals to access “personal information” about themselves, the CDR applies to data that relates to businesses as well as individuals and provides access to information about a service provider’s products as well.
As the CDR embraces competition and consumer matters, the new scheme will be regulated jointly by the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC).
Once a consumer has authorised the transfer of data under the CDR framework to an accredited recipient, the recipient will be subject to a range of obligations which will be at least comparable to their obligations under the APPs. Additionally, the ACCC will have the power to make rules relating to the CDR framework, which could include rules imposing additional obligations on accredited CDR recipients relating to how they must store and may use and disclose CDR data, for example.
It is significant to note that “small businesses” (being businesses with an annual turnover of less than $3 million) are generally exempt from any obligations under the Privacy Act. However, under the proposed CDR framework, an accredited small business recipient of CDR data will essentially lose its right to rely on that exemption. Under the proposed framework, all “personal information” held by an accredited small business CDR recipient will be covered by either the CDR privacy safeguards or the Privacy Act. The Privacy Act will apply to any “personal information” held by the small business which is not CDR data (and accordingly not subject to the CDR privacy safeguards).
It is also proposed that a data standards body will be established to assist a data standards chair in making data standards. The data standards will determine, for example, the format in which data must be made available within certain sectors to promote interoperability and reduce access costs.
Please contact Gordon Hughes or Andrew Sutherland in our Melbourne office if you have any questions about the Consumer Data Right Bill or other aspects of Australian data security and privacy legislation.