Treasury Laws Amendment (Consumer Data Right) Act 2019 (63 of 2019)

Schedule 1   Consumer data right

Part 1   Main amendments

Competition and Consumer Act 2010

1   After Part IVC

Insert:

Part IVD - Consumer data right

Division 1 - Preliminary

Subdivision A - Object and simplified outline

56AA Object of this Part

The object of this Part is:

(a) to enable consumers in certain sectors of the Australian economy to require information relating to themselves in those sectors to be disclosed safely, efficiently and conveniently:

(i) to themselves for use as they see fit; or

(ii) to accredited persons for use subject to privacy safeguards; and

(b) to enable any person to efficiently and conveniently access information in those sectors that:

(i) is about goods (such as products) or services; and

(ii) does not relate to any identifiable, or reasonably identifiable, consumers; and

(c) as a result of paragraphs (a) and (b), to create more choice and competition, or to otherwise promote the public interest.

56AB Simplified outline

Rules made under this Part may:

(a) enable consumers in certain sectors of the Australian economy to require information relating to themselves in those sectors to be disclosed to themselves or to accredited persons; and

(b) enable any person to be disclosed information in those sectors that is about goods (such as products) or services, and does not relate to any identifiable, or reasonably identifiable, consumers; and

(c) may require these kinds of disclosures, and other things, to be done in accordance with data standards.

A register is to be kept of accredited persons.

Privacy safeguards apply. These mainly apply to accredited persons who, under those rules, are disclosed information relating to identifiable, or reasonably identifiable, consumers.

Subdivision B - Designating sectors subject to the consumer data right

56AC Designated sectors subject to the consumer data right

Designating a sector

(1) A designated sector means a sector of the Australian economy designated under subsection (2).

(2) The Minister may, by legislative instrument, designate a sector of the Australian economy by specifying:

(a) classes of information (the designated information); and

(b) persons who hold one or more specified classes of the designated information (or on whose behalf such information is held); and

(c) the earliest day (the earliest holding day) applicable to the sector for beginning to hold the designated information; and

(d) each of the classes of information within the designated information for which a person may charge a fee if:

(i) the person is required under the consumer data rules to disclose information within that class to another person in specified circumstances; or

(ii) another person uses information within that class in specified circumstances as the result of a disclosure required of the first-mentioned person under the consumer data rules; and

(e) if the sector is to have one or more gateways:

(i) the particular persons who are gateways; and

(ii) for each of those persons, the classes of information within the designated information for which the person is a gateway.

Note 1: The persons specified under paragraph (b):

(a) may be specified by class (see subsection 13(3) of the Legislation Act 2003); and

(b) will be holders of the information, rather than the consumers to whom the information relates; and

(c) may not be the only holders of the information who can be required to disclose it under the consumer data rules (see section 56AJ (about the meaning of data holder)).

Note 2: While a class of information specified under paragraph (b), (d) or (e) needs to be of the information specified under paragraph (a), it need not be the same class as a class specified under paragraph (a).

Note 3: Subparagraph (e)(i) allows only particular persons to be specified, not classes of persons.

Note 4: For variation and repeal, see subsection 33(3) of the Acts Interpretation Act 1901.

Geographical limitation on information that can be designated

(3) Despite paragraph (2)(a), treat a class of information specified as described in that paragraph as only including so much of the information in that class as:

(a) has at any time been generated or collected wholly or partly in Australia or the external Territories, and:

(i) has been so generated or collected by (or on behalf of) one or more Australian persons; or

(ii) relates to one or more Australian persons (other than the persons who so generated or collected it); or

(iii) relates to goods or services supplied, or offered for supply, to one or more Australian persons; or

(b) has only ever been generated and collected outside of Australia and the external Territories, and:

(i) has been so generated or collected by (or on behalf of) one or more Australian persons; and

(ii) relates to one or more Australian persons (other than the persons who so generated or collected it), or relates to goods or services supplied, or offered for supply, to one or more Australian persons.

In this subsection, Australian person has the same meaning as in subsection 56AO(5).

Limitation on the earliest holding day

(4) While the earliest holding day may be before the day the instrument under subsection (2) is made, the earliest holding day must not be earlier than the first day of the calendar year that is 2 years before the calendar year in which that instrument is made.

Example: The instrument is made on 1 July 2020. The earliest holding day could be 1 January 2018, but not before.

Note: The earliest holding day helps to work out if a person is a data holder of information specified under paragraph (2)(a), and so whether that information is subject to the consumer data right.

56AD Minister's tasks before designating a sector etc.

(1) Before making an instrument under subsection 56AC(2), the Minister must consider all of the following:

(a) the likely effect of making the instrument on:

(i) the interests of consumers; and

(ii) the efficiency of relevant markets; and

(iii) the privacy or confidentiality of consumers' information; and

(iv) promoting competition; and

(v) promoting data-driven innovation; and

(vi) any intellectual property in the information to be covered by the instrument; and

(vii) the public interest;

(b) the likely regulatory impact of allowing the consumer data rules to impose requirements relating to the information to be covered by the instrument;

(c) the following matters when considering whether to specify a class of information, as described in paragraph 56AC(2)(d), in the instrument:

(i) whether not specifying that class could result in an acquisition of property (within the meaning of paragraph 51(xxxi) of the Constitution);

(ii) whether holders of information within that class currently charge a fee for disclosing such information;

(iii) whether the incentive to generate, collect, hold or maintain information within that class would be reduced if that class were not so specified;

(iv) the marginal cost of the disclosures required under the consumer data rules of information within that class;

(d) whether one or more gateways need to be specified in the instrument in order to facilitate access to the information to be covered by the instrument;

(e) any other matters the Minister considers relevant.

Note: The consumers could be individuals or other persons such as companies (see also subsection 56AI(4)).

(2) Before making an instrument under subsection 56AC(2), the Minister must:

(a) consult each of the following about the matters in paragraphs (1)(a) to (e) of this section:

(i) the Commission;

(ii) any person or body prescribed by the regulations; and

(b) wait at least 60 days after the day the Commission publishes its report arising from that consultation (see section 56AE).

(3) Before making an instrument under subsection 56AC(2), the Minister must consult the Information Commissioner about the likely effect of making the instrument on the privacy or confidentiality of consumers' information.

56AE Commission must analyse, consult and report about an instrument proposing to designate a sector

(1) When the Commission is consulted under subsection 56AD(2), the Commission must:

(a) analyse the matters in paragraphs 56AD(1)(a) to (e) in relation to the instrument; and

(b) consult the public about those matters in relation to the instrument:

(i) for at least 28 days; and

(ii) in one or more ways that includes making information available on the Commission's website and inviting the public to comment; and

(c) consult each of the following about those matters in relation to the instrument:

(i) the Information Commissioner;

(ii) the person or body (if any) that the Commission believes to be the primary regulator of the sector that the instrument would designate;

(iii) any person or body prescribed by the regulations; and

(d) report to the Minister about that analysis and consultation.

(2) The Commission must publish the report on its website.

56AF Information Commissioner must analyse and report about an instrument proposing to designate a sector

(1) When the Information Commissioner is consulted under subsection 56AD(3), the Information Commissioner must:

(a) analyse the likely effect of making the instrument on the privacy or confidentiality of consumers' information; and

(b) report to the Minister about that analysis.

(2) The Information Commissioner must publish the report on the Information Commissioner's website, except for any excluded part of the report.

(3) In deciding whether or not to exclude a part of the report from publication, the Information Commissioner must:

(a) have regard to the need to prevent the matters in subsection 33(2) of the Privacy Act 1988; and

(b) try to achieve an appropriate balance between the need to prevent those matters and the desirability of ensuring that interested persons are sufficiently informed of the Information Commissioner's analysis in the report.

56AG Commission may recommend that a sector be designated etc.

(1) The Commission may, in writing, recommend to the Minister that the Minister make an instrument under subsection 56AC(2):

(a) designating a particular sector of the Australian economy; or

(b) varying or revoking an instrument designating a sector under that subsection.

The Commission must publish the recommendation on its website.

(2) However, before making a recommendation under subsection (1), the Commission must do all of the following:

(a) analyse the matters in paragraphs 56AD(1)(a) to (d) in relation to the proposed instrument;

(b) consult the public about those matters in relation to the proposed instrument:

(i) for at least 28 days; and

(ii) in one or more ways that includes making information available on the Commission's website and inviting the public to comment;

(c) consult each of the persons or bodies covered by paragraph 56AE(1)(c) about those matters in relation to the proposed instrument;

(d) report to the Minister about that analysis and consultation;

(e) publish the report on the Commission's website.

(3) If the Commission publishes under subsection (1) a recommendation that the Minister make a proposed instrument, the Minister must wait at least a further 60 days before making the instrument under subsection 56AC(2).

Note: The Minister must also consult the Information Commissioner about the proposed instrument (see subsection 56AD(3)).

(4) Neither subsection 56AD(2) nor section 56AE applies in relation to a proposed instrument recommended under subsection (1) of this section.

56AH Other matters

A failure to comply with section 56AD, 56AE, 56AF or 56AG does not invalidate an instrument made under subsection 56AC(2).

Subdivision C - Meanings of key terms

56AI Meanings of CDR data, directly or indirectly derived and CDR consumer

(1) CDR data is information that:

(a) is within a class of information specified, as described in paragraph 56AC(2)(a), in an instrument designating a sector under subsection 56AC(2); or

(b) is not covered by paragraph (a) of this subsection, but is wholly or partly derived from information covered by:

(i) paragraph (a) of this subsection; or

(ii) a previous application of this paragraph.

Note 1: Geographical limitations may cause some information within a class specified as described in paragraph 56AC(2)(a) to be disregarded (see subsection 56AC(3)), which means it will not be CDR data.

Note 2: Information covered by paragraph (b) includes information derived from information covered by paragraph (a), information derived from that derived information, and so on.

Note 3: Information covered by paragraph (b), for which there is a CDR consumer, cannot be required to be disclosed under the consumer data rules (see subsection 56BD(1)).

Note 4: Only certain kinds of CDR data for which there are no CDR consumers (also known as product data) can be required to be disclosed under the consumer data rules (see subsection 56BF(1)).

(2) CDR data is directly or indirectly derived from other CDR data if the first-mentioned CDR data is wholly or partly derived from the other CDR data after one or more applications of paragraph (1)(b).

(3) A person is a CDR consumer for CDR data if:

(a) the CDR data relates to the person because:

(i) of the supply of a good or service to the person or to one or more of the person's associates (within the meaning of section 318 of the Income Tax Assessment Act 1936); or

(ii) of circumstances of a kind prescribed by the regulations; and

(b) the CDR data is held by another person who:

(i) is a data holder of the CDR data; or

(ii) is an accredited data recipient of the CDR data; or

(iii) is holding the CDR data on behalf of a person mentioned in subparagraph (i) or (ii); and

(c) the person is identifiable, or reasonably identifiable, from:

(i) the CDR data; or

(ii) other information held by the other person referred to in paragraph (b); and

(d) none of the conditions (if any) prescribed by the regulations apply to the first-mentioned person in relation to the CDR data.

(4) Subsection 4B(1) (about consumers) does not apply to this Part.

56AJ Meaning of data holder

(1) A person is a data holder, of CDR data, if:

(a) the CDR data:

(i) is information within a class of information specified, as described in paragraph 56AC(2)(a), in an instrument designating a sector under subsection 56AC(2) (the designation instrument); or

(ii) is directly or indirectly derived from information covered by subparagraph (i); and

(b) the CDR data is held by (or on behalf of) the person, and began to be so held on or after the earliest holding day specified in the designation instrument; and

(c) the person is not a designated gateway for the CDR data; and

(d) subsection (2), (3) or (4) applies to the person and the CDR data.

Note 1: Geographical limitations may cause some information within a class specified as described in paragraph 56AC(2)(a) to be disregarded (see subsection 56AC(3)), which means it will not be CDR data.

Note 2: If the person begins holding the CDR data before the earliest holding day, the person:

(a) will not be a data holder of the CDR data; and

(b) will not be required to disclose it under the consumer data rules.

First case - person is also specified in the designation instrument

(2) This subsection applies to a person and CDR data if:

(a) the person, or a class of persons to which the person belongs, is specified, as described in paragraph 56AC(2)(b), in the designation instrument as holding a class of information to which the CDR data belongs; and

(b) neither the CDR data, nor any other CDR data from which it was directly or indirectly derived, was disclosed to the person under the consumer data rules.

Second case - reciprocity arising from the person being disclosed other CDR data under the consumer data rules

(3) This subsection applies to a person and CDR data if:

(a) neither the CDR data, nor any other CDR data from which it was directly or indirectly derived, was disclosed to the person under the consumer data rules; and

(b) the person is an accredited data recipient of other CDR data.

Note 1: Paragraph (b) is referring to other CDR data not covered by paragraph (a).

Note 2: The other CDR data referred to in paragraph (b) could be within a class of information specified in another instrument designating a different sector under subsection 56AC(2).

Third case - conditions in the consumer data rules are met

(4) This subsection applies to a person and CDR data if:

(a) the person is an accredited person; and

(b) the CDR data, or any other CDR data from which it was directly or indirectly derived, was disclosed to the person under the consumer data rules; and

(c) the conditions specified in the consumer data rules are met.

56AK Meaning of accredited data recipient

A person is an accredited data recipient, of CDR data, if:

(a) the person is an accredited person; and

(b) the CDR data is held by (or on behalf of) the person; and

(c) the CDR data, or any other CDR data from which it was directly or indirectly derived, was disclosed to the person under the consumer data rules; and

(d) the person is neither a data holder, nor a designated gateway, for the first-mentioned CDR data.

Note: For paragraph (d), the person will be a data holder of that CDR data if subsection 56AJ(4) applies.

56AL Meanings of CDR participant and designated gateway

(1) A CDR participant, for CDR data, is a data holder, or an accredited data recipient, of the CDR data.

(2) A person is a designated gateway, for CDR data, if:

(a) the person is specified as a gateway, as described in subparagraph 56AC(2)(e)(i), in an instrument designating a sector under subsection 56AC(2); and

(b) the CDR data is information within a class, specified in that instrument, for which the person is a gateway; and

(c) the CDR data is, or is to be, disclosed to the person under the consumer data rules because the person is:

(i) acting as described in a subparagraph of paragraph 56BG(1)(a) or (b); or

(ii) if there are no consumers for the CDR data - acting between a CDR participant for the CDR data and a person requesting a disclosure of the CDR data;

and not because the person is an accredited person or a CDR consumer for the CDR data.

56AM Meanings of chargeable CDR data, chargeable circumstances and fee-free CDR data

(1) CDR data is chargeable CDR data if the CDR data is information within a class specified, as described in paragraph 56AC(2)(d), in an instrument designating a sector under subsection 56AC(2) (the designation instrument).

