The Treasury Laws Amendment (Consumer Data Right) Act 2019 was passed on 1 August 2019 and the first stage will come into effect in February 2020. The legislation introduces data portability in the form of a new “Consumer Data Right” (CDR) by means of amendments to the Competition and Consumer Act 2010 (CCA). The CDR will give both individual and business consumers expanded rights of access to data held about them by businesses. It will also give such consumers access to data about products and enable them to share such data with accredited third party recipients.
The introduction of the CDR was recommended in March 2017 by the Productivity Commission in its report entitled Data Availability and Use and it was endorsed by the Federal Government in its partial response to that report in November 2017. Meanwhile, the then Treasurer commissioned a Review into Open Banking in Australia 2017, which resulted in a recommendation that “Open Banking” (essentially the application of data portability in the banking sector) be implemented through a broader CDR framework.
Other reports and reviews which have contemplated the introduction of data portability in Australia include the Competition Policy Review 2015, the Financial System Inquiry 2015 and the Independent Review to the Future Security of the National Electricity Market – Blueprint for the future 2017.
Exposure draft legislation, in the form of the Treasury Laws Amendment (Consumer Data Right) Bill 2018, was initially released by the government in August 2018. In September 2018, the government released a second iteration, incorporating feedback received from the initial exposure draft material.
The material released in September 2018 also included a draft Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2018. As required by section 56AC of the Draft Bill, the Designation Instrument specified that authorised deposit-taking institutions would be covered initially by the Consumer Data Right, whilst further designating the classes of information which would be subject to the CDR.
The Treasury Laws Amendment (Consumer Data Right) Bill 2019 was initially tabled in Parliament on 13 February 2019 and referred to the Senate Economics Legislation Committee for consideration and report, but the Bill lapsed on 11 April 2019 when Parliament was prorogued for the federal election.
The Bill was subsequently re-introduced by the government on 26 July 2019, and was passed on 1 August 2019.
“Data Portability” in Europe
The new CDR is a form of “data portability”, a concept entrenched in European data protection law.
Article 20 of the EU’s General Data Protection Regulation (GDPR) provides that a data subject has the right “to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided” in circumstances where the processing is carried out by automated means.
OVERVIEW of CDR
The CDR is a mechanism for enabling individual and business consumers to access information about themselves and about their service providers’ products, and to direct their existing service provider to share that information with other service providers.
The objective of the CDR is to assist individuals and businesses in making informed decisions about the goods and services which they use and, in turn, to increase competition. Specifically, the object of the amendments, as set out in the new section 56AA of the CCA is:
- (a) to enable consumers in certain sectors of the Australian economy to require information relating to themselves in those sectors to be disclosed safely, efficiently and conveniently:
- to themselves for use as they see fit; or
- to accredited persons for use subject to privacy safeguards; and
- (b) to enable any person to efficiently and conveniently access information in those sectors that:
- is about goods (such as products) or services; and
- does not relate to any identifiable, or reasonably identifiable, consumers; and
- (c) as a result of paragraphs (a) and (b), to create more choice and competition, or to otherwise promote the public interest.
The CDR enables consumers to access a broader range of information than is currently provided for by Australian Privacy Principle (APP) 12 in the Privacy Act. While APP 12 allows individuals to access “personal information” about themselves, the CDR applies to data that relates to businesses as well as individuals and provides access to information about a service provider’s products as well.
In respect of data about products, goods or services, a data holder can only be required to disclose data about the eligibility criteria, terms and conditions, price, availability or performance. Pursuant to section 56BF of the amended Act, disclosure about availability or performance can only be mandated where this data is publicly available.
