Draft Privacy Safeguard Guidelines for Consumer Data Right Released

1 November 2019
Dudley Kneller, Partner, Melbourne; Hazel McDwyer, Partner, Sydney; David Smith, Partner, Melbourne

What is the Consumer Data Right?

The new Consumer Data Right (CDR) will take effect in February 2020, first in the banking sector then later in the telecommunications and energy sectors.

The Government’s objective is to promote competition, choice and innovation. For example, it should become easier for a consumer to change banks because they will be able to tell their current bank to provide their data to other banks or comparison services.

 

Privacy Safeguard Guidelines released for comment

The Office of the Australian Information Commissioner (OAIC) has now released its draft Privacy Safeguard Guidelines (Guidelines) for the CDR.

The OAIC will regulate the privacy aspects of the CDR and provide the primary complaints handling process for the scheme.

The Guidelines aim to help entities that will be participating in the CDR to understand their privacy obligations, which will be given effect by Part IVD of the Competition and Consumer Act 2010 (Cth) (Privacy Safeguards). There are 13 Privacy Safeguards in total. The Privacy Safeguards are legally binding; the Guidelines are not.

The OAIC anticipates that for small businesses that are currently not subject to the Privacy Act 1988 (Cth) (Privacy Act), compliance with the Privacy Safeguards may be a new experience if they become participants in the CDR framework. It is therefore seeking submissions from small businesses in particular, to identify knowledge gaps and provide further guidance where necessary.

 

Applicability of the Privacy Safeguards

The Privacy Safeguards will apply differently depending on the roles of the participants in the CDR framework. The table below identifies the Privacy Safeguards that apply to specific roles.

 

| Role | Privacy Safeguards that apply |
| --- | --- |
| Accredited person | Privacy Safeguards 1, 3, 4, and 5 |
| Accredited data recipient | Privacy Safeguards 1 to 13 inclusive |
| Data holder | Privacy Safeguards 1, 10, 11, and 13 |
| Designated gateway | Privacy Safeguards 1, 6, 7, and 12 |

 

In the CDR:

  • an accredited person is a person who has received accreditation from the Australian Competition and Consumer Commission that they comply with the requirements of the applicable Consumer Data Rules to participate in the CDR framework;[1]
  • an accredited data recipient is an accredited person who collects, receives or holds CDR data under the consumer data rules, but does not hold it as a data holder or designated gateway;[2]
  • a data holder is a person that holds CDR data for or on behalf of a consumer;[3] and
  • a designated gateway is an entity that facilitates the transfer of CDR data in accordance with the applicable Consumer Data Rules.[4]

A business may fall within the definitions of an accredited person, an accredited data recipient or a data holder for different consumers or depending on the role the business is fulfilling at any given time. For example, in an open banking context, a bank can:

  • be an accredited person in order to participate in the CDR framework;
  • become an accredited data recipient once it has collected CDR data as authorised by a consumer, such as on receipt of account information from another bank to create a new account for a customer; and
  • become a data holder when holding CDR data for and on behalf of a consumer.

As such, it is important for businesses to understand how each of the Privacy Safeguards applies to them in the different roles and functions they may perform in the course of their operations, and how they can integrate the requirements of the Privacy Safeguards into their broader privacy compliance regime.

 

Interaction with the Privacy Act

The draft Guidelines seek to clarify the interaction between the Privacy Safeguards and the Privacy Act and Australian Privacy Principles (APPs). The OAIC addresses this in the draft Guidelines by setting out summaries of how each of the Privacy Safeguards applies to each type of CDR entity. In some instances, depending on the status of the CDR entity (e.g. an accredited person or an accredited data recipient), the relevant APP will apply in parallel with the specific Privacy Safeguard. In other instances, the Privacy Safeguard will apply instead of the corresponding APP or vice versa.

An accredited person may only collect and use CDR data with the consent of the consumer. There are stricter consent requirements under the Privacy Safeguards in respect of CDR data than under the Privacy Act. Under the Privacy Act, for instance, consent must be express or implied. However, the Privacy Safeguards require accredited persons to procure ‘voluntary, express, informed, specific as to purpose, time limited, and easily withdrawn’ consent from consumers for the collection and use of their CDR data.

To comply with this higher standard, the draft Guidelines require accredited persons to provide consumers with a ‘consumer dashboard’, which must contain certain details relating to each consent to collect and use their CDR data. Depending on the practical and commercial implications of implementing the ‘consumer dashboard’ requirement, businesses may consider either:

  • isolating CDR data from other personal information and records to ensure that they comply with the higher standard of consent in respect of CDR data; or
  • altering their existing practices to apply the higher standard of consent in respect of all information collected from consumers. We note that the ACCC has recently recommended to the Government that generally (for privacy law purposes), a higher standard of consent should be required. The Government is currently considering that recommendation, amongst other recommendations.

 

Next steps

The OAIC is seeking submissions in relation to the draft Guidelines until 20 November 2019. Please see how to make submissions here.

 


[1] Competition and Consumer Act 2010 (Cth), section 56CA.

[2] Competition and Consumer Act 2010 (Cth), section 56AK.

[3] Competition and Consumer Act 2010 (Cth), section 56AJ.

[4] Competition and Consumer Act 2010 (Cth), section 56FA.

 

Authored by:

David Smith, Partner

Hazel McDwyer, Partner

Raisa Blanco, Associate

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.