(2) The chargeable CDR data is disclosed in chargeable circumstances if it is disclosed in circumstances specified:

(a) for that class of information; and

(b) as described in subparagraph 56AC(2)(d)(i);

in the designation instrument.

(3) The chargeable CDR data is used in chargeable circumstances if it is used in circumstances specified:

(a) for that class of information; and

(b) as described in subparagraph 56AC(2)(d)(ii);

in the designation instrument.

(4) CDR data is fee-free CDR data if it is not chargeable CDR data.

Subdivision D - Extension to external Territories and extraterritorial operation

56AN Extension to external Territories

Each of the following provisions (the CDR provisions) extends to every external Territory:

(a) a provision of this Part;

(b) a provision of the regulations made for the purposes of a provision of this Part;

(c) a provision of the consumer data rules;

(d) another provision of this Act to the extent that it relates to a provision covered by paragraph (a), (b) or (c);

(e) a provision of the Regulatory Powers Act to the extent that it applies in relation to a provision of this Part;

(f) a provision of the Privacy Act 1988 to the extent that it applies as described in section 56ES or 56ET of this Act.

56AO Extraterritorial operation of the CDR provisions

CDR provisions generally apply inside and outside Australia

(1) Subject to subsections (2) and (3), the CDR provisions extend to acts, omissions, matters and things outside Australia.

CDR provisions apply for CDR data held inside Australia

(2) To the extent that the CDR provisions have effect in relation to CDR data held within Australia, the CDR provisions apply in relation to all persons (including foreign persons).

CDR provisions can apply for CDR data held outside Australia

(3) To the extent that the CDR provisions have effect in relation to an act, or omission, relating to CDR data held outside Australia, the CDR provisions only apply if:

(a) the act or omission is by (or on behalf of) an Australian person; or

(b) the act or omission occurs wholly or partly in Australia, or wholly or partly on board an Australian aircraft or an Australian ship; or

(c) the act or omission occurs wholly outside Australia, and an Australian person suffers, or is likely to suffer, financial or other disadvantage as a result of the act or omission.

Interpretation

(4) For the purposes of subsection (3), if a person's act or omission includes sending, omitting to send, causing to be sent or omitting to cause to be sent an electronic communication or other thing:

(a) from a point outside Australia to a point inside Australia; or

(b) from a point inside Australia to a point outside Australia;

that act or omission is taken to have occurred partly in Australia.

(5) In this section:

Australia, when used in a geographical sense, includes all the external Territories.

Australian person means:

(a) a body corporate established by or under a law of the Commonwealth, of a State or of a Territory; or

(b) an Australian citizen, a permanent resident (within the meaning of the Australian Citizenship Act 2007), or any other person ordinarily resident within Australia or an external Territory; or

(c) an entity covered by subsection 56AR(1), (2) or (3) (about Australian government entities).

foreign person means a person other than an Australian person.

point includes a mobile or potentially mobile point, whether on land, underground, in the atmosphere, underwater, at sea or anywhere else.

56AP Geographical application of offences

Division 14 (Standard geographical jurisdiction) of the Criminal Code does not apply in relation to an offence against the CDR provisions.

Note: The extended geographical application that section 56AO gives to the CDR provisions applies to the offences against the CDR provisions.

Subdivision E - Application to government entities

56AQ CDR provisions bind the Crown

(1) The CDR provisions bind the Crown in each of its capacities.

(2) However, the CDR provisions do not make the Crown:

(a) liable to a pecuniary penalty or to be prosecuted for an offence; or

(b) subject to a remedy under section 56EY (about actions for damages for contravening the privacy safeguards); or

(c) subject to a remedy under Part VI (about enforcement) other than section 87B (about enforceable undertakings); or

(d) subject to a remedy under Part 4 (about civil penalties) or 7 (about injunctions) of the Regulatory Powers Act; or

(e) subject to Part XID of this Act (about search and seizure).

56AR Government entities may participate under this Part

Application to Commonwealth government entities

(1) The CDR provisions apply in relation to an entity that:

(a) is part of the Commonwealth; or

(b) is a Commonwealth entity (within the meaning of the Public Governance, Performance and Accountability Act 2013); or

(c) is a body (whether or not incorporated) established by or under a law of the Commonwealth; or

(d) is:

(i) holding or performing the duties of an office established by or under a law of the Commonwealth; or

(ii) holding an appointment made under a law of the Commonwealth; or

(e) is prescribed by the regulations.

Note: For how the CDR provisions so apply, see subsection (4).

Application to State or Territory government entities

(2) The CDR provisions apply only in relation to an entity that:

(a) is part of a State or Territory; or

(b) is a body (whether or not incorporated) established for a public purpose by or under a law of a State or Territory; or

(c) is:

(i) holding or performing the duties of an office established by or under a law of a State or Territory; or

(ii) holding an appointment made under a law of a State or Territory; or

(d) is an entity prescribed by the regulations in relation to a State or Territory;

if a declaration under subsection 56AS(1), that the entity is a participating entity for the State or Territory, is in force.

Note: For how the CDR provisions so apply, see subsection (4).

(3) However, whether or not such a declaration is in force for an entity referred to in subsection (2), the CDR provisions apply in relation to the entity to the extent that:

(a) the CDR provisions relate to a CDR consumer for CDR data; and

(b) the entity is a CDR consumer for CDR data (or would be a CDR consumer for CDR data if the entity were a person).

Note: For how the CDR provisions so apply, see subsection (4).

How the CDR provisions apply to a government entity

(4) For an entity covered by subsection (1), (2) or (3), the CDR provisions apply as described in that subsection in relation to the entity:

(a) as if the entity were a person; and

(b) with the modifications (if any) prescribed by the regulations.

This subsection does not affect how subsection 56AQ(2) applies to the entity.

56AS Participating government entities of a State or Territory - declaration

(1) The Minister may, by notifiable instrument, declare that an entity is a participating entity for a State or Territory.

Note: An entity may be specified by class (see subsection 13(3) of the Legislation Act 2003).

(2) However, the Minister must not do so unless the Minister is satisfied that the State or Territory has agreed to the entity participating under this Part.

(3) If:

(a) a State or Territory has agreed to an entity of the State or Territory participating under this Part; and

(b) the entity is a body corporate;

the entity is taken to have also agreed to participate under this Part.

56AT Participating government entities of a State or Territory - revocation

(1) The Minister may, by notifiable instrument, revoke a declaration made under subsection 56AS(1) that an entity is a participating entity for a State or Territory.

(2) If a State or Territory requests in writing the Minister to revoke a declaration made under subsection 56AS(1) that an entity is a participating entity for the State or Territory, the Minister must, under subsection (1) of this section, revoke the declaration as soon as practicable.

(3) If the Minister revokes a declaration made under subsection 56AS(1) in relation to an entity, then, despite the revocation, subsection 56AR(2) continues to apply to the entity in relation to:

(a) any right, privilege, obligation or liability acquired, accrued or incurred before the revocation; and

(b) any investigation, legal proceeding or remedy in respect of any such right, privilege, obligation or liability;

as if the declaration were still in force.

Division 2 - Consumer data right

Subdivision A - Power to make consumer data rules

56BA Commission may make consumer data rules

(1) The Commission may, by legislative instrument, make rules (the consumer data rules) for designated sectors in accordance with this Division.

Note: Subdivision C deals with the process for making the consumer data rules.

(2) Without limiting subsection (1), the consumer data rules may set out:

(a) different rules for different designated sectors; or

(b) different rules for different classes of CDR data; or

(c) different rules for different classes of persons specified, as described in paragraph 56AC(2)(b), in an instrument designating a sector under subsection 56AC(2); or

(d) different rules for different classes of persons who are able to be disclosed CDR data under the consumer data rules.

56BB Matters that the consumer data rules may deal with

The consumer data rules may deal with the following matters:

(a) disclosure, collection, use, accuracy, storage, security or deletion of CDR data for which there are one or more CDR consumers (see also sections 56BC and 56BD);

(b) disclosure, collection, use, accuracy, storage, security or deletion of CDR data for which there are no CDR consumers (see also sections 56BE and 56BF);

(c) designated gateways for CDR data (see also section 56BG);

(d) accreditation of data recipients (see also section 56BH);

(e) reporting, record keeping and auditing (see also section 56BI);

(f) matters incidental or related to any of the above matters (see also section 56BJ).

56BC Rules about disclosure, collection, use, accuracy, storage, security or deletion of CDR data for which there are CDR consumers

Required disclosures in response to valid requests

(1) Without limiting paragraph 56BB(a), the consumer data rules may include the following rules:

(a) requirements on a CDR participant for CDR data to disclose all or part of the CDR data, in response to a valid request by a CDR consumer for the CDR data, to:

(i) the CDR consumer for use as the CDR consumer sees fit; or

(ii) an accredited person for use subject to the privacy safeguards;

(b) rules about:

(i) how a CDR consumer for the CDR data may make a valid request of the kind described in paragraph (a); and

(ii) what must be included in a request for it to be valid, what disclosures or other matters a valid request may cover, and when a request ceases to be a valid request;

(c) requirements on a person (other than a CDR consumer for the CDR data) to satisfy in order to be disclosed the CDR data in the way described in paragraph (a).

Note 1: The requirements described in paragraph (a) could, for example, include a requirement that the disclosure be in accordance with the relevant data standards.

Note 2: A fee may be charged for such a disclosure if the CDR data is chargeable CDR data, unless section 56BU provides otherwise.

Authorised disclosures or use in accordance with valid consents

(2) Without limiting paragraph 56BB(a), the consumer data rules may include the following rules:

(a) rules authorising a CDR participant for CDR data to disclose all or part of the CDR data to a person in accordance with a valid consent of a CDR consumer for the CDR data;

(b) rules authorising a person to use CDR data in accordance with a valid consent of a CDR consumer for the CDR data;

(c) rules about:

(i) how a CDR consumer for the CDR data may make a valid consent of the kind described in paragraph (a) or (b); and

(ii) what must be included in a consent for it to be valid, what disclosures, uses or other matters a valid consent may cover, and when a consent ceases to be a valid consent.

Note: Fees may be charged for these disclosures or uses.

Other rules

(3) Without limiting paragraph 56BB(a), the consumer data rules may include the following rules relating to CDR data for which there are one or more CDR consumers:

(a) rules relating to the privacy safeguards;

(b) other rules relating to the disclosure, collection, use, accuracy, storage or security of the CDR data that affect:

(i) an accredited person; or

(ii) a CDR participant, or CDR consumer, for the CDR data;

(c) other rules relating to the deletion of the CDR data that affect:

(i) an accredited person; or

(ii) an accredited data recipient of the CDR data; or

(iii) a CDR consumer for the CDR data.

Note 1: Subsection 56BD(3) limits how such rules can affect a data holder.

Note 2: The rules may deal with similar or additional matters to those in the privacy safeguards. When doing so, the rules will need to be consistent with those safeguards (see subsections 56EC(1) and (2)).

56BD Limitations for rules about CDR data for which there are CDR consumers

Only designated CDR data can be required to be disclosed

(1) The consumer data rules can only require a disclosure of CDR data for which there are one or more CDR consumers if:

(a) the CDR data is within a class of information specified, as described in paragraph 56AC(2)(a), in an instrument designating a sector under subsection 56AC(2); and

(b) the disclosure is to:

(i) one or more of those CDR consumers; or

(ii) an accredited person; or

(iii) a designated gateway for the CDR data.

Note 1: This means CDR data cannot be required to be disclosed if it:

(a) is not within a class specified in such an instrument; and

(b) is directly or indirectly derived from CDR data that is within a class specified in such an instrument.

Note 2: The consumer data rules can include other rules relating to this other derived CDR data.

Note 3: Voluntary disclosures of this other derived CDR data can be authorised under the consumer data rules.

No fee when fee-free CDR data is required to be disclosed

(2) The consumer data rules cannot allow a fee to be charged for:

(a) the disclosure of fee-free CDR data under rules like those described in paragraph 56BC(1)(a) or 56BG(1)(a); or

(b) the use of fee-free CDR data received as the result of such a disclosure.

Note: Fees may be charged for other kinds of disclosures or uses of fee-free CDR data.

Rules affecting data holders that relate to the use, accuracy, storage, security or deletion of CDR data

(3) For a data holder of CDR data for which there are one or more CDR consumers, the consumer data rules:

(a) cannot include rules affecting the data holder that relate to the deletion of the CDR data; and

(b) can only include rules affecting the data holder that relate to the use, accuracy, storage or security of the CDR data if such rules also relate to the disclosure of the CDR data under the consumer data rules.

Effect of limitations

(4) Subsections (1), (2) and (3) apply despite any other provision of this Division.

56BE Rules about disclosure, collection, use, accuracy, storage, security or deletion of product data

Without limiting paragraph 56BB(b), the consumer data rules may include the following rules for CDR data for which there are no CDR consumers:

(a) requirements on a CDR participant for the CDR data to disclose all or part of the CDR data to a person in response to a valid request by the person;

(b) rules about:

(i) how a person may make a valid request of the kind described in paragraph (a); and

(ii) what must be included in a request for it to be valid, what disclosures or other matters a valid request may cover, and when a request ceases to be a valid request;

(c) requirements on a person to satisfy in order to be disclosed the CDR data in the way described in paragraph (a);

(d) other rules affecting:

(i) CDR participants for the CDR data; or

(ii) persons wishing to be disclosed the CDR data;

that relate to the disclosure, collection, use, accuracy, storage, security or deletion of the CDR data.

Note 1: A request for this CDR data could be made, for example, to assist the development of a product or service.

Note 2: The requirements described in paragraph (a) could, for example, include a requirement that the disclosure be in accordance with the relevant data standards.

Note 3: The privacy safeguards do not apply to this CDR data (see subsection 56EB(1)).

56BF Limitations for rules about product data

Only certain kinds of product data can be required to be disclosed

(1) The consumer data rules can only require a disclosure of CDR data for which there are no CDR consumers if:

(a) the CDR data is about the eligibility criteria, terms and conditions, price, availability or performance of:

(i) a product or other kind of good; or

(ii) a service; and

(b) in the case where the CDR data is about availability or performance - the CDR data is publicly available.

Note 1: This means other kinds of CDR data for which there are no CDR consumers cannot be required to be disclosed.

Note 2: The consumer data rules can include other rules relating to other kinds of CDR data for which there are no CDR consumers.

Note 3: Voluntary disclosures of other kinds of CDR data for which there are no CDR consumers can be authorised under the consumer data rules.

No fee when this CDR data is required to be disclosed

(2) The consumer data rules cannot allow a fee to be charged for:

(a) the disclosure of CDR data under rules like those described in paragraph 56BE(a) or 56BG(2)(a); or

(b) the use of CDR data received as the result of such a disclosure.

