26 Mar The Consumer Data Right and pending legal reform

The Consumer Data Right (CDR) gives consumers greater control over their own data, including the ability to securely share data with a trusted third party.

In 2017, the Australian Government announced the introduction of a CDR in Australia and determined that the CDR will first apply to the banking sector, followed by the energy sector, with the telecommunications sector currently proposed to follow. CDR went live in Australia some 9 months ago on 1 July 2020.

The impact of the CDR on the Australian economy is far-reaching and involves no less than 3 regulators – corporate, consumer and privacy. The ACCC as the lead CDR regulator has been given a number of new roles including making the CDR Rules; accrediting potential data recipients; establishing and maintaining a Register of Accredited Persons; and, monitoring compliance and taking enforcement action where necessary.

The ACCC is working with the Office of the Australian Information Commissioner (OAIC) and the Data Standards Body (DSB) in the development and implementation of the CDR. The DSB are responsible for the creation of the technical standards for the sharing of consumer data. The OAIC are the primary complaints handler under the CDR scheme. The OAIC will have a range of investigative and enforcement powers to handle privacy complaints and carry out other regulatory activities with respect to privacy.

The security and integrity of the CDR system is upheld by the privacy safeguards, contained in the Competition and Consumer Act 2010 (Cth) and supplemented by the CDR Rules.

The privacy safeguards set out the privacy rights and obligations for participants in the CDR. The 13 privacy safeguards mirror the 13 Australian Privacy Principles under the Australian Privacy Act 1988 (Cth) (Privacy Act), the difference being a focus on ‘CDR Data’ as opposed to personal information (PI).

Under the Rules, Privacy Safeguard 12 applies to accredited data recipients and designated gateways. It does not apply to data holders. However, data holders must ensure that they are adhering to their obligations under the Privacy Act and the APPs, including APP 11, in relation to the security of PI.

While the CDR Privacy Safeguard Guidelines outline how the OAIC interprets and applies the privacy safeguards when exercising its CDR functions and powers, a critical path to compliance for CDR participants will lie in the identification and classification of data.

Pending Regulatory Reform

2 Bills currently before Parliament add complexity to the CDR-eco-system.

1. 1. Security Legislation Amendment (Critical Infrastructure) Bill 2020

Most important to the CDR eco-system is the proposed Department of Home Affairs’ Security Legislation Amendment (Critical Infrastructure) Bill 2020 (SLACIB) because the impact of this proposed new law is significant.

The Security of Critical Infrastructure Act 2018 (SCIA) currently covers specific entities in the electricity, gas, water and ports sectors. When promulgated, SLACIB will expand the scope of applicability under the SCIA to include 11 critical infrastructure sectors including, financial services and markets, communications, and energy – the first 3 sectors to participate in the CDR.

It is logical therefore to conclude that the entire ACCC CDR eco-system is likely to be classified a ‘system of national significance’ as defined in SLACIB, with the necessary corollary that intelligence interests and national security imperatives will merge (to some extent at least) with the more commercial aspects of the CDR CTI platform.

1. 2. Data and Availability and Transparency Bill

The Australian Government released an exposure draft of the Data and Availability and Transparency Bill (DATB) for public comment on 14 September 2020. DATB, introduced alongside the Data Availability and Transparency (Consequential Amendments) Bill 2020, is intended to unlock data by overcoming existing legislative barriers.

The bill aims to make it easier for the public sector to share data within government and across the private sector for the purposes of delivering government services and supporting research and development. Under the proposed law, agencies are required to seek consent before releasing PI unless it is unreasonable or impractical to do so.

In its submission to the senate review into the DATB which is currently before parliament, the OAIC has urged the government to introduce additional safeguards in proposed public sector data sharing laws.

The OAIC said an ‘upfront assessment’ of each entity wishing to be accredited under the scheme was important, and that such an assessment should be “undertaken consistently in relation to all potential accredited entities”. It pointed to the operation of the CDR’s accreditation process, which required an assessment of entities that wish to receive Consumer Data.

Here to Assist

­­If you are impacted by these far-reaching regulatory reforms and seek assistance, we are here to assist you in relation to law, security, privacy and data protection, and governance.

Helaine Leggat

Managing Partner ICTLC Australia