Australian Information Commissioner Act 2010 (Cth).
The CDR is intended to give Australian consumers and small businesses (Consumers) greater choice and convenience while promoting business efficacy. This will be achieved by giving Consumers a right to access data held by businesses that relates to their use of a product, and to authorise the sharing of that data with other third party providers. The sharing of this data is intended to assist Consumers to compare and negotiate better product deals offered by providers (s 5 of the Act). The CDR will be implemented across all sectors of the economy; however, it will initially be applied to the banking, energy and telecommunications sectors (s 5 of the Act).
Amendments Post Federal Election
Following public consultation, the Government made minor revisions to the draft 2018 bill prior to re-introducing it to Parliament. Some of the main amendments are as follows:
- Under section 56BS(1) the ACCC is permitted to make emergency rules without public consultation and without the Minister’s consent. This applies when the ACCC has a belief, which does not need to be reasonable (as was originally proposed), that the rules are necessary to avoid a risk of serious harm to the efficiency, integrity or stability of the Australian economy or the interests of consumers. However, the ACCC must provide the Minister with a written explanation of the need for such rules and has the power to vary or appeal the emergency data rule. Further, the ‘emergency’ rule will cease to be in force 6 months after it was made if the Minister and the Information Commissioner were not consulted at the time of implementation.
- The 2019 CDR detailed that in making ordinary and emergency CDR rules, the ACCC must have regard to the impact on consumers, markets, privacy and confidentiality, competition, intellectual property and the public interest and the regulatory impact of regulation (ss 56BP, 56BS(1) of the Act).
- Further, section 56EO states that accredited data recipients and designated gateways are to take steps, as outlined in the consumer data rules, to protect the CDR data from misuse, interference and loss, and from unauthorised access, modification or disclosure. However, if the CDR entity no longer needs any of the CDR data, and it therefore becomes redundant data, the CDR entity may take active steps to destroy or de-identify the redundant data. The 2019 CDR now specifies that redundant data does not relate to any current or anticipated legal proceedings or a dispute resolution process to which the data holder is a party (s 56EO(2)(c) of the Act).
Compliance and Enforcement
The CDR enforcement and remedy regime is consistent with the Competition and Consumer Act 2010 (Cth). However, sections 56BN and 56BO of the Treasury Laws Amendment (Consumer Data Right) Act 2019 (Cth) amend the Competition and Consumer Act 2010 (Cth) to introduce criminal and civil penalty provisions relating to misleading or deceptive conduct. These sections provide civil and criminal penalties for conduct which misleads a person into believing that a person is a CDR consumer or is acting in accordance with a valid request or consent from a CDR consumer.
Further, the new CDR regime incorporates privacy safeguards and section 56ES provides a regime for notification of a CDR data security breach that extends Part IIC of the Privacy Act 1988 (Cth).
Following the passing of the legislation, the ACCC has the lead role in implementing the CDR. The ACCC is developing the rules to which the principles, requirements and outcomes for the application of the CDR.
On 28 August 2019, the ACCC announced that it has chosen an Australian Energy Market Operator (AEMO) gateway model as the preferred data access model. The AEMO would function as a gateway that would provide CDR data from data holders to accredited data recipients.
On 2 September 2019, the ACCC released the foundational rules required to implement the CDR in banking.