Note: A fee could be charged for other disclosures or uses of CDR data for which there are no CDR consumers.

Effect of limitations

(3) Subsections (1) and (2) apply despite any other provision of this Division.

56BG Rules about designated gateways

CDR data for which there are CDR consumers

(1) Without limiting paragraph 56BB(c), if there is a designated gateway for CDR data for which there are one or more CDR consumers, the consumer data rules may include the following rules:

(a) rules like those described in subsection 56BC(1) for the CDR data, but involving the designated gateway:

(i) acting between the CDR consumer and the CDR participant in the making of a valid request; or

(ii) acting between the CDR consumer and the accredited person who is the proposed recipient of the requested disclosure; or

(iii) acting between the CDR participant and the CDR consumer, or accredited person, who is the proposed recipient of the requested disclosure;

(b) rules like those described in subsection 56BC(2) for the CDR data, but involving the designated gateway:

(i) acting between the CDR consumer and a person authorised as described in that subsection; or

(ii) acting between persons authorised as described in that subsection;

(c) other rules affecting the designated gateway that relate to the disclosure, collection, use, accuracy, storage, security or deletion of the CDR data.

Product data

(2) Without limiting paragraph 56BB(c), if there is a designated gateway for CDR data for which there are no CDR consumers, the consumer data rules may include the following rules:

(a) rules like those described in paragraphs 56BE(a) to (c), but involving the designated gateway acting between the CDR participant and the person requesting the disclosure;

(b) other rules affecting the designated gateway that relate to the disclosure, collection, use, accuracy, storage, security or deletion of the CDR data.

Limitation - rules relating to the collection, use, accuracy, storage, security or deletion of CDR data

(3) For a designated gateway for CDR data for which there are one or more CDR consumers, the consumer data rules:

(a) can only include rules affecting the designated gateway requiring or authorising the disclosure of the CDR data if such rules are as described in paragraph (1)(a) or (b); and

(b) can only include rules affecting the designated gateway that relate to the collection, use, accuracy, storage, security or deletion of the CDR data if such rules also relate to a disclosure described in paragraph (a) of this subsection.

Note: Paragraph (a) does not prevent the inclusion of a rule relating to a disclosure described in that paragraph.

(4) Subsection (3) applies despite any other provision of this Division.

Transitional rules

(5) Without limiting paragraph 56BB(c), if there is a designated gateway for CDR data, the consumer data rules may include transitional rules for when a person ceases to be the designated gateway, including about the disclosure, collection, use, accuracy, storage, security or deletion of the CDR data.

Note: These rules could, for example, include a requirement that the CDR data be disclosed in accordance with the relevant data standards to another gateway. Some of these transitional rules could be similar to some of the privacy safeguards.

56BH Rules about accreditation of data recipients

(1) Without limiting paragraph 56BB(d), the consumer data rules may include the following rules:

(a) rules conferring functions or powers on the Data Recipient Accreditor;

(b) the criteria for a person to be accredited under subsection 56CA(1);

(c) rules providing that accreditations may be granted subject to conditions, and that conditions may be imposed on an accreditation after it has been granted;

(d) rules providing that accreditations may be granted at different levels corresponding to different risks, including the risks associated with:

(i) specified classes of CDR data; or

(ii) specified classes of activities; or

(iii) specified classes of applicants for accreditation;

(e) rules for the period, renewal, transfer, variation, suspension, revocation or surrender of accreditations;

(f) notification requirements on persons whose accreditations have been varied, suspended, revoked or surrendered;

(g) transitional rules for when an accreditation is varied, is suspended or ends, including about the disclosure, collection, use, accuracy, storage, security or deletion of CDR data;

(h) rules about a matter referred to in subsection 56CE(4) (about the Register of Accredited Persons).

Note: The rules described in paragraph (g) could, for example, include a requirement that the CDR data be disclosed in accordance with the relevant data standards to an accredited person. Some of these transitional rules could be similar to some of the privacy safeguards.

(2) Without limiting paragraph (1)(b):

(a) the criteria may differ for different classes of persons; and

(b) the criteria may include the payment of a fee.

Any fee must not be such as to amount to taxation.

(3) Without limiting paragraph (1)(e), each of the following may be a ground for varying, suspending or revoking an accreditation:

(a) a failure to comply with a requirement in this Part or in the consumer data rules;

(b) a failure to comply with a requirement in the privacy safeguards.

Note: An example of a variation could be the imposition of a condition, or changing the level of an accreditation.

(4) If the consumer data rules include rules enabling decisions to be made to vary, suspend or revoke accreditations, the rules must permit the making of applications to the Administrative Appeals Tribunal for review of those decisions.

Note: The consumer data rules can also provide for internal review of these decisions, and internal and AAT review of other decisions (see section 56BJ).

56BI Rules about reporting, record keeping and auditing

(1) Without limiting paragraph 56BB(e), the consumer data rules may include the following rules:

(a) a power for a CDR consumer for CDR data to direct a CDR participant for the CDR data to give the consumer, or an accredited person, reports about:

(i) the consumer's valid requests to the CDR participant, under rules like those described in paragraph 56BC(1)(a) or 56BG(1)(a), for the CDR data; and

(ii) any disclosures made in response to such requests;

(b) a power for a CDR consumer for CDR data to direct a CDR participant for the CDR data to give the consumer, or an accredited person, reports about:

(i) the consumer's valid consents to the CDR participant, under rules like those described in paragraph 56BC(2)(a) or (b) or 56BG(1)(b), for the CDR data; and

(ii) any disclosures made in response to such consents;

(c) a power for a person referred to in paragraph 56BG(1)(a) or (b) to direct a designated gateway referred to in that paragraph to give reports about:

(i) valid requests or consents, affecting the designated gateway, under rules like those described in that paragraph; and

(ii) any disclosures made in response to such requests or consents;

(d) requirements for CDR participants for CDR data to give reports to the Commission or the Information Commissioner;

(e) requirements for accredited persons to give reports to the Commission or the Information Commissioner;

(f) requirements for designated gateways for CDR data to give reports to the Commission or the Information Commissioner;

(g) requirements for the keeping of records relating to the operation of the consumer data rules;

(h) requirements for each of the following entities:

(i) the Data Recipient Accreditor;

(ii) the Accreditation Registrar;

(iii) the Data Standards Chair;

to give reports to the Commission or the Information Commissioner about that entity's functions or powers.

Note: Information or documents relating to compliance with the consumer data rules may also be required to be given (see subsections 155(1) and (2)).

(2) Without limiting paragraph 56BB(e), the consumer data rules may include requirements for CDR participants or designated gateways for CDR data, or accredited persons, to give to the Commission or Information Commissioner:

(a) copies of one or more of the records required to be kept as described in paragraph (1)(g); or

(b) information from such records;

either periodically, or on request by the Commission or Information Commissioner, or both.

56BJ Rules about incidental or related matters

Without limiting paragraph 56BB(f), the consumer data rules may include the following rules:

(a) rules that refer to the data standards;

(b) the circumstances in which persons are, or may be, relieved from complying with requirements in the consumer data rules that would otherwise apply to them;

(c) a rule that depends on a person being satisfied of one or more specified matters;

(d) rules for the making of applications for internal review, or of applications to the Administrative Appeals Tribunal for review, of decisions of a person under the consumer data rules;

(e) rules about the manner or form in which persons or bodies:

(i) may exercise powers under the consumer data rules; or

(ii) must comply with requirements imposed by the consumer data rules;

which could include requiring the use of a form approved by the Commission or by the Information Commissioner;

(f) rules about the following matters:

(i) the manner in which CDR participants for CDR data may charge (or cause to be charged) a fee for a matter covered by the consumer data rules;

(ii) the time for paying such a fee;

(iii) giving notice of, or publicising, such a fee or matters about such a fee;

(g) rules requiring CDR participants, or designated gateways, for CDR data to have internal or external dispute resolution processes:

(i) that relate to the operation of the consumer data rules or this Part; and

(ii) that meet specified criteria;

(h) rules relating to an external dispute resolution scheme recognised under Division 4, including about access to such a scheme;

(i) transitional rules for the external resolution of disputes:

(i) described in subsection 56DA(1); and

(ii) not covered by a scheme recognised under that subsection;

(j) rules about any other matters that the provisions of this Part provide may be specified, or otherwise dealt with, in the consumer data rules.

56BK Further limitations on the consumer data rules

(1) The consumer data rules cannot impose on a person a requirement that has a retrospective commencement or application.

Example: The rules cannot require a data holder to disclose CDR data on a day before the rules are registered, or on a day before the registration of a variation to the rules that includes the requirement.

Note: Other limitations on the consumer data rules are in sections 56BD, 56BF and 56BG.

(2) To avoid doubt, the consumer data rules may require a person to do something on a particular day, in relation to CDR data generated or collected on an earlier day, if the person:

(a) is a data holder of the CDR data; or

(b) is an accredited person; or

(c) is a person who has given a valid request under the consumer data rules relating to the CDR data; or

(d) is a designated gateway for the CDR data.

Example: A data holder is given a valid request to disclose CDR data that was generated before the rules are registered. The rules can require that disclosure.

(3) The regulations may provide that the consumer data rules:

(a) have no effect to the extent that the consumer data rules deal with specified matters, or impose specified requirements, in relation to:

(i) specified classes of CDR data; or

(ii) specified classes of persons; or

(b) only have effect to the extent that the consumer data rules deal with specified matters, or impose specified requirements, in relation to:

(i) specified classes of CDR data; or

(ii) specified classes of persons.

The consumer data rules have effect (or no effect) accordingly.

(4) Subsections (1) and (3) apply despite any other provision of this Division.

Subdivision B - Compliance with consumer data rules

56BL Obligation to comply with consumer data rules

The consumer data rules may provide that specified provisions of the rules are civil penalty provisions (within the meaning of the Regulatory Powers Act).

Note: Sections 76 to 77 deal with enforcing the civil penalty provisions.

56BM Infringement notices

Object

(1) The object of this section is for Division 5 of Part XI to apply to a civil penalty provision of the consumer data rules in a corresponding way to the way that Division applies to a provision of Part 2-2 of the Australian Consumer Law.

Note: That Division is about infringement notices issued for alleged contraventions of provisions of the Australian Consumer Law.

Extended application of Division 5 of Part XI etc.

(2) Division 5 of Part XI, and any other provision of this Act that relates to that Division, also apply in relation to a civil penalty provision of the consumer data rules as if the substitutions in the following table were made.

Substitutions to be made

Item | For a reference in Division 5 of Part XI to … | … substitute a reference to …

1 | section 224 of the Australian Consumer Law | section 76 of this Act.

2 | Chapter 4 or Part 5-2 of the Australian Consumer Law | Part VI of this Act.

3 | a provision of Part 2-2 of the Australian Consumer Law | a civil penalty provision of the consumer data rules.

(3) To avoid doubt, Division 2 of Part XI does not limit the application of section 56GF (about constitutional basis) to the extended application of Division 5 of Part XI as described in this section.

56BN Misleading or deceptive conduct - offence

(1) A person commits an offence if:

(a) the person engages in conduct; and

(b) the person does so knowing that the conduct:

(i) is misleading or deceptive; or

(ii) is likely to be misleading or deceptive; and

(c) the conduct misleads or deceives, or is likely to mislead or deceive, another person (the second person) into believing that:

(i) a person is a CDR consumer for CDR data; or

(ii) a person is making a valid request or consent, or has satisfied other criteria, for the disclosure of CDR data under the consumer data rules.

Note: The person mentioned in subparagraph (c)(i) or (ii) could be the first-mentioned person, the second person or a third person.

Defence

(2) Subsection (1) does not apply if the conduct is not misleading or deceptive in a material particular.

Note: A defendant bears an evidential burden in relation to the matter in this subsection (see subsection 13.3(3) of the Criminal Code).

Penalty - body corporate

(3) An offence against subsection (1) committed by a body corporate is punishable on conviction by a fine of not more than the greater of the following:

(a) $10,000,000;

(b) if the court can determine the value of the benefit that the body corporate, and any body corporate related to the body corporate, have obtained directly or indirectly and that is reasonably attributable to the commission of the offence - 3 times the value of that benefit;

(c) if the court cannot determine the value of that benefit - 10% of the annual turnover of the body corporate during the 12-month period ending at the end of the month in which the commission of the offence happened or began.

(4) For the purposes of paragraph (3)(c), annual turnover has the same meaning as in Division 1 of Part IV.

Penalty - other persons

(5) An offence against subsection (1) committed by a person other than a body corporate is punishable on conviction by imprisonment for not more than 5 years, a fine of not more than $500,000, or both.

56BO Misleading or deceptive conduct - civil penalty

(1) A person must not engage in conduct that misleads or deceives, or is likely to mislead or deceive, another person (the second person) into believing that:

(a) a person is a CDR consumer for CDR data; or

(b) a person is making a valid request or consent, or has satisfied other criteria, for the disclosure of CDR data under the consumer data rules.

Note 1: The person mentioned in paragraph (a) or (b) could be the first-mentioned person, the second person or a third person.

Note 2: For enforcement, see Part VI (including section 76 for an order for payment of a pecuniary penalty).

Defence

(2) Subsection (1) does not apply if the conduct is not misleading or deceptive in a material particular.

(3) A person who wishes to rely on subsection (2) bears the burden of adducing or pointing to evidence that suggests a reasonable possibility that the conduct is not misleading or deceptive in a material particular.

Subdivision C - Process for making consumer data rules etc.

56BP Matters to which Commission must have regard when making the rules

Before making consumer data rules under subsection 56BA(1), the Commission must consider the kinds of matters referred to in paragraphs 56AD(1)(a) and (b).

56BQ Commission to consult before making the rules

(1) Before making consumer data rules under subsection 56BA(1), the Commission must:

(a) consult the public about the making of the rules:

(i) for at least 28 days; and

(ii) in one or more ways that includes making information available on the Commission's website, and inviting the public to comment; and

(b) consult each of the following about the making of the rules:

(i) the Information Commissioner;

(ii) if the rules relate to a particular designated sector - the person or body (if any) that the Commission believes to be the primary regulator of that sector;

(iii) any person or body prescribed by the regulations; and

(c) wait at least 60 days after the day consultation of the public begins under paragraph (a) about the making of the rules.

(2) A failure to comply with subsection (1) does not invalidate the consumer data rules.

56BR Ministerial consent to rules required

The Commission must not make consumer data rules under subsection 56BA(1) unless the Minister has consented, in writing, to the making of the rules.

Note: In an emergency, consent is not required (see section 56BS).

56BS Emergency rules: usual consultation and consent not required

(1) The Commission may make consumer data rules under subsection 56BA(1):

(a) after consulting the Information Commissioner, but without otherwise complying with section 56BQ; and

(b) without the consent of the Minister as required by section 56BR;

if the Commission believes (whether or not that belief is reasonable) that it is necessary to do so in order to avoid a risk of serious harm to:

(c) the efficiency, integrity or stability of any aspect of the Australian economy; or

(d) the interests of consumers.

