Today, the Treasury released the much-anticipated exposure draft legislation which will implement the Consumer Data Right. The Treasury Laws Amendment (Consumer Data Right) Bill 2018 (the Bill) seeks to amend the Competition and Consumer Act 2010, the Privacy Act 1988 and the Australian Information Commissioner Act 2010.
Submissions on the Bill open today and close on 7 September 2018.
The Treasury also announced that as part of the consultation process it will be conducting roundtables in Melbourne and Sydney on 23 and 28 August, respectively. Currently, the roundtables will be limited to one representative from each attending organisation.
The Bill follows the Government’s announcement in May that it would legislate a Consumer Data Right to allow consumers to harness the power of their data and provide consumers with greater control over their data.
As you are reviewing the Bill, there are a few key areas to note:
- Much of the detail, including with respect to accreditation, consent requirements and security, will be specified on a sector-by-sector basis in “consumer data rules” to be developed by the ACCC. Consequently, whilst the Bill provides some framework, there are still many questions to be answered.
Before consumer data rules are made for a sector, public consultation is required (subject to some exceptions). Given the timeframes involved, we expect this consultation to commence soon for Open Banking.
- The definition of “CDR data”, ie the consumer data the subject of the right, is very broadly framed.
As expected, “CDR data” includes information designated as CDR data with respect to the relevant sector. For example, in the banking sector we expect this to include transaction data for a number of products. However, “CDR data” also includes any information derived from that designated data and any information derived from that derived information, and so on. There is a cascading effect which would likely capture a broad range of value-added data sets within an organisation.
We assume that this broad scope is initially framed to allow subsequent narrowing for various sectors through the consumer data rules; however, this is not perfectly clear.
- The Bill also seeks to provide some comfort for data holders by stating that if they disclose data in accordance with the relevant requirements, including the consumer data rules, then they are not liable to any civil or criminal action.
- ‘Privacy safeguards’ are specified which, in part, duplicate almost all of the Australian Privacy Principles under the Privacy Act, albeit in a stricter manner and so as to encompass and protect business data, not just data of individuals.
These privacy safeguards include having a CDR data policy and requirements with respect to the collection, use and disclosure of CDR data as well as requirements for integrity, security and correction. Again, however, most of the detail is deferred to the yet-to-be-published consumer data rules.
The proposed approach to privacy requirements appears to go further than the Government previously recommended and there will no doubt be concerns as to how to efficiently implement and manage a multi-tiered privacy compliance regime (ie managing compliance under the Privacy Act with compliance with the new privacy safeguards). This is particularly the case given the broad definition of CDR data.
Of course, there are more issues to consider than those outlined above. If you are interested in responding to the Bill, or would like further information, please contact us.
Written by Simon Burns and Clare Harris.