House of Representatives

Treasury Laws Amendment (2020 Measures No. 6) Bill 2020

Explanatory Memorandum

(Circulated by authority of the Minister for Housing and Assistant Treasurer, the Hon Michael Sukkar MP)

Chapter 2 - Amendments of the consumer data right

Outline of chapter

2.1 Schedule 2 to the Bill amends the CC Act by reallocating the responsibility for conducting sectoral assessments and making consumer data right rules. Other miscellaneous amendments are also made to the CC Act to assist the clarity and efficiency of the CDR regime.

2.2 All references in this Chapter to legislation are to the CC Act unless otherwise stated.

Context of amendments

2.3 The CDR regime in Part IVD enables individuals and businesses to efficiently and conveniently access information held by businesses about them as consumers and to authorise secure access to this data by specified third parties. Businesses are also required to provide public access to information on specified products they offer.

2.4 Under Part IVD, the Minister may make a legislative instrument that designates a sector of the Australian economy to be subject to the CDR regime. Banking and energy are the first two sectors to be designated.

2.5 Before making a sectoral designation, the Minister must complete a number of tasks, including consulting the ACCC. As part of this consultation, the ACCC must conduct an analysis of specified matters, consult the public and publish a report.

2.6 Part IVD also provides for the ACCC to make CDR rules which set out the means by which the CDR regime is applied across designated CDR sectors.

Summary of new law

2.7 Schedule 2 to the Bill amends the CC Act by reallocating the responsibility for conducting the sectoral assessments that inform the Minister's decision whether to designate a sector of the economy as being subject to the CDR, and making of consumer data rules that govern how the CDR operates in designated sectors. Other miscellaneous amendments are also made to the CC Act to assist the clarity and efficiency of the CDR regime.

Comparison of key features of new law and current law

Sectoral assessment

New law: Before designating a sector, the Minister must be satisfied that the Secretary of the Department has complied with the requirements to arrange a sectoral assessment.
Current law: Before designating a sector, the Minister must consult with the ACCC.

New law: For the Minister to be satisfied that the Secretary of the Department has arranged a sectoral assessment, the Secretary must arrange for: analysis of the factors that the Minister must consider; consultation about those factors; and the preparation of a report for the Minister about that analysis and consultation. The Secretary must also publish the report on the Department's website.
Current law: When the Minister consults the ACCC, the ACCC must consider the factors that the Minister must consider, and consult the public about those factors. Once the consultation has concluded, the ACCC must report to the Minister about its analysis and consultation and publish that report on the ACCC's website.

CDR rule making

New law: The Minister may make rules for designated sectors.
Current law: The ACCC may make rules for designated sectors.

New law: Before making the consumer data rules, the Minister is required to consider the same matters that the Minister must consider before designating a sector (but not the factors the Minister considers when determining that data is chargeable), and be satisfied that the Secretary of the Department has arranged for consultation about those factors.
Current law: Before making the consumer data rules, the ACCC is required to consider the same matters that the Minister must consider before designating a sector (but not the factors the Minister considers when determining that data is chargeable).

New law: For the Minister to be satisfied that the Secretary of the Department has arranged for consultation on the consumer data rules, the Secretary must arrange for consultation with: the public for at least 28 days; the ACCC; the Information Commissioner; the primary regulator of the particular designated sector and any other person prescribed by the regulations. The Secretary must also arrange for the preparation of a report for the Minister about that analysis and consultation.
Current law: The ACCC must consult with the public for at least 28 days on the consumer data rules, and must also consult the Information Commissioner, the primary regulator of the particular designated sector and any other person prescribed by the regulations.

New law: The Minister is unable to make the consumer data rules for at least 60 days from when the rules were released for public consultation.
Current law: The ACCC is unable to make the consumer data rules for at least 60 days from when the rules were released for public consultation.

New law: N/A
Current law: The ACCC must, except in emergency circumstances, obtain the Minister's consent prior to making rules.

New law: The Minister may make consumer data rules in emergency situations after consulting with the Information Commissioner, but need not conduct consultation beyond this.
Current law: The ACCC may make consumer data rules without the Minister's consent in emergency situations after it has consulted with the Information Commissioner, but need not conduct consultation beyond this.

Key miscellaneous amendments

New law: The scope of information that may be subject to the CDR regime includes information of continuing use and relevance held by data holders on the 'earliest holding date'.
Current law: The scope of information that may be subject to the CDR regime is limited to information that 'began' to be held by data holders on or after the 'earliest holding date'.

New law: Clarifies that if the consumer data rules require data to be disclosed, a data holder cannot charge a fee for the data unless it is chargeable data.

New law: Clarifies that CDR entities are able to engage unaccredited agents to act on their behalf for data handling activities, subject to appropriate controls imposed by the consumer data rules.

New law: The scope of Privacy Safeguard 1 (about requirements for a CDR entity's data management policies) and Privacy Safeguard 2 (about anonymity and pseudonymity of CDR consumers' identity) are extended to apply to accredited persons who may become an accredited data recipient.
Current law: Privacy Safeguard 1 (about requirements for a CDR entity's data management policies) and Privacy Safeguard 2 (about anonymity and pseudonymity of CDR consumers' identity) apply to accredited data recipients.

New law: Privacy Safeguard 5 (about notification of collection of CDR data) is amended to clarify that it applies to accredited data recipients.
Current law: Privacy Safeguard 5 (about notification of collection of CDR data) applies to accredited persons.

Reallocation of functions

Sectoral assessment

2.8 The Minister has a number of tasks before designating a sector. Schedule 2 to the Bill replaces the requirement for the Minister to consult with the ACCC, with a requirement that the Minister must be satisfied that the Secretary of the Department has arranged for a sectoral assessment. [Schedule 2, item 30, section 56AD]

2.9 For the Minister to be satisfied that the Secretary of the Department has arranged for a sectoral assessment, the Secretary must arrange for analysis of the factors that the Minister must consider prior to making a designation, and consult with the public about those factors. In practice, this analysis and consultation may be undertaken by a range of Commonwealth entities. For example, this analysis and consultation could be conducted by the Department, or the ACCC. This requirement could be satisfied by a review conducted by a Commonwealth agency that includes the considerations necessary for a CDR sectoral assessment, for example, a Productivity Commission review with sufficient terms of reference. [Schedule 2, item 31, sections 56AE and 56AEA]

2.10 The public consultation must take place for at least 28 days and include making information on the proposed designation available on the Department's website.

2.11 The consultation arranged by the Secretary of the Department must include consultation with the ACCC, Information Commissioner, the primary regulator of the sector the instrument would designate (if there is one) and any persons prescribed by the regulations. When the ACCC is consulted it must analyse the factors the Minister must consider prior to making a designation.

2.12 Once the consultation has concluded, the Secretary of the Department must report to the Minister about the analysis and consultation, and publish the report on the Department's website.

2.13 After the report on the analysis and consultation has been published on the Department's website, the Minister must wait at least 60 days before making a designation instrument. [Schedule 2, item 30, section 56AD]

2.14 Due to the operation of the Acts Interpretation Act 1901, the same process must be followed when an existing instrument is varied or revoked.

2.15 The current procedure for the ACCC to formally recommend the Minister designate a sector has been removed (but as a matter of ordinary practice, the ACCC will continue to be able to discuss a designation if it believes the need arises). References to the repealed provision have also been removed. The Secretary of the Department may now arrange for a sectoral assessment to be conducted other than at the direction of the Minister, and the Minister may choose whether to act on the information provided. [Schedule 2, items 31, 32 and 33, sections 56AE, 56AG and 56AH]

2.16 The amendments make the provisions sufficiently flexible to allow the conducting of sectoral assessments to remain with the ACCC, but provide greater flexibility as to who may do so. Responsibility for ensuring a sufficient sectoral assessment occurs before any sectoral designation now lies with the Secretary of the Department.

CDR rule making

2.17 Schedule 2 to the Bill reallocates the responsibility for making consumer data rules from the ACCC to the Minister. [Schedule 2, items 34 and 35, section 56BA]

2.18 Before making the consumer data rules, the Minister is required to consider the same matters that the Minister must consider before designating a sector (but not the matters the Minister considers when determining that data is chargeable), and be satisfied that the Secretary of the Department has arranged for consultation and reporting under section 56BQ. [Schedule 2, item 36, section 56BP]

2.19 For the Minister to be satisfied that the Secretary of the Department has arranged for consultation and reporting on the consumer data rules and analysis of the relevant matters, the Secretary must arrange for public consultation to take place for at least 28 days and make information on the proposed consumer data rules available on the Department's website. [Schedule 2, item 36, section 56BQ]

2.20 The consultation arranged by the Secretary of the Department must also include consultation with the ACCC, Information Commissioner, the primary regulator of the particular designated sector (if there is one) and any persons prescribed by the regulations. When the ACCC and Information Commissioner are consulted, they must analyse the factors the Minister must consider prior to making the consumer data rules. [Schedule 2, item 36, sections 56BQ and 56BR]

2.21 The Secretary of the Department may arrange for consultation and the preparation of a report to be conducted by an agency other than Treasury. This could include arranging for this to be conducted by the ACCC (thereby largely preserving the status quo). However, the new provisions provide greater flexibility as to who may be arranged to carry out these tasks, while assigning responsibility for ensuring these matters occur to the Secretary.

2.22 Once the consultation has concluded, the Secretary of the Department must report to the Minister about the analysis and the consultation. [Schedule 2, item 36, section 56BQ]

2.23 The Minister is unable to make the consumer data rules for at least 60 days from when the rules were released for public consultation. [Schedule 2, item 36, section 56BP]

2.24 Rules made under section 56BA are not invalid if there has been a failure to comply with the Minister's tasks under section 56BP, the Secretary's tasks under section 56BQ or the ACCC's or Information Commissioner's tasks under section 56BR. However, as the rules are a legislative instrument under the Legislation Act 2003, they are subject to the scrutiny of Parliament and are disallowable. [Schedule 2, item 36, section 56BTA]

Emergency rules

2.25 The Minister may make emergency rules where the Minister is of the view that making the rules is necessary to avoid a risk of serious harm to the efficiency, integrity and stability of any aspect of the Australian economy or interests of consumers. For example, given the nature of the CDR regime, a significant data breach could be considered to cause serious harm to the interests of consumers. [Schedule 2, item 36, section 56BS]

2.26 Before making emergency rules, the Minister must consider the same kinds of matters the Minister considers when making rules in ordinary circumstances. The Minister must also consult the Information Commissioner before making the emergency rules but need not conduct other consultation beyond this.

2.27 A failure to consult the Information Commissioner does not invalidate the emergency rules. However, if the Minister does not consult the Information Commissioner before making the emergency rules, the rules will cease to be in force 6 months after the day they were made. [Schedule 2, item 36, sections 56BS and 56BT]

Delegation by the Secretary

2.28 The Secretary of the Department may, in writing, delegate all or any of the Secretary's functions or powers to an SES employee, or an acting SES employee, in the Department. [Schedule 2, item 42, section 56GAA]

2.29 In performing a delegated function or exercising a delegated power, the delegate must comply with any written directions of the Secretary.

Disclosure of information to the Secretary

2.30 Schedule 2 to the Bill amends the CC Act so that the ACCC can disclose information to the Secretary of the Department, or an employee of the Department or consultant assisting the Secretary in performing the Secretary's functions, or exercising the Secretary's powers, relating to Part IVD. The information may only be used for the purposes of the CDR and the functions and powers given to the Secretary as part of the CDR regime. [Schedule 2, items 43 and 44, section 157AA]

External dispute resolution schemes

2.31 Consistently with the reallocation of other functions, the ACCC's current functions around recognition of external dispute resolution schemes relating to the CDR regime may now be undertaken by the Minister. [Schedule 2, items 37 to 40, section 56DA]

CDR functions of Information Commissioner

2.32 The Information Commissioner will now be able to consult with and advise the Secretary of the Department about any matter relevant to the operation of the CDR regime, in addition to the Commissioner's ability to so consult and advise the Minister, ACCC and Data Standards Chair. [Schedule 2, item 41, section 56GA]

Miscellaneous amendments

2.33 Schedule 2 to the Bill makes a number of amendments to the CC Act to assist the clarity and efficiency of the CDR regime.

Earliest holding day for CDR data

2.34 The scope of information that may be subject to the CDR regime has been clarified to ensure that information that is of continuing use and relevance and that is critical to the effective operation of the CDR is captured.

2.35 The designation instrument specifies the 'earliest holding day' applicable to the sector for 'holding' the designated information, rather than 'beginning to hold' the information. If a person holds CDR data on or after the earliest holding day then the person will be a data holder for that data if it is of continuing use and relevance (such as an account number that is still current), and is not about the provision before that earliest holding day of a product or service by (or on behalf of) the person (for example, a transaction on an account). [Schedule 2, items 1 to 3, sections 56AC and 56AJ]

Fee-free data

2.36 Schedule 2 to the Bill clarifies that if data is not listed as chargeable data, and the consumer data rules require the data to be disclosed, then a data holder cannot charge a fee for the data. Where a data holder discloses data voluntarily but pursuant to the consumer data rules, the data holder is permitted to charge a fee for that data. Where a data holder discloses a package of data that includes both fee-free CDR data and CDR data that is provided voluntarily, the data holder is permitted to charge a fee for the data that it discloses voluntarily. [Schedule 2, item 4, section 56AM]

Agents acting on behalf of CDR entities

2.37 It is intended practice for CDR entities to be able to engage other persons to act on their behalf for data handling activities, subject to appropriate controls imposed by the consumer data rules. Subdivision F of Division 1 of Part IVD clarifies that for the purposes of Part IVD and the consumer data rules, conduct done by or to an agent, officer or employee of a CDR entity who is acting within the scope of their actual or apparent authority or employment, is taken to also be done by or to the CDR entity. The agent etc. of the CDR entity may be an accredited person, but it is not necessary for them to be accredited. The consumer data rules may impose requirements on outsourced service provider arrangements that accredited data recipients may enter into to ensure that consumer data is kept safe and secure. To clarify that CDR entities are responsible for the actions of their outsourced service providers, section 56AU provides that a CDR entity, whether a body corporate or not, is ultimately responsible for the actions done by their agents, and that acts done to the agents of CDR entities are taken to be acts done to the entity. [Schedule 2, item 6, section 56AU]

2.38 The scope for the consumer data rules to require a disclosure of CDR data for which there are one or more CDR consumers has been expanded beyond disclosure to one or more of those CDR consumers, an accredited person or a designated gateway (section 56BD(1)(b)). In line with ensuring the use of agents by CDR entities is clearly dealt with, the situation where disclosure to persons acting on behalf of accredited persons and designated gateways is included within the scope of permitted disclosure. Also included is disclosure by a designated gateway to a data holder of the data, in recognition of the fact that in some circumstances CDR data will need to flow in both directions between data holders and designated gateways (for example, when authenticating the identity of a consumer that has made a request for CDR data). [Schedule 2, item 7, section 56BD]

2.39 To enable obligations to be imposed directly upon agents, section 56BJ is amended to provide that consumer data rules can be made requiring agents to do or not do specified things when acting on behalf of CDR entities. This rule making power is intended to complement rules directed at ensuring agents comply with relevant information security, privacy and other obligations imposed on their principal, or impose other appropriate protections on their handling of CDR data if required. [Schedule 2, item 8, section 56BJ]

Privacy Safeguards

2.40 Provisions dealing with when the Privacy Safeguards begin to apply to entities that deal with CDR data, and how they apply, have been amended to ensure they clearly reflect the legislative intent and best practice operation of the safeguards. Accredited persons who plan to receive CDR data should take the necessary steps to ensure they will be able to comply with the Privacy Safeguards when they first begin to receive data. For the purposes of taking these steps and as long as accredited persons hold CDR data, the Privacy Safeguards apply, instead of the Australian Privacy Principles.

2.41 An accredited person should be compliant with Privacy Safeguard 1 (about requirements for a CDR entity's data management policies) as soon as they receive CDR data. Consequently, Privacy Safeguard 1 is intended to apply to all accredited persons rather than only to accredited data recipients, to ensure that all compliance measures have been completed before the entity actually begins to receive any CDR data. Similarly, on the basis that consumers should be able to instruct that their identity be kept unknown from the time they first consent to collection of their data, Privacy Safeguard 2 (about anonymity/pseudonymity of CDR consumers' identity) is intended to apply to all accredited persons rather than only to accredited data recipients. The amendments to sections 56EC, 56ED and 56EE will ensure accredited persons have the necessary policies, practices and systems in place for the proper management of CDR data, including not identifying consumers when requested, in anticipation of receiving CDR data and that there will not be any period of time that an accredited person holds CDR data but is not fully compliant with the Privacy Safeguards. Section 56EA has also been amended to clarify that the Privacy Safeguards apply to accredited persons, rather than accredited data recipients only. [Schedule 2, items 9 to 17, sections 56EA, 56EC, 56ED and 56EE]

2.42 Since Privacy Safeguard 5 (about notification of collection of CDR data) can only apply once CDR data has been collected in accordance with Privacy Safeguard 3, Privacy Safeguard 5 is amended to clarify that it applies to accredited data recipients. [Schedule 2, item 18, section 56EH]

2.43 Data holders are obliged under Privacy Safeguard 11, to ensure CDR data they disclose under the consumer data rules is accurate, up to date and complete (section 56EN(1)) and CDR participants must advise CDR consumers, in accordance with the rules, when they become aware of data being disclosed that was inaccurate, incomplete or not up to date (section 56EN(3)). The participant may then be requested by the consumer to fix the incorrect data and disclose corrected data (section 56EN(4)). Section 56EN is amended so that the consumer's request for correction and the subsequent disclosure of corrected data must be in accordance with the consumer data rules. The rules will cover the requirements for these steps, such as that a valid consent to receive the corrected data is in place, as well as circumstances in which the CDR participant is not required to comply with a request, such as when an accredited data recipient no longer provides relevant CDR services. The amendments to section 56EN will ensure that obligations to keep disclosed CDR data accurate continue, while allowing more tailored procedures on when and how the obligations are met to be provided through the rules. This will allow a greater level of specificity to be achieved on these procedural aspects in the rules than would be possible to provide in the principal legislation. [Schedule 2, items 19 to 21, section 56EN]

2.44 The Information Commissioner may assess whether a CDR participant or designated gateway is complying with the Privacy Safeguards in relation to their handling of CDR data (section 56ER). Section 56ER is amended to provide that it applies to accredited persons, to ensure that this function can be performed in relation to accredited persons who are subject to Privacy Safeguard 1. In addition, Part V of the Privacy Act 1988 is extended to enable the Information Commissioner to handle complaints and undertake investigations regarding an accredited person's compliance with relevant Privacy Safeguards (section 56ET). [Schedule 2, items 22 to 29, sections 56ER and 56ET]

Commonwealth entity data holders and gateways

2.45 Commonwealth entities may be specified as data holders and/or gateways in a designation instrument. In order to be authorised to undertake work to fulfil their obligations as data holders and/or gateways under the CDR regime, such entities are deemed to have the functions necessary to do this. [Schedule 2, item 5, section 56AR]

Concurrent operation of State and Territory laws

2.46 The effective application of the CDR to some sectors, such as the energy sector, under the CC Act will require its concurrent operation with State and Territory-based legislative arrangements.

The Constitution provides that when a law of a State is inconsistent with a law of the Commonwealth, the Commonwealth law prevails and the State law, to the extent of the inconsistency, is inoperative. This applies to both direct and indirect inconsistencies. The test for resolving inconsistencies with Territory laws is similar. 'Indirect' inconsistency arises where a Commonwealth law intends to 'cover the field', or to regulate the particular subject matter to the exclusion of a State or Territory law.

2.47 Schedule 2 to the Bill provides that the CDR provisions are intended to operate concurrently with State and Territory legislation where there is no direct inconsistency. The intention is to prevent a 'cover the field' type of inconsistency arising. In general, this means that a State or Territory law will be able to operate concurrently with the CDR provisions to the extent that it does not alter, impair or detract from the operation of those provisions. [Schedule 2, item 42, section 56GAB]

Application and transitional provisions

2.48 Any consultations by the ACCC regarding sectoral assessments that began before Schedule 2 to the Bill commences will continue to be able to be relied on to support the Minister's designation of a sector under the amended section 56AD. [Schedule 2, item 45(1)]

2.49 Further, consumer data rules in force prior to these amendments commencing will continue to apply after that commencement as if they were rules made by the Minister under the amended section 56BA. [Schedule 2, item 45(2)]

2.50 Any public consultations under section 56BQ(1)(a) that began before these amendments commence will continue as if the Secretary of the Department had arranged for them to begin under the amended section 56BQ(b). [Schedule 2, item 45(3)]