Note: The Commission still needs to comply with section 56BP.

(2) However, a failure to comply with paragraph (1)(a) does not invalidate rules made as described in subsection (1).

Note: Such rules may have a limited life (see subsection 56BT(3)).

56BT Emergency rules: consequences if made

(1) If the Commission makes consumer data rules as described in subsection 56BS(1) (the emergency rules), the Commission must:

(a) on the following day, give the Minister a written explanation of the need for the emergency rules; and

(b) vary or repeal the emergency rules in accordance with any directions given under subsection (2).

(2) The Minister may, by writing, direct the Commission to vary or repeal the emergency rules.

(3) If:

(a) the emergency rules are made without consulting the Information Commissioner, but otherwise in accordance with subsection 56BS(1); and

(b) the Minister does not give a direction under subsection (2) about the emergency rules;

the emergency rules cease to be in force 6 months after the day they are made.

Note: If the emergency rules vary other consumer data rules, this subsection causes only the emergency rules to cease to be in force.

(4) A direction given under subsection (2) is not a legislative instrument.

(5) Despite subsections 33(3) and (3AA) of the Acts Interpretation Act 1901, the requirements of sections 56BP, 56BQ and 56BR of this Act do not apply in relation to a variation or repeal of the emergency rules pursuant to a direction given under subsection (2) of this section.

Note: This subsection alters the requirement in subsections 33(3) and (3AA) of the Acts Interpretation Act 1901 that variations or repeals must be made in a like manner and subject to like conditions.

Subdivision D - Fees for disclosing CDR data

56BU Charging a fee in inappropriate circumstances when required to disclose CDR data

(1) A person contravenes this subsection if:

(a) the person is a CDR participant for CDR data; and

(b) the person is required under the consumer data rules to disclose all or part of the CDR data; and

(c) the person charges (or causes to be charged) a fee for either or both of the following matters:

(i) the disclosure (or a related disclosure by a designated gateway or other CDR participant for the CDR data);

(ii) the use of the CDR data as the result of the disclosure (or of that related disclosure); and

(d) subsection (2) or any of the following subparagraphs applies:

(i) the CDR data is fee-free CDR data;

(ii) to the extent that the fee is charged for the disclosure of chargeable CDR data - the fee purports to cover a disclosure in circumstances that are not chargeable circumstances;

(iii) to the extent that the fee is charged for the use of chargeable CDR data - the fee purports to cover use in circumstances that are not chargeable circumstances.

Note: For enforcement, see Part VI (including section 76 for an order for payment of a pecuniary penalty).

(2) This subsection applies if:

(a) any fee (the reasonable fee):

(i) that has been determined under subsection 56BV(1) for the person; or

(ii) that can be worked out from a method determined under subsection 56BV(1) for the person;

covers either or both of the matters in paragraph (1)(c) of this section; and

(b) the portion of the fee charged as described in that paragraph for those matters exceeds the corresponding portion of the reasonable fee.

56BV Commission may intervene if fee for disclosing or using chargeable CDR data is unreasonable etc.

(1) The Commission may determine the following for a specified CDR participant for specified chargeable CDR data:

(a) the amount of a fee, or a method for working out the amount of a fee, that the CDR participant may charge (or cause to be charged) for either or both of the following matters (the chargeable matters):

(i) the disclosure of the chargeable CDR data in chargeable circumstances because of a requirement under the consumer data rules to do so;

(ii) the use of the chargeable CDR data in chargeable circumstances as the result of such a disclosure;

(b) the specified persons who are liable to pay that fee;

if the Commission is satisfied that the fee that the CDR participant would otherwise charge (or cause to be charged) is unreasonable having regard to the criteria in subsection (3).

(2) When determining an amount or method under subsection (1), the Commission must seek to ensure that the resulting fee:

(a) reflects the reasonable costs (including capital costs) necessary for the CDR participant to comply with this Part and the consumer data rules in relation to the chargeable matters; and

(b) is reasonable having regard to the criteria in subsection (3).

(3) The criteria for the purposes of subsection (1) and paragraph (2)(b) are:

(a) the matters in subparagraphs 56AD(1)(a)(i), (ii), (iv) to (vi) and (c)(ii) and (iv); and

(b) whether a lower fee could result in an acquisition of property (within the meaning of paragraph 51(xxxi) of the Constitution); and

(c) whether a lower fee would reduce the incentive to generate, collect, hold or maintain CDR data of that kind; and

(d) any other matters the Commission considers relevant.

(4) A determination under subsection (1) specifying a class of CDR participants must be made by legislative instrument.

(5) A determination under subsection (1) specifying a particular CDR participant:

(a) must be made by written notice given to the CDR participant; and

(b) is not a legislative instrument.

(6) A fee determined under subsection (1) must not be such as to amount to taxation.

56BW Review by the Tribunal of determinations specifying particular CDR participants

(1) If the Commission makes a determination under subsection 56BV(1) in the way described in subsection 56BV(5):

(a) the CDR participant specified in the determination; or

(b) a person whose interests are affected by the determination;

may apply in writing to the Tribunal for a review of the determination.

(2) An application under this section for a review of a determination must be made within 21 days after the day the Commission made the determination.

(3) If the Tribunal receives an application under this section for a review of a determination, the Tribunal must review the determination.

56BX Functions and powers of Tribunal

(1) On a review of a determination made under subsection 56BV(1), the Tribunal:

(a) may make a decision affirming, setting aside or varying the determination; and

(b) for the purposes of the review, may perform all the functions and exercise all the powers of the Commission.

(2) A decision by the Tribunal affirming, setting aside or varying such a determination is taken for the purposes of this Act (other than sections 56BW to 56BY) to be a determination of the Commission.

(3) For the purposes of a review by the Tribunal, the member of the Tribunal presiding at the review may require the Commission to give such information, make such reports and provide such other assistance to the Tribunal as the member specifies.

(4) For the purposes of a review, the Tribunal may have regard to any information given, documents produced or evidence given to the Commission in connection with the making of the determination to which the review relates.

Note: Division 2 of Part IX applies to proceedings before the Tribunal.

56BY Provisions that do not apply in relation to a Tribunal review

Division 1 of Part IX does not apply in relation to a review by the Tribunal of a determination made under subsection 56BV(1).

Division 3 - Accreditation etc.

Subdivision A - Accreditation process

56CA Granting accreditations

(1) The Data Recipient Accreditor may, in writing, accredit a person if the Data Recipient Accreditor is satisfied that the person meets the criteria for accreditation specified in the consumer data rules.

(2) To avoid doubt, a person may be accredited even if the person:

(a) is not a body corporate established by or under a law of the Commonwealth, of a State or of a Territory; and

(b) is neither an Australian citizen, nor a permanent resident (within the meaning of the Australian Citizenship Act 2007).

(3) An accreditation is granted on the basis that no compensation is payable if the accreditation is varied, transferred, suspended, revoked or surrendered in any way.

56CB Review of decisions refusing to accredit

Applications may be made to the Administrative Appeals Tribunal for review of decisions of the Data Recipient Accreditor under subsection 56CA(1) refusing to accredit persons.

Note: For AAT review of decisions to vary, suspend or revoke accreditations, see subsection 56BH(4).

56CC Prohibition on holding out - offence

(1) A person commits an offence if the person holds out that the person:

(a) is an accredited person; or

(b) is an accredited person holding an accreditation that has been granted at a particular level (see paragraph 56BH(1)(d)); or

(c) is an accredited data recipient of CDR data;

if that is not the case.

Penalty - body corporate

(2) An offence against subsection (1) committed by a body corporate is punishable on conviction by a fine of not more than the greater of the following:

(a) $10,000,000;

(b) if the court can determine the value of the benefit that the body corporate, and any body corporate related to the body corporate, have obtained directly or indirectly and that is reasonably attributable to the commission of the offence - 3 times the value of that benefit;

(c) if the court cannot determine the value of that benefit - 10% of the annual turnover of the body corporate during the 12-month period ending at the end of the month in which the commission of the offence happened or began.

(3) For the purposes of paragraph (2)(c), annual turnover has the same meaning as in Division 1 of Part IV.

Penalty - other persons

(4) An offence against subsection (1) committed by a person other than a body corporate is punishable on conviction by imprisonment for not more than 5 years, a fine of not more than $500,000, or both.

56CD Prohibition on holding out - civil penalty

A person must not hold out that the person:

(a) is an accredited person; or

(b) is an accredited person holding an accreditation that has been granted at a particular level (see paragraph 56BH(1)(d)); or

(c) is an accredited data recipient of CDR data;

if that is not the case.

Note: For enforcement, see Part VI (including section 76 for an order for payment of a pecuniary penalty).

Subdivision B - Register of Accredited Persons

56CE Register of Accredited Persons

(1) The Accreditation Registrar must establish and maintain a register for the purposes of this Part, to be known as the Register of Accredited Persons.

(2) The Accreditation Registrar must maintain the register by electronic means.

(3) The register is not a legislative instrument.

(4) The consumer data rules may make provision for or in relation to the following:

(a) the inclusion in the register of entries for accredited persons;

(b) the correction of entries in the register;

(c) the publication or availability of all or part of the register, or of specified information in the register;

(d) any other matter relating to the content, administration or operation of the register.

56CF Evidentiary value of the register

(1) The register is admissible in any proceedings as prima facie evidence of the matters in it.

(2) The Accreditation Registrar may issue a document containing the details of a matter taken from the register.

(3) The document issued under subsection (2) is admissible in any proceedings as prima facie evidence of the matter.

Subdivision C - Data Recipient Accreditor

56CG Appointment of the Data Recipient Accreditor

(1) The Minister may, by written instrument, appoint as the Data Recipient Accreditor a person who:

(a) is the accountable authority of a Commonwealth entity (within the meaning of the Public Governance, Performance and Accountability Act 2013); or

(b) is a Commonwealth entity (within the meaning of that Act).

Note 1: For variation, see subsection 33(3) of the Acts Interpretation Act 1901.

Note 2: The Commission will be the Data Recipient Accreditor in the absence of an appointment under this subsection (see the definition of Data Recipient Accreditor in subsection 4(1)).

(2) The Minister may, at any time by written instrument, terminate an appointment made under subsection (1).

56CH Functions, powers and annual report

(1) The functions of the Data Recipient Accreditor are:

(a) to accredit persons under subsection 56CA(1); and

(b) such other functions as are conferred by the consumer data rules.

(2) The Data Recipient Accreditor has the power to do all other things necessary or convenient to be done for or in connection with the performance of the Data Recipient Accreditor's functions.

(3) To avoid doubt, for a person who is the Data Recipient Accreditor, both:

(a) the person's functions and powers in their capacity other than as the Data Recipient Accreditor (their primary capacity); and

(b) if the person is not a body corporate - the functions that may be performed, and the powers that may be exercised, by anyone appointed under a Commonwealth law to act as the person in that primary capacity;

are taken to include the functions and powers of the Data Recipient Accreditor while the person is the Data Recipient Accreditor.

(4) If:

(a) a person is the Data Recipient Accreditor at any time during a period; and

(b) an annual report for the period is prepared under section 46 of the Public Governance, Performance and Accountability Act 2013:

(i) by the person in the person's primary capacity; or

(ii) about the person in the person's primary capacity;

the annual report must include information about the performance of the Data Recipient Accreditor's functions, and the exercise of the Data Recipient Accreditor's powers, at that time.

56CI Directions by Minister

(1) The Minister may, by legislative instrument, give written directions to the Data Recipient Accreditor about the performance of its functions and the exercise of its powers.

Note: Section 42 (disallowance) and Part 4 of Chapter 3 (sunsetting) of the Legislation Act 2003 do not apply to the directions (see regulations made for the purposes of paragraphs 44(2)(b) and 54(2)(b) of that Act).

(2) A direction under subsection (1) must be of a general nature only.

(3) The Data Recipient Accreditor must comply with a direction under subsection (1).

56CJ Delegation

(1) The Data Recipient Accreditor may delegate any or all of the Data Recipient Accreditor's functions or powers to:

(a) an SES employee, or an acting SES employee, in the Department, in the Commission or in the Commonwealth entity appointed under paragraph 56CG(1)(b) (if any); or

(b) an APS employee who is holding or performing the duties of a specified office or position that:

(i) is in the Department, in the Commission or in the Commonwealth entity appointed under paragraph 56CG(1)(b) (if any); and

(ii) is an office or position that the Data Recipient Accreditor is satisfied is sufficiently senior for the APS employee to perform the function or exercise the power.

(2) In doing anything under a delegation under this section, the delegate must comply with any directions of the Data Recipient Accreditor.

Subdivision D - Accreditation Registrar

56CK Appointment of the Accreditation Registrar

(1) The Minister may, by written instrument, appoint as the Accreditation Registrar a person who:

(a) is the accountable authority of a Commonwealth entity (within the meaning of the Public Governance, Performance and Accountability Act 2013); or

(b) is a Commonwealth entity (within the meaning of that Act).

Note 1: For variation, see subsection 33(3) of the Acts Interpretation Act 1901.

Note 2: The Commission will be the Accreditation Registrar in the absence of an appointment under this subsection (see the definition of Accreditation Registrar in subsection 4(1)).

(2) The Minister may, at any time by written instrument, terminate an appointment made under subsection (1).

56CL Functions, powers and annual report

(1) The functions of the Accreditation Registrar are:

(a) those described in Subdivision B; and

(b) such other functions as are conferred by the consumer data rules.

(2) The Accreditation Registrar has the power to do all other things necessary or convenient to be done for or in connection with the performance of the Accreditation Registrar's functions.

(3) To avoid doubt, for a person who is the Accreditation Registrar, both:

(a) the person's functions and powers in their capacity other than as the Accreditation Registrar (their primary capacity); and

(b) if the person is not a body corporate - the functions that may be performed, and the powers that may be exercised, by anyone appointed under a Commonwealth law to act as the person in that primary capacity;

are taken to include the functions and powers of the Accreditation Registrar while the person is the Accreditation Registrar.

(4) If:

(a) a person is the Accreditation Registrar at any time during a period; and

(b) an annual report for the period is prepared under section 46 of the Public Governance, Performance and Accountability Act 2013:

(i) by the person in the person's primary capacity; or

(ii) about the person in the person's primary capacity;

the annual report must include information about the performance of the Accreditation Registrar's functions, and the exercise of the Accreditation Registrar's powers, at that time.

56CM Directions by Minister

(1) The Minister may, by legislative instrument, give written directions to the Accreditation Registrar about the performance of its functions and the exercise of its powers.

