Treasury presents updated privacy analysis for CDR

On 1 March 2019, the Australian Treasury released an updated version of its Privacy Impact Assessment (PIA) for the CDR. The latest version incorporates public feedback received during consultation on the first PIA from 21 December 2018 to 18 January 2019, and reflects comments from an independent consultant's review of the first PIA.

The revised PIA assesses the CDR regime using a first-principles approach to risk assessment which acknowledges that the CDR incorporates its own privacy safeguards, which are stronger than the Australian Privacy Principles (APPs) in many respects. The regime provides further privacy protections in that data transferred under the CDR must be provided in accordance with data rules (Rules) developed and enforced by the ACCC as well as mandated consumer data standards (Standards) on information security. The PIA makes a number of key recommendations as to how these protections might best be implemented, including the following:

  • The Rules and data Standards be designed so as to weigh privacy protections and competition and innovation benefits equally.
  • The Rules create a consent framework that ensures that consumer consent is genuine.
  • The ACCC consider making rules requiring accredited data recipients to implement processes to prevent inappropriate access to CDR data by data recipient employees.

The Treasury has stressed that the PIA process is very much iterative, with further PIAs to be conducted as the CDR is expanded and developed. For consumers, business and industry stakeholders, it will be interesting to see what final form the CDR privacy framework takes and watch how this develops as the CDR is implemented across future sectors beyond banking.

For further details and a copy of the updated PIA see here.

ACCC consults on CDR access model for energy

On 25 February 2019, the Australian Competition and Consumer Commission (ACCC) announced that it is seeking feedback on data access models for the implementation of the Consumer Data Right (CDR) in the energy sector.

As per our report in August 2018 and previous editions of Legal Bytes, Australia's Parliament has enacted law that establishes a legislative framework for the implementation of a 'consumer data right' (CDR). The CDR, which initially will only apply to data in the banking sector, is the right of consumers to safely, efficiently and conveniently access data relating to them held by businesses and the ability to authorise secure access to this data by accredited third parties.

The Finkel Review, the ACCC’s Retail Electricity Pricing Inquiry, the Australian Energy Market Commission’s Retail Competition Review and the Productivity Commission’s report on data availability have all suggested facilitating greater consumer access to energy data. A common thread among the reports is the concentration of market share in the retail electricity market. It is believed that the CDR's introduction may enhance competition in the market, and ultimately encourage customer uptake of innovations leveraging existing smart meter technology.

The ACCC is working towards implementing the CDR in the energy sector in the first half of 2020 and invites submissions on its consultation paper up until 5:00 pm AEST on 22 March 2019. Submissions can be made either via the ACCC’s Consultation Hub or by email to ACCC-CDR@accc.gov.au.