The CDR system revolves around a number of key concepts:
- “CDR data” is essentially information which has been specified as falling within a class of information which is to be regulated by the new scheme: section 56AI(1);
- “CDR consumer” is the person to whom the CDR data: section 56AI(3). Broadly speaking, consumers are the persons or entities that have the right to request that their information be transferred from the data holder to the accredited data recipient. The CDR consumer is an “identifiable or reasonably identifiable person”, including a business enterprise, to whom the CDR data relates because of the supply of a good or service either to the person or an associate of the person. With respect to individuals, the concept of “identifiable or reasonably identifiable” person is broader than the concept of “personal information” under the Privacy Act as interpreted by the Full Court of the Federal Court of Australia in Privacy Commissioner v Telstra Corporation Limited  FCAFA;
- “data holder” is the entity which holds the original data or which holds data directly or indirectly derived from the original data: section 56AJ. Broadly speaking, data holders are the holders of the original data to which the right to transfer applies. They are subject to rules under the scheme which mandate the granting of access to a consumer upon request;
- “accredited data recipient” is a person formally authorised under the scheme to receive CDR data: section 56AK. In other words, accredited persons are “licensed” to receive the data through the CDR system. Accredited data recipients are accredited persons who have received CDR data and must maintain strict privacy safeguards. Being an accredited data recipient is essential in order to be able to receive data about a consumer. The Consumer Data Rules will provide that a CDR consumer’s right to access their data and direct a data holder to transfer the data to another entity under the CDR, exists only where the entity is an accredited person. The process of accreditation requires the third party to have adequate security and privacy safeguards. Accreditation is provided by a Data Recipient Accreditor (section 56CA) and it is an offence for a person to hold themselves out as being accredited if this is not the case (section 56CC). The Data Recipient Accreditor is a Commonwealth entity appointed by the Minister (section 56CG). An Accreditation Registrar will maintain a Register of Accredited Persons (section 56CE);
- “designated gateway” means a person specified as having the authority to receive and disseminate CDR data on behalf of the members of a designated industry group: section 56AL. A gateway is a person whose role it is to facilitate the transfer of data between certain participants in the CDR regime. According to the Explanatory Memorandum, there are limited circumstances in which a gateway would be designated, but one example is said to be the energy sector. One option being considered would be to designate the Australian Energy Market Operator (AEMO) as the gateway. Under this scenario, the ACCC would make rules requiring the data holders in the energy sector to meet an obligation to disclose CDR data by disclosing the data to the AEMO. Similarly the ACCC would make a rule requiring the AEMO to disclose the data to the accredited persons or the consumer in accordance with the request made by the consumer.
Designated sectors – banking to be followed by energy
Under section 56AC, the Minister has the power to designate a sector of the Australian economy as being subject to the CDR. It is proposed that initially the CDR will be confined to the banking sector, with energy companies and telecommunications providers to follow.
Relevant to the proposed future extension to the energy sector, the Australian Competition and Consumer Commission (ACCC) issued a discussion paper in February 2019 as part of the consultation process on how best to apply the CDR to the energy sector: Consumer Data Right in Energy: Consultation Paper – Data Access Models for Data Energy. The ACCC sought comments on three proposed models for consumers to access their data in the energy market, noting that one complication unique to the energy sector is that energy data relating to an individual may be held by a number of organisations and it may not be possible for a single entity to provide sufficient data alone.
“Model 1” proposed by the ACCC for the energy sector contemplated a centralised model under which the Australian Energy Market Operator (AEMO) would be the sole holder of a centralised data set, to be shared by the AEMO with accredited data recipients via Application Programming Interfaces. Model 2 contemplated the AEMO performing a gateway function, acting as a pipeline for the provision of CDR data from data holders which may include retailers and potentially also distributors, to accredited data recipients. Model 3 was described as “the economy-wide CDR model”, involving existing data holders (e.g. retailers) being responsible for providing CDR data directly to accredited data recipients and/or consumers (this is in effect the model used for the banking sector).
Impact on the “small business exemption”
“Small businesses” (being businesses with an annual turnover of less than $3 million) are generally exempt from any obligations under the Privacy Act. However, under the new CDR framework, an accredited small business recipient of CDR data will essentially lose its right to rely on that exemption. All “personal information” held by an accredited small business CDR recipient will be covered by either the CDR privacy safeguards or the Privacy Act
Once a consumer has authorised the transfer of data under the CDR framework to an accredited recipient, the recipient will be subject to a range of obligations which will be at least comparable to their obligations under the APPs.
Division 5 of the new Part IVD of the CCA contains a set of “Privacy Safeguards”. The object of Division 5, as set out in section 56EA, is to set out “privacy safeguards that protect the privacy or confidentiality of CDR consumer’s’ CDR data, whether the CDR consumers are individuals or bodies corporate”. The privacy safeguards apply mainly to accredited data recipients, and a failure to comply can attract a civil penalty or result in suspension or revocation of the person’s accreditation.
The privacy safeguards prevail over inconsistent consumer data rules, and replace the Australian Privacy Principles in relation to the handling of CDR data by an accredited data recipient. Except where specified otherwise, the privacy safeguards do not replace the APPs in relation to the handling of CDR data by data holders or a designated gateway (section 56EC).
The privacy safeguards broadly mirror the APPs, although overall they are more restrictive. Whilst the Privacy Act distinguishes between “personal information” and “sensitive information”, with sensitive information accorded a greater level of protection, the CDR treats all information at least at the level of sensitive information.
In March 2019, the Treasury published a Privacy Impact Assessment for the CDR in accordance with the Privacy (Australian Government Agencies – Governance) APP Code 2017 in which it compared the relative strengths of the privacy safeguards and the APPs. The outcome of this comparison is summarised in the following table:
Mandatory Data Breach NotificationThe privacy safeguard which has no APP equivalent – privacy safeguard 10 – requires a data holder or accredited data recipient to notify the individual that they have responded to a valid request under the consumer data rules to disclose the individual’s CDR data.