Note: Section 42 (disallowance) and Part 4 of Chapter 3 (sunsetting) of the Legislation Act 2003 do not apply to the directions (see regulations made for the purposes of paragraphs 44(2)(b) and 54(2)(b) of that Act).

(2) A direction under subsection (1) must be of a general nature only.

(3) The Accreditation Registrar must comply with a direction under subsection (1).

56CN Delegation

(1) The Accreditation Registrar may delegate any or all of the Accreditation Registrar's functions or powers to:

(a) an SES employee, or an acting SES employee, in the Department, in the Commission or in the Commonwealth entity appointed under paragraph 56CK(1)(b) (if any); or

(b) an APS employee who is holding or performing the duties of a specified office or position that:

(i) is in the Department, in the Commission or in the Commonwealth entity appointed under paragraph 56CK(1)(b) (if any); and

(ii) is an office or position that the Accreditation Registrar is satisfied is sufficiently senior for the APS employee to perform the function or exercise the power.

Note: For the Registrar's functions and powers, see section 56CE.

(2) In doing anything under a delegation under this section, the delegate must comply with any directions of the Accreditation Registrar.

Division 4 - External dispute resolution

56DA Commission may recognise external dispute resolution schemes

Recognising an external dispute resolution scheme

(1) The Commission may, by notifiable instrument, recognise an external dispute resolution scheme for the resolution of disputes:

(a) relating to the operation of the consumer data rules, or this Part, in relation to one or more designated sectors; and

(b) involving one or more of the following:

(i) CDR participants for CDR data;

(ii) CDR consumers for CDR data;

(iii) designated gateways for CDR data;

(iv) other persons relating to any of those designated sectors.

Note 1: The consumer data rules may require internal dispute resolution schemes, see paragraph 56BJ(g).

Note 2: For variation and repeal, see subsection 33(3) of the Acts Interpretation Act 1901.

(2) The Commission may, in the instrument under subsection (1):

(a) specify a period for which the recognition of the external dispute resolution scheme is in force; and

(b) make the recognition of the external dispute resolution scheme subject to specified conditions, including conditions relating to the conduct of an independent review of the operation of the scheme.

Before recognising an external dispute resolution scheme

(3) Before recognising an external dispute resolution scheme under subsection (1), the Commission must consider:

(a) the accessibility of the scheme; and

(b) the independence of the scheme; and

(c) the fairness of the scheme; and

(d) the accountability of the scheme; and

(e) the efficiency of the scheme; and

(f) the effectiveness of the scheme; and

(g) any other matters the Commission considers relevant.

(4) Before recognising an external dispute resolution scheme under subsection (1), the Commission must consult the Information Commissioner about the scheme.

(5) A failure to comply with subsection (4) does not invalidate an instrument made under subsection (1).

Division 5 - Privacy safeguards

Subdivision A - Preliminary

56EA Simplified outline

This Division sets out privacy safeguards that protect the privacy or confidentiality of CDR consumers' CDR data, whether the CDR consumers are individuals or bodies corporate.

The privacy safeguards apply mainly to accredited data recipients, but also to data holders and designated gateways, in relation to their handling of the CDR data.

A person's failure to comply with any of these safeguards may lead to consequences, including liability to a civil penalty (see Subdivision G) or the suspension or revocation of the person's accreditation (see subsection 56BH(3)).

56EB Kinds of CDR data to which the privacy safeguards apply

(1) The privacy safeguards only apply to CDR data for which there are one or more CDR consumers.

Note: One requirement for CDR data to have a CDR consumer is that there needs to be at least one person who is identifiable, or reasonably identifiable, from the CDR data or from related information (see paragraph 56AI(3)(c)).

(2) The privacy safeguards apply to CDR data whether the CDR data is true or not.

56EC Relationship with other laws

Relationship with the consumer data rules

(1) If there is an inconsistency between the privacy safeguards and the consumer data rules, those safeguards prevail over those rules to the extent of the inconsistency.

(2) However, the consumer data rules are taken to be consistent with the privacy safeguards to the extent that they are capable of operating concurrently.

Note: This means that the privacy safeguards do not cover the field that they deal with.

Relationship with the Privacy Act 1988

(3) This Division does not limit Part IIIA (about credit reporting) of the Privacy Act 1988. However, the regulations may declare that in specified circumstances that Part applies in relation to CDR data as if specified provisions of that Part were omitted, modified or varied as specified in the declaration.

(4) Despite the Privacy Act 1988:

(a) the Australian Privacy Principles do not apply to an accredited data recipient of CDR data in relation to the CDR data; and

(b) if subsection 56EN(1) applies to a disclosure of CDR data by a data holder of the CDR data - Australian Privacy Principle 10 does not apply to the data holder in relation to that disclosure of the CDR data; and

(c) if subsection 56EP(1) applies to CDR data and a data holder of the CDR data - Australian Privacy Principle 13 does not apply to the data holder in relation to the CDR data; and

(d) Australian Privacy Principles 6, 7 and 11 do not apply to a designated gateway for CDR data in relation to the CDR data.

Note 1: For the accredited data recipient, the privacy safeguards will apply instead.

Note 2: Section 56EN (or privacy safeguard 11) is about the quality of CDR data. Section 56EP (or privacy safeguard 13) is about correcting CDR data.

(5) Apart from paragraphs (4)(b) to (d), this Division does not affect how the Australian Privacy Principles apply to:

(a) a data holder of CDR data in relation to the CDR data; or

(b) a designated gateway for CDR data in relation to the CDR data.

Note 1: Privacy safeguard 1 will apply to a data holder or designated gateway in parallel to Australian Privacy Principle 1.

Note 2: The consumer data rules (which are made under Division 2) will affect how the Australian Privacy Principles apply. Requirements and authorisations under those rules will be requirements or authorisations under an Australian law for the purposes of the Australian Privacy Principles.

Subdivision B - Consideration of CDR data privacy

56ED Privacy safeguard 1 - open and transparent management of CDR data

Object

(1) The object of this section is to ensure that each person (a CDR entity) who is:

(a) a data holder of CDR data; or

(b) an accredited data recipient of CDR data; or

(c) a designated gateway for CDR data;

manages the CDR data in an open and transparent way.

Compliance with this Part etc.

(2) The CDR entity must take such steps as are reasonable in the circumstances to implement practices, procedures and systems that:

(a) will ensure that the CDR entity complies with this Part and the consumer data rules; and

(b) will enable the CDR entity to deal with inquiries or complaints from a CDR consumer for the CDR data about the CDR entity's compliance with this Part or the consumer data rules.

Policy about the management of CDR data

(3) The CDR entity must have and maintain a clearly expressed and up-to-date policy that:

(a) is about the CDR entity's management of CDR data; and

(b) is in a form approved in accordance with the consumer data rules; and

(c) contains the information required by subsections (4), (5) and (6) (as applicable).

Note: This subsection is a civil penalty provision (see section 56EU).

(4) If the CDR entity is a data holder of any CDR data, the CDR entity's policy must contain the following information:

(a) how a CDR consumer for the CDR data may access the CDR data and seek the correction of the CDR data;

(b) how a CDR consumer for the CDR data may complain about a failure of the CDR entity to comply with this Part or the consumer data rules, and how the CDR entity will deal with such a complaint.

(5) If the CDR entity is an accredited data recipient of any CDR data, the CDR entity's policy must contain the following information:

(a) the classes of CDR data held by (or on behalf of) the CDR entity as an accredited data recipient, and how such CDR data is held;

(b) the purposes for which the CDR entity may collect, hold, use or disclose such CDR data with the consent of a CDR consumer for the CDR data;

(c) how a CDR consumer for such CDR data may access the CDR data and seek the correction of the CDR data;

(d) how a CDR consumer for such CDR data may complain about a failure of the CDR entity to comply with this Part or the consumer data rules, and how the CDR entity will deal with such a complaint;

(e) whether the CDR entity is likely to disclose such CDR data to accredited persons who are based overseas;

(f) if the CDR entity is likely to disclose such CDR data to accredited persons who are based overseas - the countries in which such persons are likely to be based if it is practicable to specify those countries in the policy;

(g) the circumstances in which the CDR entity may disclose such CDR data to a person who is not an accredited person;

(h) the events about which the CDR entity will notify the CDR consumers of such CDR data;

(i) the circumstances in which the CDR entity must delete or de-identify such CDR data in accordance with a request given by a CDR consumer for the CDR data under the consumer data rules.

(6) If the CDR entity is a designated gateway for any CDR data, the CDR entity's policy must contain the following information:

(a) an explanation of how the CDR entity, as a designated gateway, will act between persons to facilitate:

(i) the disclosure of CDR data; or

(ii) the accuracy of CDR data; or

(iii) other matters;

under the consumer data rules;

(b) how a CDR consumer for such CDR data may complain about a failure of the CDR entity to comply with this Part or the consumer data rules, and how the CDR entity will deal with such a complaint.

Availability of policy etc.

(7) The CDR entity must make the CDR entity's policy available:

(a) free of charge; and

(b) in accordance with the consumer data rules.

Note: One way the consumer data rules could require the policy to be made available is to require the policy to be made available in accordance with a data standard.

(8) If a copy of the CDR entity's policy is requested by a CDR consumer for the CDR data, the CDR entity must give the CDR consumer a copy in accordance with the consumer data rules.

56EE Privacy safeguard 2 - anonymity and pseudonymity

(1) An accredited data recipient of CDR data must give each CDR consumer for the CDR data the option of using a pseudonym, or not identifying themselves, when dealing with the accredited data recipient in relation to the CDR data.

Note: The CDR participant from whom the accredited data recipient acquired the CDR data may be subject to a similar obligation under Australian Privacy Principle 2.

(2) That option may be given to a CDR consumer for the CDR data through a designated gateway for the CDR data.

(3) Subsection (1) does not apply in the circumstances specified in the consumer data rules.

Subdivision C - Collecting CDR data

56EF Privacy safeguard 3 - soliciting CDR data from CDR participants

(1) An accredited person must not seek to collect CDR data under the consumer data rules from a CDR participant for the CDR data unless:

(a) a CDR consumer for the CDR data has requested this by giving a valid request under the consumer data rules; and

(b) the person complies with all other requirements in the consumer data rules for the collection of the CDR data from the CDR participant.

Note: This subsection is a civil penalty provision (see section 56EU).

(2) Subsection (1) applies whether the collection is directly from the CDR participant or indirectly from the CDR participant through a designated gateway for the CDR data.

Note: The valid request referred to in paragraph (1)(a) could be given through a designated gateway (see section 56BG).

56EG Privacy safeguard 4 - dealing with unsolicited CDR data from CDR participants

(1) If a person:

(a) while the person is an accredited person, collects CDR data from a CDR participant for the CDR data:

(i) purportedly under the consumer data rules; but

(ii) not as the result of seeking to collect that CDR data under the consumer data rules; and

(b) is not required to retain that CDR data by or under an Australian law or a court/tribunal order;

the person must destroy that CDR data as soon as practicable.

Note: This subsection is a civil penalty provision (see section 56EU).

(2) Subsection (1) applies whether the collection is directly from the CDR participant or indirectly from the CDR participant through a designated gateway for the CDR data.

56EH Privacy safeguard 5 - notifying of the collection of CDR data

If a person collects CDR data in accordance with section 56EF, the person must:

(a) take the steps specified in the consumer data rules to notify CDR consumers for the CDR data of the collection; and

(b) ensure that this notification:

(i) is given to those of the CDR consumers (if there are more than one) that the consumer data rules require to be notified; and

(ii) covers the matters specified in those rules; and

(iii) is given at or before the time specified in those rules.

Note: This section is a civil penalty provision (see section 56EU).

Subdivision D - Dealing with CDR data

56EI Privacy safeguard 6 - use or disclosure of CDR data by accredited data recipients or designated gateways

(1) An accredited data recipient of CDR data must not use or disclose it unless:

(a) in the case of a disclosure - the disclosure is required under the consumer data rules in response to a valid request from a CDR consumer for the CDR data; or

(b) the use or disclosure is otherwise required, or authorised, under the consumer data rules; or

(c) the use or disclosure is required or authorised by or under:

(i) another Australian law; or

(ii) a court/tribunal order;

and the accredited data recipient makes a written note of the use or disclosure.

Note 1: This subsection is a civil penalty provision (see section 56EU).

Note 2: The valid request referred to in paragraph (a) could be given through a designated gateway (see section 56BG).

Note 3: The Australian Privacy Principles will not apply for subparagraph (c)(i) (see paragraph 56EC(4)(a)).

(2) A designated gateway for CDR data must not use or disclose it unless:

(a) in the case of a disclosure - the disclosure is required under the consumer data rules; or

(b) the use or disclosure is authorised under the consumer data rules; or

(c) the use or disclosure is required or authorised by or under:

(i) another Australian law; or

(ii) a court/tribunal order;

and the designated gateway makes a written note of the use or disclosure in accordance with the consumer data rules.

Note 1: This subsection is a civil penalty provision (see section 56EU).

Note 2: Australian Privacy Principle 6 will not apply for subparagraph (c)(i) (see paragraph 56EC(4)(d)).

(3) Neither subsection (1) nor (2) applies to the use or disclosure of CDR data for the purposes of direct marketing.

Note: Section 56EJ deals with the use or disclosure of CDR data for the purposes of direct marketing.

56EJ Privacy safeguard 7 - use or disclosure of CDR data for direct marketing by accredited data recipients or designated gateways

(1) An accredited data recipient of CDR data must not use or disclose it for direct marketing unless:

(a) in the case of a disclosure - the disclosure is required under the consumer data rules in response to a valid request from a CDR consumer for the CDR data; or

(b) the use or disclosure is authorised under the consumer data rules in accordance with a valid consent of a CDR consumer for the CDR data.

Note 1: This subsection is a civil penalty provision (see section 56EU).

Note 2: The valid request referred to in paragraph (a), or the valid consent referred to in paragraph (b), could be given through a designated gateway (see section 56BG).

(2) A designated gateway for CDR data must not use or disclose it for direct marketing unless:

(a) in the case of a disclosure - the disclosure is required under the consumer data rules; or

(b) the use or disclosure is authorised under the consumer data rules.

Note: This subsection is a civil penalty provision (see section 56EU).

56EK Privacy safeguard 8 - overseas disclosure of CDR data by accredited data recipients

(1) If:

(a) an accredited data recipient of CDR data proposes to disclose the CDR data; and

(b) the recipient (the new recipient) of the proposed disclosure:

(i) is not in Australia or an external Territory; and

(ii) is not a CDR consumer for the CDR data;

the accredited data recipient must not make the disclosure unless:

(c) the new recipient is an accredited person; or

(d) the accredited data recipient takes reasonable steps to ensure that any act or omission by (or on behalf of) the new recipient will not, after taking into account subsection (3), contravene:

(i) subsection 56ED(3); or

(ii) another privacy safeguard penalty provision in relation to the CDR data; or

(e) the accredited data recipient reasonably believes:

(i) that the new recipient is subject to a law, or binding scheme, that provides substantially similar protection for the CDR data as the privacy safeguards provide in relation to accredited data recipients; and

(ii) that a CDR consumer for the CDR data will be able to enforce those protections provided by that law or binding scheme; or

(f) the conditions specified in the consumer data rules are met.

