Australia has made an important step in disrupting the data ecosystem by finally establishing a Consumer Data Right (CDR) which allows consumers to require the sharing of their data between entities.
On 1 August 2019, the Federal Government passed the Treasury Laws Amendment (Consumer Data Right) Bill 2019 (Second CDR Bill) which will soon amend the Competition and Consumer Act 2010 (Cth) (CCA), the Privacy Act 1988 (Cth) and the Australian Information Commissioner Act 2010 (Cth) (AIC Act).
The Government previously introduced a bill seeking to establish a CDR in February 2019 (First CDR Bill) (see our latest insight in relation to the banking sector specifically). However, its First CDR Bill lapsed when the House of Representatives was dissolved ahead of the federal election earlier this year. The Government has made a number of changes, all relatively minor, to the First CDR Bill before re-introducing it into Parliament.
This Insight briefly explores the main differences between the First CDR Bill (which lapsed) and the Second CDR Bill which will commence operation the day after the bill receives royal assent.
Changes that impact the CCA – Schedule 1 Part 1 of the Second CDR Bill
- When the ACCC makes emergency CDR rules, it must believe the rules are necessary to avoid a risk of serious harm to the efficiency, integrity or stability of the Australian economy or the interests of consumers. The Second CDR Bill clarifies that the belief does not necessarily need to be reasonable (section 56BS(1) CCA).
The ACCC must have regard to the impact on consumers, markets, privacy and confidentiality, competition, intellectual property and the public interest and the regulatory impact of regulation before making emergency CDR rules. The Second CDR Bill clarifies that the ACCC must have regard to the same matters when making ordinary and emergency CDR rules (sections 56BP and 56BS(1) CCA).
There is a new exception to the obligation to destroy or de-identify redundant data. The Second CDR Bill provides that the obligation to destroy or de-identify redundant data will no longer apply where the redundant data relates to current or anticipated legal proceedings or a dispute resolution process to which the data holder is a party (section 56EO CCA).
In the absence of an appointment by the Minister, the Data Standards Chair will no longer be the ACCC but the Minister (section 56FG CCA).
The transitional period for the introduction of the CDR regime to the banking and energy sectors has been extended, as follows:
- The Second CDR Bill provides that the Minister does not need to consult the ACCC or the Information Commissioner on the designation instrument for the banking or energy industries where the instruments are made before 1 July 2020 or three months after the Second CDR Bill receives Royal Assent (whichever occurs later). Previously, the transition period ended on 1 January 2020.
- Similarly, the Second CDR Bill provides that the ACCC does not need to consult on the CDR rules for the banking sector where they are made prior to 1 July 2020 or three months after the Second CDR Bill receives Royal Assent (whichever is later). Previously, the transition period ended on 1 January 2020.
Changes that impact AIC Act – Schedule 1 Part 2 of the Second CDR Bill
- The Second CDR Bill now allows the Information Commissioner to disclose information to the Data Recipient Accreditor or the ACCC (who is the Data Recipient Accreditor at first instance) that is relevant to a data recipient applicant’s accreditation. The purpose of this change is to make the Data Recipient Accreditor aware of prior breaches of the Privacy Act 1988 by an applicant.