With respect to mandatory data breach notification, section 56ES has the effect of applying Part IIIC of the Privacy Act in a corresponding way to an accredited data recipient or designated gateway which holds a CDR consumer’s CDR data. In this context, Part IIIC will not be restricted in its application to personal information, but will also embrace CDR data in its broader form.
In other words, an accredited data recipient or designated gateway will be required to give notification to the Australian Information Commissioner of an “eligible data breach” as defined in section 26WE of the Privacy Act, effectively meaning a situation in which a reasonable person would conclude that the unauthorised access to or disclosure of CDR data would be likely to result in serious harm to the data subject.Regulation of the schemeAs the CDR embraces competition and consumer matters, the new scheme will be regulated jointly by the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC).
The scheme is structured in a way that the ACCC will lead on issues concerning the designation of new sectors of the economy to be subject to the CDR and the establishment of the consumer data rules, whilst the OAIC will lead on matters relating to the protection of individual and small business consumer participants’ privacy and confidentiality, and compliance with the CDR Privacy Safeguards.
Specifically, the Australian Information Commissioner Act 2010 is amended to ensure that the OAIC’s privacy functions extend to the CDR regime, while section 155 of the CCA is amended to extend the ACCC’s information gathering powers so as to apply to contraventions of the CDR regime and the consumer data rules.
Consumer Data Rules
The ACCC now has the power to make “consumer data rules” relating to the CDR framework (section 56BA), including matters such as disclosure, collection, use, accuracy, storage, security or deletion of CDR data (section 56BC) and extending to rules imposing additional obligations on accredited CDR recipients relating to how they must store and may use and disclose CDR data, for example.
A person who fails to comply with the consumer data rules may be subject to a civil penalty.
Whilst the consumer data rule making power provides substantial scope for the ACCC to shape the operation of the CDR scheme, the Explanatory Memorandum emphasises the existence of “checks and balances”. The rules are disallowable instruments, and can only be made with the Minister’s consent. Other limitations highlighted in the Explanatory Memorandum are that the rules cannot:
- require a CDR participant to disclose CDR data before 1 July 2019 or impose a retrospective commencement or application [Schedule 1, item 1, subsection 56BK(1)];
- require the disclosure of information about a consumer unless that information is specified in the designation instrument and the disclosure is to a CDR consumer, accredited person or designated gateway [Schedule 1, item 1, subsection 56BD(1)];
- require the disclosure of information about a product or a good or service unless the data is about eligibility criteria, terms and conditions, price, or publicly available information about the availability or performance of the product [Schedule 1, item 1, subsection 56BF(1)];
- allow a fee to be charged for data for which a fee cannot be charged [Schedule 1, item 1, subsections 56BD(2) and 56BF(2)];
- impose deletion obligations on a data holder for CDR data about a consumer [Schedule 1, item 1, paragraph 56BD(3)(a)];
- require the data holder to do anything in relation to the use, accuracy, storage or security of the CDR data unless those rules also relate to the disclosure of the CDR data under the consumer data rules [Schedule 1, item 1, paragraph 56BD(3)(b)]; or
- require or authorise a designated gateway to do anything in relation to the collection, use, storage, or disclosure of the CDR data unless those rules also relate to the gateway facilitating the transfer of CDR data between data holders, accredited data recipients or the consumer [Schedule 1, item 1, subsection 56BG(3)].
Data standards are determined by a Data Standards Chair, with the standards embracing the format and description of CDR data, the manner of disclosure of CDR data, the manner of collection, use, accuracy, storage, security and deletion of CDR data and the process for de-identification of CDR data (section 56FA).
The data standards are not a legislative instrument. They are intended to be largely in the nature of specifications as to how information technology solutions must be implemented in order to ensure reliable interoperability in relation to the sharing of data. They will only describe how the CDR must be implemented in accordance with the consumer data rules. The consumer data rules will set out the substantive rights and obligations of participants.
Information Commissioner’s Guidelines
The Information Commissioner has the specific role of developing guidelines, promoting compliance and undertaking educational programs relating to the scheme (section 56ER).
In particular, the Information Commissioner is empowered to make guidelines outlining the sorts of acts or practices that could result in breach of the privacy safeguards: section 56EQ(1).
The guidelines must be made in consultation with the ACCC, and to the extent of any inconsistencies with the consumer data rules, the consumer data rules will take precedence: section 56EQ(2) and (4). The guidelines are not legally enforceable and, as such, are not legislative instruments.