Note 1: This subsection is a civil penalty provision (see section 56EU).

Note 2: This subsection applies in addition to the disclosure restrictions in sections 56EI, 56EJ and 56EL.

Note 3: A similar disclosure by a data holder of the CDR data that is required under the consumer data rules will be covered by Australian Privacy Principle 8 if the CDR data is personal information about an individual.

(2) If:

(a) the accredited data recipient of the CDR data makes the disclosure to the new recipient; and

(b) none of paragraphs (1)(c), (e) and (f) apply in relation to the disclosure to the new recipient; and

(c) an act or omission by (or on behalf of) the new recipient, after taking into account subsection (3), contravenes:

(i) subsection 56ED(3); or

(ii) another privacy safeguard penalty provision in relation to the CDR data;

then the act or omission is taken to also be an act or omission by the accredited data recipient.

(3) For the purposes of paragraphs (1)(d) and (2)(c), assume that the privacy safeguards apply to the new recipient as if the new recipient were an accredited data recipient for the CDR data.

56EL Privacy safeguard 9 - adoption or disclosure of government related identifiers by accredited data recipients

(1) If:

(a) a person is an accredited data recipient of CDR data; and

(b) the CDR data includes a government related identifier (within the meaning of the Privacy Act 1988) of a CDR consumer for the CDR data who is an individual;

the person must not adopt the government related identifier as the person's own identifier of the CDR consumer, or otherwise use the government related identifier, unless:

(c) the adoption or use is required or authorised by or under:

(i) an Australian law other than the consumer data rules; or

(ii) a court/tribunal order; or

(d) subclause 9.3 of Australian Privacy Principle 9 applies in relation to the adoption or use.

Note: This subsection is a civil penalty provision (see section 56EU).

(2) If:

(a) a person who is an accredited data recipient of CDR data proposes to disclose the CDR data; and

(b) the CDR data includes a government related identifier (within the meaning of the Privacy Act 1988) of a CDR consumer for the CDR data who is an individual;

the person must not include the government related identifier in the disclosure unless:

(c) this is required or authorised by or under:

(i) an Australian law other than the consumer data rules; or

(ii) a court/tribunal order; or

(d) subclause 9.3 of Australian Privacy Principle 9 applies in relation to the disclosure.

Note 1: This subsection is a civil penalty provision (see section 56EU).

Note 2: This subsection applies in addition to the disclosure restrictions in sections 56EI, 56EJ and 56EK.

(3) For the purposes of paragraph (1)(d) or (2)(d), disregard paragraph 56EC(4)(a) (about the APPs not applying).

56EM Privacy safeguard 10 - notifying of the disclosure of CDR data

(1) If a data holder of CDR data is required or authorised under the consumer data rules to disclose the CDR data to a person, the data holder must:

(a) take the steps specified in the consumer data rules to notify CDR consumers for the CDR data of the disclosure; and

(b) ensure that this notification:

(i) is given to those of the CDR consumers (if there are more than one) that the consumer data rules require to be notified; and

(ii) covers the matters specified in those rules; and

(iii) is given at or before the time specified in those rules.

Note: This subsection is a civil penalty provision (see section 56EU).

(2) If an accredited data recipient of CDR data discloses the CDR data, the accredited data recipient must:

(a) take the steps specified in the consumer data rules to notify CDR consumers for the CDR data of the disclosure; and

(b) ensure that this notification:

(i) is given to those of the CDR consumers (if there are more than one) that the consumer data rules require to be notified; and

(ii) covers the matters specified in those rules; and

(iii) is given at or before the time specified in those rules.

Note: This subsection is a civil penalty provision (see section 56EU).

(3) To avoid doubt, subsection (1) or (2) applies even if the disclosure of the CDR data is to a designated gateway for the CDR data as required or authorised under the consumer data rules.

Note: The designated gateway may be subject to a similar notification requirement under the consumer data rules (see paragraph 56BG(1)(c)).

Subdivision E - Integrity of CDR data

56EN Privacy safeguard 11 - quality of CDR data

Disclosures by data holders

(1) If a data holder of CDR data is required or authorised under the consumer data rules to disclose the CDR data, the data holder must take reasonable steps to ensure that the CDR data is, having regard to the purpose for which it is held, accurate, up to date and complete.

Note: This subsection is a civil penalty provision (see section 56EU).

Disclosures by accredited data recipients

(2) If an accredited data recipient of CDR data is disclosing the CDR data when:

(a) required under the consumer data rules to do so in response to a valid request from a CDR consumer for the CDR data; or

(b) otherwise required, or authorised, under the consumer data rules to do so;

the accredited data recipient must take reasonable steps to ensure that the CDR data is, having regard to the purpose for which it is held, accurate, up to date and complete.

Note 1: This subsection is a civil penalty provision (see section 56EU).

Note 2: The valid request referred to in paragraph (a) could be given through a designated gateway (see section 56BG).

(3) If a CDR participant for CDR data:

(a) makes a disclosure referred to in subsection (1) or (2) for a CDR consumer; and

(b) later becomes aware that some or all of the CDR data was incorrect when it was disclosed because, having regard to the purpose for which it was held, it was inaccurate, out of date or incomplete;

the CDR participant must advise the CDR consumer accordingly in accordance with the consumer data rules.

Note: This subsection is a civil penalty provision (see section 56EU).

Disclosing corrected CDR data

(4) If:

(a) a CDR consumer for CDR data is advised under subsection (3) by a CDR participant for the CDR data that some or all of the CDR data was incorrect when the CDR participant had earlier disclosed it; and

(b) the CDR consumer requests the CDR participant to fix this by disclosing the corrected CDR data;

the CDR participant must comply with the request by disclosing the corrected CDR data to the recipient of that earlier disclosure.

Note: This subsection is a civil penalty provision (see section 56EU).

Purpose for which the CDR data was held

(5) When working out the purpose for which the CDR data is or was held, disregard the purpose of holding the CDR data so that it can be disclosed as required under the consumer data rules.

Note: This subsection is relevant for subsections (1) and (2) and paragraph (3)(b).

56EO Privacy safeguard 12 - security of CDR data, and destruction or de-identification of redundant CDR data

(1) Each person (a CDR entity) who is:

(a) an accredited data recipient of CDR data; or

(b) a designated gateway for CDR data;

must take the steps specified in the consumer data rules to protect the CDR data from:

(c) misuse, interference and loss; and

(d) unauthorised access, modification or disclosure.

Note: This subsection is a civil penalty provision (see section 56EU).

(2) If:

(a) the CDR entity no longer needs any of that CDR data for either of the following purposes (the redundant data):

(i) a purpose permitted under the consumer data rules;

(ii) a purpose for which the person is able to use or disclose it in accordance with this Division; and

(b) the CDR entity is not required to retain the redundant data by or under an Australian law or a court/tribunal order; and

(c) the redundant data does not relate to any current or anticipated:

(i) legal proceedings; or

(ii) dispute resolution proceedings;

to which the CDR entity is a party;

the CDR entity must take the steps specified in the consumer data rules to destroy the redundant data or to ensure that the redundant data is de-identified.

Note 1: This subsection is a civil penalty provision (see section 56EU).

Note 2: Australian Privacy Principle 11 will not apply for paragraph (b) (see paragraph 56EC(4)(a) or (d)).

Subdivision F - Correction of CDR data

56EP Privacy safeguard 13 - correction of CDR data

Obligation on data holders

(1) If:

(a) a CDR consumer for CDR data gives a request to a data holder of the CDR data (including a request given through a designated gateway for the CDR data); and

(b) the request is for the data holder to correct the CDR data; and

(c) the data holder was earlier required or authorised under the consumer data rules to disclose the CDR data;

the data holder must respond to the request to correct the CDR data by taking such steps as are specified in the consumer data rules to deal with each of the matters in subsection (3).

Note: This subsection is a civil penalty provision (see section 56EU).

Obligation on accredited data recipients

(2) If:

(a) a CDR consumer for CDR data gives a request to an accredited data recipient of the CDR data (including a request given through a designated gateway for the CDR data); and

(b) the request is for the accredited data recipient to correct the CDR data;

the accredited data recipient must respond to the request by taking such steps as are specified in the consumer data rules to deal with each of the matters in subsection (3).

Note: This subsection is a civil penalty provision (see section 56EU).

Relevant matters when responding to correction requests

(3) The matters are as follows:

(a) either:

(i) to correct the CDR data; or

(ii) to include a statement with the CDR data, to ensure that, having regard to the purpose for which the CDR data is held, the CDR data is accurate, up to date, complete and not misleading;

(b) to give notice of any correction or statement, or notice of why a correction or statement is unnecessary or inappropriate.

(4) When working out the purpose for which the CDR data is held (see subparagraph (3)(a)(ii)), disregard the purpose of holding the CDR data so that it can be disclosed as required under the consumer data rules.

Subdivision G - Compliance with the privacy safeguards

56EQ Information Commissioner to promote compliance etc.

(1) The Information Commissioner has the following functions:

(a) making guidelines for the avoidance of acts or practices that may breach the privacy safeguards;

(b) promoting an understanding and acceptance of the privacy safeguards;

(c) undertaking educational programs for the purposes of promoting the protection of CDR data.

Note: The Information Commissioner also has functions that relate to this Part more broadly (see section 56GA).

Extra matters about guidelines under paragraph (1)(a)

(2) Before making guidelines under paragraph (1)(a), the Information Commissioner must consult the Minister and the Commission about the proposed guidelines.

(3) The Information Commissioner may publish guidelines made under paragraph (1)(a) in such manner as the Information Commissioner considers appropriate.

(4) If there is an inconsistency between the guidelines made under paragraph (1)(a) and the consumer data rules, those rules prevail over the guidelines to the extent of the inconsistency.

(5) Guidelines made under paragraph (1)(a) are not a legislative instrument.

Extra matters about educational programs under paragraph (1)(c)

(6) The educational programs referred to in paragraph (1)(c) may be undertaken by:

(a) the Information Commissioner; or

(b) a person or authority acting on behalf of the Information Commissioner.

56ER Information Commissioner may conduct an assessment relating to the management and handling of CDR data

(1) The Information Commissioner may assess whether a CDR participant, or designated gateway, for CDR data is maintaining and handling the CDR data in accordance with:

(a) the privacy safeguards; or

(b) the consumer data rules to the extent that those rules relate to:

(i) the privacy safeguards; or

(ii) the privacy or confidentiality of the CDR data.

(2) The Information Commissioner may conduct the assessment in such manner as the Information Commissioner considers fit.

(3) The Information Commissioner may report to the Minister, the Commission or the Data Standards Chair about the assessment.

56ES Notification of CDR data security breaches

Object

(1) The object of this section is for Part IIIC of the Privacy Act 1988 to apply to an accredited data recipient, or designated gateway, that holds a CDR consumer's CDR data in a corresponding way to the way that Part applies to an entity that holds an individual's personal information.

Note: That Part is about notification of eligible data breaches.

Extended application of Part IIIC of the Privacy Act 1988

(2) Part IIIC of the Privacy Act 1988, and any other provision of that Act that relates to that Part, also apply in relation to:

(a) an accredited data recipient of CDR data; or

(b) a designated gateway for CDR data;

as if the substitutions in the following table, and the modifications in subsection (3), were made.

Substitutions to be made

Item 1
For a reference in Part IIIC to: any of the following: (a) personal information; (b) information
Substitute a reference to: CDR data.

Item 2
For a reference in Part IIIC to: any of the following: (a) entity; (b) APP entity; (c) APP entity, credit reporting body, credit provider or file number recipient, as the case may be
Substitute a reference to: each of the following: (a) accredited data recipient; (b) designated gateway.

Item 3
For a reference in Part IIIC to: any of the following: (a) individual to whom information relates; (b) individual
Substitute a reference to: CDR consumer for CDR data.

Note: When CDR data and the other terms in the last column of the table appear in this notional version of Part IIIC, they have the same meanings as in this Act.

(3) For the purposes of subsection (2), assume that:

(a) sections 26WB to 26WD of the Privacy Act 1988 were not enacted; and

(b) subsection 26WE(1) of that Act were replaced with the following:

"Scope

(1) This section applies if:

(a) CDR data of one or more CDR consumers is held by (or on behalf of) either of the following entities (the CDR entity):

(i) an accredited data recipient of the CDR data;

(ii) a designated gateway for the CDR data; and

(b) section 56EO (about privacy safeguard 12) of the Competition and Consumer Act 2010 applies to the CDR entity in relation to the CDR data.".

56ET Investigating breaches of the privacy safeguards etc.

Breaches to which this section applies

(1) This section applies to a breach (a privacy safeguard breach) of any of the following:

(a) one or more of the privacy safeguards;

(b) the consumer data rules to the extent that those rules relate:

(i) to one or more of the privacy safeguards; or

(ii) to the privacy or confidentiality of CDR data;

(c) section 26WH, 26WK or 26WL or subsection 26WR(10) of the Privacy Act 1988, as they apply because of section 56ES of this Act;

in relation to the CDR data of:

(d) a CDR consumer who is an individual; or

(e) a small business (within the meaning of the Privacy Act 1988) carried on by a CDR consumer for the CDR data.

(2) This section also applies to a breach of section 56ED (privacy safeguard 1).

Object

(3) The object of this section is for Part V of the Privacy Act 1988 to apply to an act or practice:

(a) of a CDR participant or designated gateway; and

(b) that may be:

(i) a privacy safeguard breach relating to CDR data covered by subsection (1); or

(ii) a breach of section 56ED (privacy safeguard 1);

in a corresponding way to the way that Part applies to an act or practice of an organisation, person or entity that may be an interference with the privacy of an individual or a breach of Australian Privacy Principle 1.

Note: That Part is about investigations of interferences with privacy etc.

Extended application of Part V of the Privacy Act 1988

(4) Part V of the Privacy Act 1988, and any other provision of that Act that relates to that Part, also apply in relation to:

(a) a CDR participant for CDR data; or

(b) a designated gateway for CDR data;

as if the substitutions in the following table, and the modifications in subsection (5), were made.

Substitutions to be made

Item 1
For a reference in Part V to: interference with the privacy of an individual
Substitute a reference to: a privacy safeguard breach relating to the CDR data of: (a) a CDR consumer who is an individual; or (b) a small business (within the meaning of the Privacy Act 1988) carried on by a CDR consumer for the CDR data.

Item 2
For a reference in Part V to: Australian Privacy Principle 1
Substitute a reference to: section 56ED (privacy safeguard 1) of this Act.

Item 3
For a reference in Part V to: individual
Substitute a reference to: a person who: (a) is a CDR consumer for the CDR data to which the privacy safeguard breach (or possible privacy safeguard breach) relates; and (b) is an individual, or is carrying on a small business (within the meaning of the Privacy Act 1988) to which the CDR data relates.

Item 4
For a reference in Part V to: recognised external dispute resolution scheme
Substitute a reference to: an external dispute resolution scheme for which an instrument is in force under subsection 56DA(1) of this Act.

Item 5
For a reference in Part V to: occupied by an agency, an organisation, a file number recipient, a credit reporting body or a credit provider
Substitute a reference to: occupied by (or on behalf of): (a) a CDR participant for CDR data; or (b) a designated gateway for CDR data.

Note 1: When CDR data and the other terms in the last column of the table appear in this notional version of Part V, they have the same meanings as in this Act.

Note 2: Table item 5 relates to subsection 68(1) of that Act.

(5) For the purposes of subsection (4), assume that:

(a) subsection 5B(4) of the Privacy Act 1988 were not enacted; and

(b) section 36 of that Act also stated that:

(i) in the case of a complaint about an act or practice of a CDR participant - the CDR participant is the respondent; or

(ii) in the case of a complaint about an act or practice of a designated gateway - the designated gateway is the respondent; and

(c) subsections 36(6) to (8), section 37, subsections 40(1B), 43(1A), (8), (8A) and (9) and 48(2), section 50A, sub-subparagraph 52(1)(b)(i)(A) and sections 53A and 53B of that Act were not enacted; and

(d) the paragraphs in each of subsections 55B(1) and (3) of that Act were replaced by:

(i) a paragraph that states that an act or practice of a specified CDR participant for CDR data has breached a privacy safeguard; and

(ii) a paragraph that states that an act or practice of a specified designated gateway for CDR data has breached a privacy safeguard; and

(e) Division 4 of Part V, and subsection 63(2A), of that Act were not enacted.

56EU Civil penalty provisions

The provisions of this Division that are civil penalty provisions

(1) For the purposes of subparagraph 79(2)(a)(ii) of the Regulatory Powers Act, each of the following provisions of this Division (the privacy safeguard penalty provisions) is a civil penalty provision:

(a) subsection 56ED(3);

(b) subsection 56EF(1);

(c) subsection 56EG(1);

(d) section 56EH;

(e) subsection 56EI(1) or (2);

(f) subsection 56EJ(1) or (2);

(g) subsection 56EK(1);

(h) subsection 56EL(1) or (2);

(i) subsection 56EM(1) or (2);

(j) subsection 56EN(1), (2), (3) or (4);

(k) subsection 56EO(1) or (2);

(l) subsection 56EP(1) or (2).

Enforceable civil penalty provisions

(2) Each privacy safeguard penalty provision is enforceable under Part 4 of the Regulatory Powers Act.

Note: Part 4 of the Regulatory Powers Act allows a civil penalty provision to be enforced by obtaining an order for a person to pay a pecuniary penalty for the contravention of the provision.

Authorised applicant

(3) For the purposes of Part 4 of the Regulatory Powers Act, the Information Commissioner is an authorised applicant in relation to each privacy safeguard penalty provision.

Relevant court

(4) For the purposes of Part 4 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to each privacy safeguard penalty provision:

(a) the Federal Court;

(b) the Federal Circuit Court;

(c) a court of a State or Territory that has jurisdiction in relation to the matter.

Act or omission also contravening a civil penalty provision of the consumer data rules

(5) If an act or omission constitutes:

(a) a contravention of one or more of the privacy safeguard penalty provisions; and

(b) a contravention of one or more civil penalty provisions of the consumer data rules;

proceedings may be instituted against a person in relation to the contravention of any one or more of those provisions.

Note 1: The proceedings for a contravention referred to in paragraph (a) would be instituted under Part 4 of the Regulatory Powers Act.

Note 2: The proceedings for a contravention referred to in paragraph (b) would be instituted under Part VI of this Act.

(6) However, the person is not liable to more than one pecuniary penalty under:

(a) Part 4 of the Regulatory Powers Act for a contravention referred to in paragraph (5)(a) of this section; and

(b) Part VI of this Act for a contravention referred to in paragraph (5)(b) of this section;

in relation to the same act or omission.

Note: This means the person cannot be liable for a pecuniary penalty for a contravention of the privacy safeguards, and for a pecuniary penalty for a contravention of the consumer data rules, in relation to the same act or omission.

56EV Civil penalty provisions - maximum amount of penalty

(1) Despite subsection 82(5) of the Regulatory Powers Act, the pecuniary penalty payable:

(a) by a person; and

(b) under a civil penalty order under Part 4 of that Act (as that Part applies because of section 56EU of this Act);

must not be more than the maximum penalty amount worked out under this section for a contravention by the person.

Maximum amount of civil penalty for a body corporate

(2) For the purposes of subsection (1), the maximum penalty amount for a contravention by a body corporate of a privacy safeguard penalty provision is the greater of the following:

(a) $10,000,000;

(b) if the relevant court (see subsection 56EU(4)) can determine the value of the benefit that the body corporate, and any body corporate related to the body corporate, have obtained directly or indirectly and that is reasonably attributable to the contravention - 3 times the value of that benefit;

(c) if that court cannot determine the value of that benefit - 10% of the annual turnover of the body corporate during the 12-month period ending at the end of the month in which the contravention happened or began.

(3) For the purposes of paragraph (2)(c), annual turnover has the same meaning as in Division 1 of Part IV.

Maximum amount of civil penalty for other persons

(4) For the purposes of subsection (1), the maximum penalty amount for a contravention by a person other than a body corporate of a privacy safeguard penalty provision is $500,000.

56EW Enforceable undertakings

Enforceable provisions

(1) Each provision of the privacy safeguards is enforceable under Part 6 of the Regulatory Powers Act.

Note: Part 6 of the Regulatory Powers Act creates a framework for accepting and enforcing undertakings relating to compliance with provisions.

Authorised person

(2) For the purposes of Part 6 of the Regulatory Powers Act, the Information Commissioner is an authorised person in relation to each provision referred to in subsection (1).

Relevant court

(3) For the purposes of Part 6 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to each provision referred to in subsection (1):

(a) the Federal Court;

(b) the Federal Circuit Court;

(c) a court of a State or Territory that has jurisdiction in relation to the matter.

56EX Injunctions

Enforceable provisions

(1) Each provision of the privacy safeguards is enforceable under Part 7 of the Regulatory Powers Act.

Note: Part 7 of the Regulatory Powers Act creates a framework for using injunctions to enforce provisions.

Authorised person

(2) For the purposes of Part 7 of the Regulatory Powers Act, the Information Commissioner is an authorised person in relation to each provision referred to in subsection (1).

Relevant court

(3) For the purposes of Part 7 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to each provision referred to in subsection (1):

(a) the Federal Court;

(b) the Federal Circuit Court;

(c) a court of a State or Territory that has jurisdiction in relation to the matter.

56EY Actions for damages

Right to bring an action for damages

(1) A person who suffers loss or damage (within the meaning of subsection 25(1) of the Privacy Act 1988) by an act or omission:

(a) of another person; and

(b) that was in contravention of:

(i) a provision of the privacy safeguards; or

(ii) the consumer data rules to the extent that those rules relate to the privacy safeguards or to the privacy or confidentiality of CDR data;

may recover the amount of the loss or damage by action against that other person or against any person involved in the contravention.

Note: Subsections 84(2) and (4) (about attributing conduct engaged in on behalf of a person) apply for the purposes of this section.

(2) An action under subsection (1) may be commenced at any time within 6 years after the day on which the contravention happened or began.

Findings in related proceedings to be prima facie evidence

(3) If a finding of any fact is made by a court in relation to a person, or an admission of any fact is made by a person, in proceedings:

(a) under the Regulatory Powers Act (as that Act applies because of this Subdivision) in which the person is found to have contravened a provision of the privacy safeguards; or

(b) under Part VI of this Act in which the person is found to:

(i) have contravened; or

(ii) have been involved in a contravention;

of the consumer data rules to the extent that those rules relate to the privacy safeguards or to the privacy or confidentiality of CDR data;

the finding or admission is prima facie evidence of that fact in any proceeding under subsection (1) against the person.

(4) The finding or admission may be proved by production of:

(a) in any case - a document under the seal of the court from which the finding or admission appears; or

(b) in the case of an admission - a document from which the admission appears that is filed in the court.

Jurisdiction etc.

(5) The following are conferred with jurisdiction to hear and determine actions under subsection (1):

(a) the Federal Circuit Court;

(b) subject to the Constitution, the several courts of the Territories.

This subsection does not enable an inferior court of a Territory to grant a remedy of a kind that the court is unable to grant under the law of that Territory.

Note: State courts and the Federal Court also have jurisdiction for these actions (see subsection 39(2) and paragraph 39B(1A)(c) of the Judiciary Act 1903).

(6) Section 86AA (about limits on jurisdiction) applies to proceedings under subsection (1) of this section in a corresponding way to the way that section applies to proceedings under section 82.

(7) Section 86A (about transfer of matters) applies in relation to a proceeding under subsection (1) of this section as if paragraph 86A(1)(b) also referred to a matter for determination arising under:

(a) a provision of the privacy safeguards; or

(b) the consumer data rules to the extent that those rules relate to the privacy safeguards or to the privacy or confidentiality of CDR data.

Involved in a contravention

(8) Subsection 75B(1) applies to a reference that:

(a) is in this section; and

(b) is to a person involved in a contravention covered by paragraph (1)(b) of this section;

in a corresponding way to the way that subsection 75B(1) applies to a reference in Part VI to a person involved in a contravention of section 56CD.

56EZ Delegation to the Commission etc.

(1) This section applies in relation to the following functions or powers (the safeguard enforcement functions or powers):

(a) the Information Commissioner's functions or powers under section 56ER;

(b) the Information Commissioner's functions or powers under Part IIIC or V of the Privacy Act 1988, as those Parts apply because of sections 56ES and 56ET of this Act;

(c) the Information Commissioner's functions or powers under Part 4, 6 or 7 of the Regulatory Powers Act, that are conferred because of this Subdivision.

(2) The Information Commissioner may delegate, in writing, any of the safeguard enforcement functions or powers to:

(a) the Commission; or

(b) a member of the Commission; or

(c) a member of the staff of the Commission referred to in section 27 of this Act.

(3) However, the Information Commissioner must not delegate a safeguard enforcement function or power under subsection (2) unless:

(a) the Commission has agreed to the delegation in writing; and

(b) in the case of a delegation to a staff member referred to in paragraph (2)(c) - the Commission is satisfied that the staff member:

(i) is an SES employee or acting SES employee; or

(ii) is holding or performing the duties of a sufficiently senior office or position for the function or power.

Division 6 - Data standards etc.

Subdivision A - Data standards

56FA Making data standards

(1) The Data Standards Chair may, by writing, make one or more data standards about each of the following matters:

(a) the format and description of CDR data;

(b) the disclosure of CDR data;

(c) the collection, use, accuracy, storage, security and deletion of CDR data;

(d) de-identifying CDR data, including so that it no longer relates to:

(i) an identifiable person; or

(ii) a person who is reasonably identifiable;

(e) other matters prescribed by the regulations.

Note: For variation and repeal, see subsection 33(3) of the Acts Interpretation Act 1901.

Complying with consumer data rules when making standards etc.

(2) The Data Standards Chair must comply with the consumer data rules when:

(a) making a data standard; or

(b) varying or revoking a data standard;

including complying with any related requirements specified in those rules about approval, consultation and the formation of committees, advisory panels and consultative groups.

Note: The rules could, for example, require a proposed data standard to be approved by the Commission before it is made.

(3) Without limiting subsection (2), the Data Standards Chair must:

(a) make, under subsection (1), a data standard about a particular matter mentioned in subsection (1) if the consumer data rules so require; and

(b) specify in that data standard that it is binding if the consumer data rules so require.

A data standard is a binding data standard if it is made under subsection (1) in accordance with paragraph (b) of this subsection.

Data standards are not legislative instruments

(4) A data standard made under subsection (1) is not a legislative instrument.

56FB What data standards can set out etc.

(1) Without limiting subsection 56FA(1), a single data standard may set out:

(a) different provisions for different designated sectors; or

(b) different provisions for different classes of CDR data; or

(c) different provisions for different classes of persons specified, as described in paragraph 56AC(2)(b), in an instrument designating a sector under subsection 56AC(2); or

(d) different provisions for different classes of accredited persons.

(2) Without limiting subsection 56FA(1), a separate data standard could deal with:

(a) each of the different designated sectors referred to in paragraph (1)(a) of this section; or

(b) each of the different classes referred to in paragraph (1)(b), (c) or (d) of this section.

56FC Data standards must be published

The Data Standards Chair must publish on the internet a copy of each data standard made under subsection 56FA(1).

Note: Once published, the data standards will be available for free.

56FD Legal effect of data standards

(1) A contract is taken to be in force between:

(a) a data holder of CDR data to which a binding data standard applies; and

(b) each accredited person;

under which each of those persons:

(c) agrees to observe the standard to the extent that the standard applies to the person; and

(d) agrees to engage in conduct that the person is required by the standard to engage in.

Note: This means the data holder will be taken to have a separate contract with each accredited person.

(2) If there is a designated gateway for CDR data to which a binding data standard applies, a contract is taken to be in force between:

(a) a data holder of the CDR data; and

(b) the designated gateway for the CDR data; and

(c) each accredited person;

under which each of those persons:

(d) agrees to observe the standard to the extent that the standard applies to the person; and

(e) agrees to engage in conduct that the person is required by the standard to engage in.

Note: This means the data holder will be taken to have a separate 3-party contract with the designated gateway and each accredited person.

(3) However, if there is an inconsistency between a data standard, and the consumer data rules, those rules prevail over the standard to the extent of the inconsistency.

56FE Enforcement of binding data standards

(1) If a person who is under an obligation to comply with a binding data standard fails to meet that obligation, an application to the Court may be made by:

(a) the Commission; or

(b) a person aggrieved by the failure.

(2) After giving an opportunity to be heard to the applicant and the person against whom the order is sought, the Court may make an order giving directions to:

(a) the person against whom the order is sought; or

(b) if that person is a body corporate - the directors of the body corporate;

about compliance with, or enforcement of, the binding data standard.

(3) Without limiting subsection (1), an obligation to comply with a binding data standard includes an obligation arising under a contract referred to in section 56FD.

Subdivision B - Data Standards Chair

56FF Data Standards Chair

There is to be a Data Standards Chair.

56FG Appointment of the Data Standards Chair

(1) The Data Standards Chair is to be appointed, on a full-time basis or a part-time basis, by the Minister by written instrument.

(2) The Data Standards Chair holds office for the period specified in the instrument of appointment. The period must not exceed 3 years.

Note 1: The Minister will be the Data Standards Chair in the absence of an appointment under this section (see the definition of Data Standards Chair in subsection 4(1)).

Note 2: The Data Standards Chair may be reappointed (see section 33AA of the Acts Interpretation Act 1901).

56FH Functions and powers of the Data Standards Chair

(1) The functions of the Data Standards Chair are:

(a) to make standards under Subdivision A; and

(b) to review those standards regularly; and

(c) such other functions as are prescribed by the regulations.

(2) The Data Standards Chair has the following powers:

(a) the power to establish committees, advisory panels and consultative groups;

(b) the power to do all other things necessary or convenient to be done for or in connection with the performance of the Chair's functions.

56FI Directions by Minister

(1) The Minister may, by legislative instrument, give written directions to the Data Standards Chair about the performance of the Chair's functions and the exercise of the Chair's powers.

Note: Section 42 (disallowance) and Part 4 of Chapter 3 (sunsetting) of the Legislation Act 2003 do not apply to the directions (see regulations made for the purposes of paragraphs 44(2)(b) and 54(2)(b) of that Act).

(2) A direction under subsection (1) must be of a general nature only.

(3) The Data Standards Chair must comply with a direction under subsection (1).

Subdivision C - Data Standards Body

56FJ Appointment of the Data Standards Body

(1) The Minister may, by written instrument, appoint as the Data Standards Body:

(a) the Department; or

(b) another Commonwealth entity (within the meaning of the Public Governance, Performance and Accountability Act 2013).

Note: For variation, see subsection 33(3) of the Acts Interpretation Act 1901.

(2) The Minister may, at any time by written instrument, terminate an appointment made under subsection (1).

56FK Function and powers of the Data Standards Body

(1) The function of the Data Standards Body is to assist the Data Standards Chair.

(2) The Data Standards Body has the power to do all other things necessary or convenient to be done for or in connection with the performance of the Data Standards Body's function.

(3) The Data Standards Body must comply with the consumer data rules when assisting the Data Standards Chair, including complying with any requirements specified in those rules about:

(a) the Body's composition; or

(b) the Body's governance or processes.

(4) To avoid doubt, for a body that is the Data Standards Body, the body's functions and powers in its capacity other than as the Data Standards Body are taken to include the function and powers of the Data Standards Body while it is the Data Standards Body.

Subdivision D - Administrative provisions

56FL Acting appointments

The Minister may, by written instrument, appoint a person to act as the Data Standards Chair:

(a) during a vacancy in the office of Data Standards Chair (whether or not an appointment has previously been made to the office); or

(b) during any period, or during all periods, when the Data Standards Chair:

(i) is absent from duty or from Australia; or

(ii) is, for any reason, unable to perform the duties of the office.

Note: For rules that apply to acting appointments, see sections 33AB and 33A of the Acts Interpretation Act 1901.

56FM Terms and conditions

(1) The Data Standards Chair holds office on the terms and conditions (if any) in relation to matters not covered by this Division that are determined by the Minister.

(2) Subsection (1) does not apply while the Data Standards Chair is the Minister.

56FN Remuneration

(1) The Data Standards Chair is to be paid the remuneration that is determined by the Remuneration Tribunal. If no determination of that remuneration by the Tribunal is in operation, the Data Standards Chair is to be paid the remuneration that is prescribed by the regulations.

(2) The Data Standards Chair is to be paid the allowances that are prescribed by the regulations.

(3) This section has effect subject to the Remuneration Tribunal Act 1973.

(4) Subsections (1) and (2) do not apply while the Data Standards Chair is the Minister.

56FO Leave

(1) If the Data Standards Chair is appointed on a full-time basis, the Data Standards Chair has the recreation leave entitlements that are determined by the Remuneration Tribunal.

(2) If the Data Standards Chair is appointed on a full-time basis, the Minister may grant the Data Standards Chair leave of absence, other than recreation leave, on the terms and conditions as to remuneration or otherwise that the Minister determines.

(3) If the Data Standards Chair is appointed on a part-time basis, the Secretary of the Department may grant leave of absence to the Data Standards Chair on the terms and conditions that the Secretary determines.

56FP Application of the finance law etc.

(1) For the purposes of the finance law (within the meaning of the Public Governance, Performance and Accountability Act 2013), the Data Standards Chair is taken to be an official of the Department.

Note: A consequence of this subsection is that the Secretary of the Department will be the accountable authority (within the meaning of that Act) applicable to the Data Standards Chair.

(2) The Secretary of the Department, when preparing the Department's annual report under section 46 of the Public Governance, Performance and Accountability Act 2013 for a period, must include information in that report about:

(a) the performance of the Data Standards Chair's functions; and

(b) the exercise of the Data Standards Chair's powers;

during the period.

(3) If at any time the Data Standards Chair is the Minister then:

(a) subsections (1) and (2) do not apply; and

(b) the Department's annual report under section 46 of that Act for the period that includes that time must include information about the performance of the Data Standards Chair's functions, and the exercise of the Data Standards Chair's powers, at that time.

56FQ Resignation

(1) The Data Standards Chair may resign the Data Standards Chair's appointment by giving the Minister a written resignation.

(2) The resignation takes effect on the day it is received by the Minister or, if a later day is specified in the resignation, on that later day.

56FR Termination of appointment

(1) The Minister may terminate the appointment of the Data Standards Chair:

(a) for misbehaviour; or

(b) if the Data Standards Chair is unable to perform the duties of the Data Standards Chair's office because of physical or mental incapacity.

(2) The Minister may terminate the appointment of the Data Standards Chair if:

(a) the Data Standards Chair:

(i) becomes bankrupt; or

(ii) applies to take the benefit of any law for the relief of bankrupt or insolvent debtors; or

(iii) compounds with the Data Standards Chair's creditors; or

(iv) makes an assignment of the Data Standards Chair's remuneration for the benefit of the Data Standards Chair's creditors; or

(b) if the Data Standards Chair is appointed on a full-time basis - the Data Standards Chair is absent, except on leave of absence, for 14 consecutive days or for 28 days in any 12-month period; or

(c) the Data Standards Chair fails, without reasonable excuse, to comply with section 29 of the Public Governance, Performance and Accountability Act 2013 (which deals with the duty to disclose interests) or rules made for the purposes of that section.

56FS Delegation

(1) The Data Standards Chair may delegate, in writing, any or all of the Chair's functions or powers to:

(a) an SES employee, or an acting SES employee, in the Data Standards Body, in the Department or in the Commission; or

(b) an APS employee who is holding or performing the duties of a specified office or position that:

(i) is in the Data Standards Body, in the Department or in the Commission; and

(ii) is an office or position that the Chair is satisfied is sufficiently senior for the APS employee to perform the function or exercise the power; or

(c) if there are no APS employees (including SES employees) in the Data Standards Body - a person:

(i) who holds an office or position in the Data Standards Body that the Chair considers is sufficiently senior for the person to perform the function; and

(ii) who the Chair considers has appropriate qualifications or expertise to perform the function.

(2) Subsection (1) does not apply to the function referred to in paragraph 56FH(1)(a) (about making standards).

Note: This subsection does not prevent a person who is acting as the Data Standards Chair from making a standard.

(3) In performing a delegated function or exercising a delegated power, the delegate under subsection (1) must comply with any directions of the Data Standards Chair.

Division 7 - Other matters

56GA CDR functions of the Information Commissioner

(1) The Information Commissioner has the following functions:

(a) the functions conferred on the Information Commissioner by another provision of this Part, or by an instrument made under this Part;

(b) to consult with or advise the Minister, Commission or Data Standards Chair about any matter relevant to the operation of this Part (or the operation of instruments made under this Part).

Note: The Commission may also delegate to the Information Commissioner any of the Commission's functions relating to this Part (see subsection 26(3)).

(2) The functions referred to in subsection (1) may be performed by the Information Commissioner on request or on the Information Commissioner's own initiative.

56GB Referring to instruments as in force from time to time

(1) This section applies to the following instruments:

(a) designations under section 56AC (about designated sectors);

(b) regulations made for the purposes of a provision of this Part;

(c) the consumer data rules;

(d) data standards.

(2) An instrument to which this section applies may make provision in relation to a matter by applying, adopting or incorporating (with or without modification) any matter contained in any other instrument or writing:

(a) as in force or existing at a particular time; or

(b) as in force or existing from time to time.

(3) Subsection (2) has effect despite subsection 14(2) of the Legislation Act 2003.

56GC Complying with requirements to provide CDR data: protection from liability

(1) If:

(a) a CDR participant, or designated gateway, for CDR data (the CDR entity):

(i) provides the CDR data to another person; or

(ii) otherwise allows another person access to the CDR data; and

(b) the CDR entity does so, in good faith, in compliance with:

(i) this Part; and

(ii) regulations made for the purposes of this Part; and

(iii) the consumer data rules;

the CDR entity is not liable to an action or other proceeding, whether civil or criminal, for or in relation to the matter in paragraph (a).

Note: A defendant bears an evidential burden in relation to the matter in subsection (1) for a criminal action or criminal proceeding (see subsection 13.3(3) of the Criminal Code).

(2) A person who wishes to rely on subsection (1) in relation to a civil action or civil proceeding bears an evidential burden in relation to that matter.

(3) In this section:

evidential burden, in relation to a matter, means the burden of adducing or pointing to evidence that suggests a reasonable possibility that the matter exists or does not exist.

56GD Exemptions by the Commission

(1) The provisions covered by this section are:

(a) the following provisions:

(i) the provisions of this Part;

(ii) the provisions of regulations made for the purposes of the provisions of this Part;

(iii) the provisions of the consumer data rules; and

(b) definitions in this Act, or in the regulations or consumer data rules, as they apply to references in provisions referred to in paragraph (a).

(2) The Commission may, by written notice given to a person, exempt the person, in relation to particular CDR data or one or more classes of CDR data, from all or specified provisions covered by this section.

(3) An exemption under subsection (2):

(a) may or may not be limited to a specified period; and

(b) may apply unconditionally or subject to specified conditions.

(4) The Commission must publish on its website the details of each exemption under subsection (2).

(5) Applications may be made to the Administrative Appeals Tribunal for review of a decision of the Commission exempting, or refusing to exempt, a person under subsection (2).

56GE Exemptions and modifications by regulations

(1) The provisions covered by this section are:

(a) the following provisions:

(i) the provisions of this Part;

(ii) the provisions of regulations made for the purposes of the provisions of this Part;

(iii) the provisions of the consumer data rules; and

(b) definitions in this Act, or in the regulations or consumer data rules, as they apply to references in provisions referred to in paragraph (a).

(2) The regulations may:

(a) exempt a particular person, in relation to particular CDR data or one or more classes of CDR data, from all or specified provisions covered by this section; or

(b) exempt a class of persons, in relation to particular CDR data or one or more classes of CDR data, from all or specified provisions covered by this section; or

(c) declare that provisions covered by this section apply in relation to:

(i) a particular person in relation to particular CDR data or one or more classes of CDR data; or

(ii) a class of persons in relation to particular CDR data or one or more classes of CDR data;

as if specified provisions were omitted, modified or varied as specified in the declaration.

(3) An exemption under paragraph (2)(a) or (b), or a declaration under paragraph (2)(c):

(a) may or may not be limited to a specified period; and

(b) may apply unconditionally or subject to specified conditions.

56GF Constitutional basis

Main constitutional basis

(1) The CDR provisions have the effect they would have if their operation were expressly confined to CDR entities that are corporations.

Note: For the meaning of corporation, see subsection 4(1).

Other constitutional bases

(2) Independently of subsection (1), the CDR provisions also have effect as provided by subsections (3), (4), (5) and (6).

(3) The CDR provisions also have the effect they would have if their operation were expressly confined to CDR entities acting in the course of, or in relation to, the carrying on of:

(a) a postal, telegraphic, telephonic or other like service (within the meaning of paragraph 51(v) of the Constitution); or

(b) the business of banking, other than State banking (within the meaning of paragraph 51(xiii) of the Constitution) not extending beyond the limits of the State concerned; or

(c) the business of insurance, other than State insurance (within the meaning of paragraph 51(xiv) of the Constitution) not extending beyond the limits of the State concerned.

(4) The CDR provisions also have the effect they would have if their operation were expressly confined to CDR entities:

(a) making a supply or communication; or

(b) conducting an activity or otherwise doing something;

using a postal, telegraphic, telephonic or other like service (within the meaning of paragraph 51(v) of the Constitution).

(5) The CDR provisions also have the effect they would have if their operation were expressly confined to CDR entities acting in the course of, or in relation to, any of the following:

(a) trade or commerce between Australia and places outside Australia;

(b) trade or commerce among the States;

(c) trade or commerce within a Territory, between a State and Territory or between 2 Territories.

(6) The CDR provisions also have the effect they would have if their operation were expressly confined to:

(a) protecting CDR entities against interference, or attacks, of the kind described in paragraph 1 of Article 17 of the ICCPR; or

(b) protecting against interference, or attacks, of the kind described in paragraph 1 of Article 17 of the ICCPR by CDR entities.

Related matters

(7) Section 6 (about the application of this Act to persons who are not corporations) does not apply in relation to the CDR provisions.

(8) In this section:

CDR entity means any of the following:

(a) a data holder of CDR data;

(b) an accredited person;

(c) a designated gateway for CDR data.

ICCPR means the International Covenant on Civil and Political Rights, done at New York on 16 December 1966, as amended and in force for Australia from time to time.

Note: The text of the International Covenant is set out in Australian Treaty Series 1980 No. 23 ([1980] ATS 23). In 2019, the text of a Covenant in the Australian Treaty Series was accessible through the Australian Treaties Library on the AustLII website (www.austlii.edu.au).

56GG Compensation for acquisition of property

(1) This section applies if the operation of the CDR provisions would result in an acquisition of property (within the meaning of paragraph 51(xxxi) of the Constitution) from a person otherwise than on just terms (within the meaning of that paragraph).

(2) The person who acquires the property is liable to pay a reasonable amount of compensation to the first-mentioned person.

(3) If the 2 persons do not agree on the amount of the compensation, the person to whom compensation is payable may institute proceedings in:

(a) the Federal Court; or

(b) the Supreme Court of a State or Territory;

for the recovery from the other person of such reasonable amount of compensation as the Court determines.

56GH Review of the operation of this Part

(1) The Minister must cause an independent review to be conducted of the operation of this Part.

(2) The persons who conduct the review must complete it, and give the Minister a written report of the review, before 1 July 2022.

(3) The Minister must cause copies of the report to be tabled in each House of the Parliament within 15 sitting days of that House after the report is given to the Minister.