The Parliament of Australia passed, on 1 August 2019, the Treasury Laws Amendment (Consumer Data Right) Bill 2019 (‘the Bill’), which amends the Competition and Consumer Act 2010, the Australian Information Commissioner Act 2010, and the Privacy Act 1988 (‘the Privacy Act’), to introduce a data portability right for consumers in the form of a consumer data right (‘CDR’). In particular, the Bill, which currently applies to the banking sector and will soon apply to the energy and telecommunication sectors, allows individuals and businesses to access specified data related to them and held by businesses, as well as authorises secure access to this data by accredited third parties.
The Bill’s explanatory memorandum (‘EM’) notes that the CDR gives consumers more control, by allowing them to access information about themselves and their use of goods and services, which enables consumers to fairly harvest the value of their data. In addition, the Bill requires businesses to provide public access to data on product terms and conditions, transactions and usage, as well as empowers consumers to direct businesses to share their data in a CDR compliant format with other accredited service providers.
Moreover, whilst the Privacy Act gives consumers a right to access data about themselves, the CDR has a wider scope as it also provides access to data for individual consumers, business consumers, and on data relating to products. Furthermore, the CDR contains enhanced privacy safeguards to protect CDR data relating to an identifiable CDR consumer, including information not covered by the Privacy Act, as well as establishes a mandatory requirement for accredited data recipients and designated gateways to notify data breaches to the Office of the Australian Information Commissioner (‘OAIC’). In addition, the Bill empowers the Australian Competition and Consumer Commission to grant accreditation to organisations and to jointly regulate this regime with the OAIC. The Bill also establishes a Data Standards Chair, which is charged with the duty to create standards consistent with consumer data rules.
The EM highlights the impact the CDR will have on businesses, predicting that compliance costs for accredited organisations in the banking sector will increase by AUD 86.6 million (approx. €52.6 million) per year and by AUD 9.9 million (approx. €6 million) per year for the energy sector. The EM states that the Government of Australia has committed to applying the CDR to the telecommunications sector and eventually across the whole economy, and the impact for other sectors will be considered on a case-by-case basis.
TOOBA KAZMI Privacy Analyst