The new Consumer Data Right (CDR) will take effect in February 2020, first in the banking sector then later in the telecommunications and energy sectors.
The Government’s objective is to promote competition, choice and innovation. For example, it should become easier for a consumer to change banks because they will be able to tell their current bank to provide their data to other banks or comparison services.
The Office of the Australian Information Commissioner (OAIC) has now released its draft Privacy Safeguard Guidelines (Guidelines) for the CDR.
The OAIC will regulate the privacy aspects of the CDR and provide the primary complaints handling process for the scheme.
The Guidelines aim to help entities that will be participating in the CDR to understand their privacy obligations, which will be given effect by Part IVD of the Competition and Consumer Act 2010 (Cth) (Privacy Safeguards). There are 13 Privacy Safeguards in total. The Privacy Safeguards are legally binding; the Guidelines are not.
The OAIC anticipates that, for small businesses that are currently not subject to the Privacy Act 1988 (Cth) (Privacy Act), compliance with the Privacy Safeguards may be a new experience if they become participants in the CDR framework. It is therefore seeking submissions from small businesses in particular, to identify knowledge gaps and provide further guidance where necessary.
The Privacy Safeguards will apply differently depending on the roles of the participants in the CDR framework. The table below identifies the Privacy Safeguards that apply to specific roles.
| Role | Privacy Safeguards that apply |
| --- | --- |
| Accredited person | Privacy Safeguards 1, 3, 4, and 5 |
| Accredited data recipient | Privacy Safeguards 1 to 13 inclusive |
| Data holder | Privacy Safeguards 1, 10, 11, and 13 |
| Designated gateway | Privacy Safeguards 1, 6, 7, and 12 |
In the CDR:
A business may fall within the definitions of an accredited person, an accredited data recipient or a data holder for different consumers or depending on the role the business is fulfilling at any given time. For example, in an open banking context, a bank can:
As such, it is important for businesses to understand how each of the Privacy Safeguards applies to them in the different roles and functions they may perform in the course of their operations, and how they can integrate the requirements of the Privacy Safeguards into their broader privacy compliance regime.
The draft Guidelines seek to clarify the interaction between the Privacy Safeguards and the Privacy Act and Australian Privacy Principles (APPs). The OAIC addresses this in the draft Guidelines by setting out summaries of how each of the Privacy Safeguards applies to each type of CDR entity. In some instances, depending on the status of the CDR entity (e.g. an accredited person or an accredited data recipient), the relevant APP will apply in parallel with the specific Privacy Safeguard. In other instances, the Privacy Safeguard will apply instead of the corresponding APP or vice versa.
An accredited person may only collect and use CDR data with the consent of the consumer. There are stricter consent requirements under the Privacy Safeguards in respect of CDR data than under the Privacy Act. Under the Privacy Act, for instance, consent must be express or implied. However, the Privacy Safeguards require accredited persons to procure ‘voluntary, express, informed, specific as to purpose, time limited, and easily withdrawn’ consent from consumers for the collection and use of their CDR data.
To comply with this higher standard, the draft Guidelines require accredited persons to provide consumers with a ‘consumer dashboard’, which must contain certain details relating to each consent to collect and use their CDR data. Depending on the practical and commercial implications of implementing the ‘consumer dashboard’ requirement, businesses may consider either:
The OAIC is seeking submissions in relation to the draft Guidelines until 20 November 2019.
Authored by:
David Smith, Partner
Hazel McDwyer, Partner
Raisa Blanco, Associate