Consumer Data Right Bill: Senate Committee Reports and ACCC Releases Draft Rules

Friday 5 April 2019 @ 1.37 p.m. | Corporate & Regulatory | Trade & Commerce

On 29 March 2019 the Australian Competition and Consumer Commission (ACCC) announced in a Media Release that it was seeking feedback from consumers, businesses and community organisations on the draft rules for the Consumer Data Right (CDR).  The Rules will facilitate the operation of the CDR, allowing consumers to easily obtain access to their banking data and have it transferred between service providers. The draft CDR rules follow from the introduction in February 2019 into the House of Representatives of the Treasury Laws Amendment (Consumer Data Right) Bill 2019 (Cth) ("the CDR Bill") which proposes to amend the Competition and Consumer Act 2010 (Cth), the Privacy Act 1988 (Cth), and the Australian Information Commissioner Act 2010 (Cth) to introduce a CDR and "open banking".

Background and Past Developments

In 2018, following the announcement of the CDR reform by the Australian Government, the ACCC published a Rules Framework (September 2018) and a Rules Outline (December 2018). As well the Treasury Laws Amendment (Consumer Data Right) Bill 2019 (CDR Bill) was introduced into the House of Representatives (13 February 2019). The CDR Bill was then referred to the Senate Economics Legislation Committee ("the Committee") on 13 Febraury 2018, and the Committee has recently released their report.

About the CDR Bill

According to the Treasurer's second reading speech, the CDR Bill creates " a new framework" which enable consumers to more effectively use data relating to them for their own purposes. At first the CDR will apply to the banking sector, but the intention is that the CDR will also eventually apply to the telecommunications and energy sectors, creating opportunities in those key areas of the economy for consumers to ensure that they are getting the best deal for their circumstances. Additional sectors of the economy may have the CDR applied to them in time, following "sectoral assessments by the ACCC in conjunction with the Information Commissioner ".

What the CDR framework is intended to do is to give consumers control over their consumer data, enabling them to direct the data holder to provide their data, in a CDR "compliant format", to accredited data recipients including other banks, telecommunications providers, energy companies or companies providing comparison services. Also, according to the CDR Bill's Explanatory Memorandum, the CDR is envisaged as allowing consumers to access their own data without directing that the data be provided to a third party. Further, the CDR system may see the emergence of new data driven service providers.

The new draft CDR rules arise as part of the power given by the CDR Bill to the ACCC to make rules, in consultation with the Information Commissioner to determine how the CDR will functions in each sector.

In general terms, the CDR Bill requires that entities must be accredited before they are able to receive consumer data so as to ensure that the accredited persons have satisfactory security and privacy safeguards. However, for some sectors, the Minister may designate a "gateway" to facilitate the transfer of information from a data holder to an accredited person or the consumer themselves.

Consumer data will be the subject of strong privacy safeguards, according to the CDR Bill's Explanatory Memorandum. Safeguards are comparable to the protections for individuals contained in APPs and provide consistent protections for consumer data of both individuals and business enterprises. They also contain more restrictive requirements on participants than those applying under the Privacy Act 1988 (Cth).

Data must be provided in a format which complies with the CDR data standards and the standards may apply differently across sectors. The CDR Bill's Explanatory Memorandum indicates that it is important that the manner and form of the data coming into the CDR system be consistent within and between designated sectors, as far as is practicable so as to promote interoperability, reduce costs of accessing data and lower barriers to entry by data driven service providers – in these ways promoting competition and innovation.

The CDR Bill provides for a dispute resolution processes to resolve disagreements with participants in the system for all individual and small business consumers in a designated sector to which the CDR applies, Further, the CDR Bill provides the Information Commissioner with the function of enforcing the "Privacy Safeguards" and providing remedies to individuals and small business, while the ACCC is to be responsible for enforcing the balance of the regime and for taking strategic enforcement actions.

About the Draft Rules

The draft rules have been released by the ACCC for public consultation and interested parties are invited to make submissions in response to the draft rules by 10 May 2019. According to ACCC Commissioner Sarah Court:

“The draft rules for the Consumer Data Right allow companies working in the banking sector to begin planning and move towards the start of the consumer data right in banking, with some greater detail and guidance as to how it will work,” 

Further, they are intended to give interested parties a chance to view and understand the CDR changes:

“We also know there are a number of privacy advocates, consumer organisations and others who will be very interested to see these draft rules, and we welcome views.”

Senate Economics and Legislation Committee Report 

The recently tabled Senate Economics and Legislation Committee Report on the CDR Bill (21 March 2019) made only one recommendation, that being that the CDR Bill ". . . should be passed by Parliament unamended". This was the recommendation of the report despite "widespread concerns about the new powers, centred on privacy, consumer protection, sectoral coverage and the rushed process by the government."

Dissenting comments on the report by the Committee’s two Labor senators indicated a range of concerns also outlined by stakeholders, that would see them move amendments to the CDR Bill should the government attempt to pass the CDR Bill during the budget sittings - the last sittings before the May 2019 election. The concerns of the Committee's dissenters were countered by the statement that:

“In one sense, the CDR is actually an enhanced privacy regime. The committee notes the concerns about the privacy arrangements in the Bill. However, it also notes the views of the Australian Privacy Commissioner and the Interim Chair of the Data Standards Body that the Bill at the very least is an expansion of current protections, . . .The committee notes there are a number of consumer issues which require vigilance. However, most of these exist in the present arrangements. The rules making facility under the Bill offers the possibility of addressing problems as they arise.”


TimeBase is an independent, privately owned Australian legal publisher specialising in the online delivery of accurate, comprehensive and innovative legislation research tools including LawOne and unique Point-in-Time Products. Nothing on this website should be construed as legal advice and does not substitute for the advice of competent legal counsel.


Related Articles: