A tangled web - the regulatory framework and its power players

By Valeska Bloch

The draft legislation the Federal Government released on 15 August proposes to establish a regulatory framework for the implementation of a new Consumer Data Right (CDR). If passed, the proposed reforms will afford significant discretion to the Treasurer, radically expand the scope of the ACCC's current remit, and establish a range of new players responsible for the accreditation of data recipients and development of technical data standards. The OAIC will also play a role in relation to the protection of consumers' privacy. This article explores the complex regulatory framework that will bring this new regime into effect, and the cast of characters making it all happen.

Key takeaways

  • The draft legislation, which involves the insertion of a new part in the Competition and Consumer Act 2010 (Cth) (the CCA), creates a framework for the implementation of a CDR that will largely be administered by the ACCC – along with a complex web of other agencies (both old and new).
  • Roles and responsibilities for administering the regime will cascade down from the Treasurer (who will designate sectors to which the CDR applies) and the ACCC (which will develop consumer data rules), to a new Data Standards Body (which will create transfer and security standards) and a Data Recipient Accreditor (which will accredit recipients of CDR data).
  • Most of the detail for entities' participation in the regime as data holders and accredited recipients will be a matter for the ACCC to determine as part of the consumer data rules, which will govern the disclosure, use, accuracy, storage, security and deletion of CDR data, the accreditation of recipients, and reporting and record keeping requirements.
  • As well as advising the Treasurer and the ACCC on various privacy-related matters, the OAIC will handle complaints in relation to privacy and data breaches, enforce breaches of the new Privacy Safeguards and administer the extended notifiable data breach regime.
  • Under the proposed framework, the Treasurer and the ACCC will be granted a substantial expansion in their existing powers and discretion. In particular, the draft legislation appears to give more power and responsibility to the ACCC (at the expense of OAIC) than was contemplated in the Open Banking Report.

Roles and responsibilities for administering the CDR

When it comes to administering the CDR, it appears that the Government is keen to share the load. Responsibilities for implementing the regime will be divvied up between a bevy of existing and newly established regulators, including:

  • the Treasurer, who will designate industry sectors. Under the proposed reforms, the Treasurer will be granted the power to operationalise the CDR by designating sectors of the economy (including the types of data sets and data holders within a sector) that will be subject to the regime.
    Designation will occur via a legislative instrument – but before making that instrument, the Treasurer will be required to consider the likely effects of the designation on consumers, relevant markets, privacy, competition and data-driven innovation, as well as its regulatory impacts. The Treasurer will also need to consult with the ACCC and the OAIC, and must commission a report from each of them. The ACCC (but not the Treasurer or the OAIC) must consult with the public before finalising its report. Finally, the ACCC's and OAIC's reports must be published – but not necessarily before the Treasurer receives the reports and makes a declaration. This means that the opportunity for public consultation before a ministerial designation is effectively limited to the ACCC's public consultation process.
  • the ACCC, which will develop consumer data rules. Once a sector has been designated by the Treasurer, the ACCC will consult with the OAIC, other relevant regulators and the public, and create a set of consumer data rules applicable to each sector. The rules will govern the disclosure, use, accuracy, storage, security and deletion of CDR data, the accreditation of data recipients, reporting and record-keeping requirements, and any related matters.
    The Treasurer will need to consent to the consumer data rules before they can be made. However, there is an exception to this requirement in 'emergency' scenarios, where the ACCC can do away with the consultation and consent requirements in order to implement consumer data rules for a period of six months only (though these rules would be subject to subsequent amendment by the Treasurer). The Government has advised that the various consultation periods for the development of consumer data rules will not apply to the designation of, or consumer data rules relating to, the banking sector (given that the Treasury's Review into Open Banking Report effectively discharged these consultation requirements).
  • a Data Recipient Accreditor, which will be responsible for the accreditation of data recipients. A new Data Recipient Accreditor (which will initially be the ACCC) will accredit recipients of CDR data and will be able to revoke accreditation where a recipient fails to meet the accreditation criteria that are established as part of the consumer data rules for each sector. An Accreditation Registrar will also be appointed to maintain the central Register of all accredited data recipients within a particular sector.
  • a Data Standards Body, which will develop technical standards for data transfer. The Data Standards Body will develop transfer, data and security standards that provide more detail as to the format and process by which data needs to be provided to consumers and accredited entities under the CDR regime. The draft legislation allows for these standards to be either sector-specific or general (although, given the nuances associated with data transfers and security, we would expect these to be sector-specific).
    Andrew Stevens (former Managing Director of IBM Australia and current Chairman of the Advanced Manufacturing Growth Centre) has been appointed as Interim Data Standards Chair, and Data61 (part of CSIRO and Australia's leading digital research network) has been tasked with overseeing the Data Standards Body. A variety of banking and financial industry advisers have been appointed as members of an advisory committee to assist in the development of data standards for the banking sector.
  • the OAIC, which will continue to handle all things 'privacy'. The OAIC will handle both individual and business consumer complaints relating to privacy and data breaches, can enforce breaches of the new Privacy Safeguards and will administer the extended mandatory notifiable data breach regime under the CCA. The OAIC will also advise both the Treasurer and the ACCC on various privacy-related matters, and will be responsible for promoting compliance with the Privacy Safeguards (including undertaking assessments of companies' compliance with those safeguards). The OAIC may elect to delegate a variety of its functions to the ACCC so far as they relate to CDR data.
    Given the overlap between CDR data and personal information, we would expect that some level of cooperation between the ACCC and the OAIC will be required – although it appears that the Treasury has done its best to ensure that the vast bulk of the regime will fall within its portfolio.

At the Treasury's roundtables in Sydney, we were told the ACCC and OAIC have been working on a Memorandum of Understanding (MOU) (which will be published shortly) that reflects the breakdown of their roles in administering the CDR regime. At a high level, the OAIC will look after individual remedies and complaints handling, while the ACCC will adopt the role of systemic enforcement. The Treasury has indicated an intent for each regulator to 'play to their strengths', with the OAIC enforcing the safeguards and the ACCC enforcing the rules. However, there will be substantial cross-delegation powers that the MOU will aim to address.

Implementation of the CDR via existing laws

CCA amendments

Despite its complex regulatory structure and multi-agency model, the draft legislation actually proposes to make very few amendments to existing statutory provisions. The key change will be to insert a new Part IVD in the CCA to govern CDR data, which will enable the Treasurer to designate sectors of the economy to which the CDR will apply, permit the ACCC to develop the consumer data rules, and allow for the appointment of various regulatory bodies (such as the Data Standards Body and the Data Recipient Accreditor).

The new Part in the CCA will also set out the matters that the consumer data rules may cover, as well as various offences and penalties relating to the new regime (for more on penalties for breach of the CDR, see Risky business – remedies and enforcement powers for CDR breaches). But most of the detail will be left to the ACCC to develop alongside industry.

New Privacy Safeguards

The new Part IVD will incorporate a new set of 'Privacy Safeguards', which are modelled on the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth) (Privacy Act). These safeguards require CDR data to be handled transparently and appropriate security measures to be maintained (among other things). Interestingly, there is no proposal to amend the Privacy Act itself to extend the application of the APPs from personal information to CDR data. While this would appear to be a simpler method than developing an entirely new set of privacy principles, at the roundtables the Treasury explained that the new CDR Privacy Safeguards have been purposefully crafted to be more 'rigorous and specific' than the existing APPs.

From a practical perspective, it will be interesting to see what the overlap ends up being between CDR data and personal information (once we have a better idea of what will constitute CDR data). In any case, the OAIC will be responsible for handling complaints from both individual and business consumers relating to breaches of the Privacy Safeguards.

The draft legislation also proposes minor consequential amendments to the Privacy Act and the Information Commissioner Act 2010 (Cth).

Data breaches

Finally, the new CCA Part also extends the existing notifiable data breaches regime under the Privacy Act to data breaches involving CDR data. Again, this sits in the CCA rather than the Privacy Act – but the draft legislation does expressly incorporate Part IIIC of the Privacy Act and substitutes various terms for the CDR context.