2022

THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA

HOUSE OF REPRESENTATIVES

TREASURY LAWS AMENDMENT (CONSUMER DATA RIGHT) BILL 2022

EXPLANATORY MEMORANDUM

(Circulated by authority of the Assistant Treasurer and Minister for Financial Services, the Hon Stephen Jones MP)

Table of Contents
Glossary
General outline and financial impact
CDR action initiation
Statement of Compatibility with Human Rights
Attachment 1: Regulatory Impact Analysis: Inquiry into Future Directions for the Consumer Data Right

Glossary

This Explanatory Memorandum uses the following abbreviations and acronyms.

Abbreviation | Definition
ACCC | Australian Competition and Consumer Commission
Bill | Treasury Laws Amendment (Consumer Data Right) Bill 2022
CCA | Competition and Consumer Act 2010
CDR | Consumer Data Right
consumer data rules | Competition and Consumer (Consumer Data Right) Rules 2020
SES | Senior Executive Service

General outline and financial impact

Outline

The CDR framework was created to provide individuals and businesses with a right to access and share their data in sectors that have been designated by the Minister. This Bill expands on this by introducing 'action initiation' reforms, which would enable CDR consumers to direct accredited persons to instruct on actions on their behalf using the CDR framework. These actions could include making a payment, opening and closing an account, switching providers, and updating personal details (such as an address) across providers.

Date of effect

The amendments commence on the day after Royal Assent, except for a small number of minor and technical amendments which commence on the later of:
• immediately after the commencement of the balance of the Bill; and
• the commencement of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022.

Proposal announced

This Bill implements recommendations from the Inquiry into the Future Directions for the Consumer Data Right to introduce an action initiation framework.

Financial impact

Nil.

Regulation Impact Statement

The following four reports were certified as equivalent to a Regulation Impact Statement relating to the amendments in this Bill:
1. Issues Paper of the Inquiry into Future Directions for the Consumer Data Right;
2. Final Report of the Inquiry into Future Directions for the Consumer Data Right;
3. Supplementary analysis; and
4. Decision map

The Issues Paper of the Inquiry into Future Directions for the Consumer Data Right, the supplementary analysis and the decision map have been included in Attachment 1.

The Final Report of the Inquiry into Future Directions for the Consumer Data Right[1] provided options to expand and enhance the functionality of the CDR and made 100 recommendations. A key recommendation was to strengthen and deepen the CDR's functionality and use through the implementation of third-party action initiation reforms.

The Inquiry into Future Directions for the Consumer Data Right considered 73 formal submissions in response to the issues paper and met virtually with over 300 representatives from industry, peak bodies, consumer groups, regulators, government and academia. The inquiry examined the risks and benefits of various actions which are considered high value such as payments and switching providers. It analysed how the CDR's functionality could be expanded to include action initiation, and discussed the potential process to bring new action types into the CDR.

Human rights implications

This Bill raises human rights issues. See Statement of Compatibility with Human Rights -- Chapter 2.

Compliance cost impact

There is no compliance cost impact associated with this measure as the measure comprises enabling legislation. Compliance cost impact will be assessable during the ministerial declaration and rule-making processes.

[1] https://treasury.gov.au/sites/default/files/2021-02/cdrinquiry-final.pdf.

CDR action initiation

Table of Contents:
Outline of chapter
Context of amendments
Comparison of key features of new law and current law
Detailed explanation of new law
    Declared action types
    Participants in the CDR system
    Participant obligations
    Consumer data rules
    Privacy safeguards
    Regulator roles
    Consequential and minor amendments
Commencement, application, and transitional provisions

Outline of chapter

1.1 The CDR framework was created to provide individuals and businesses with a right to access and share their data in sectors that have been designated by the Minister to be part of the CDR system.

1.2 This Bill introduces reforms to the CDR framework, referred to as 'action initiation' reforms, which enable consumers to direct accredited persons to send instructions to initiate actions on their behalf. These actions could include making a payment, opening or closing an account, switching providers, and updating personal details (such as an address) across providers.

1.3 These reforms expand the CDR from a data sharing scheme to a scheme that allows consumers to act on information they receive.
For example, this could allow consumers to change energy providers following receipt of information about other providers that offer more suitable or lower cost services.

1.4 CDR action initiation builds on the existing infrastructure, objectives and principles underpinning the current data sharing framework, within sectors that are already designated for data sharing.

Context of amendments

1.5 The CDR framework was introduced by the Treasury Laws Amendment (Consumer Data Right) Act 2019, following a range of reviews including the Productivity Commission Inquiry Report into Data Availability and Use and the Review into Open Banking in Australia.

1.6 In the existing CDR system, individuals and business consumers consent to data holders in designated sectors (e.g. banking and energy sectors) disclosing their information to accredited third parties of their choice within the CDR framework.

1.7 The Inquiry into the Future Directions for the Consumer Data Right recommended strengthening and deepening the CDR's functionality and use through the implementation of third-party action initiation reforms.[2]

1.8 Increasing functionality of the CDR to include action initiation empowers consumers to authorise, manage and facilitate actions securely in the digital economy. They would potentially be able to use the CDR to, for example, open and close an account, switch providers, apply for services or make payments where the CDR system extends to such actions. This will reduce complexity, time and cost for consumers looking to securely get better deals and services that meet their needs, unlock new business models, drive innovation and increase competition.

1.9 References to legislation in this Explanatory Material are to the CCA unless otherwise stated.

[2] https://treasury.gov.au/publication/inquiry-future-directions-consumer-data-right-final-report

Comparison of key features of new law and current law

Table 1.1 Comparison of new law and current law

New law (in addition to the application of the CDR to data under the current law) | Current law
Consumers can use the CDR to have an action initiated on their behalf. | Consumers can use the CDR to access or direct that their data be shared with accredited data recipients.
The consumer requests an accredited action initiator to instruct an action service provider (entities that can receive instructions through the CDR to perform an action) on their behalf. The action service provider must perform the action if it is a type of action they would ordinarily perform in the course of their business. They cannot discriminate against an instruction received through the CDR, compared to other channels. | The consumer consents to an accredited data recipient collecting their data from a data holder. The accredited data recipient then uses it to provide goods or services to the consumer (such as a comparison service or budgeting app).
The Minister can declare (by legislative instrument) types of actions that can be initiated under the CDR, and the data holders that are to be action service providers. | The Minister may designate (by legislative instrument) a sector of the Australian economy for CDR data sharing, specifying data holders and datasets.
Action service providers can only charge fees for processing requests received through the CDR if the Minister makes rules permitting it. They can charge fees for performing the action, subject to a non-discrimination principle. | Data holders may only charge fees for sharing requested data if permitted by the Minister's designation instrument.
Accredited persons must act efficiently, honestly and fairly when initiating CDR actions. | No equivalent.
The Minister has comprehensive rule-making powers for action initiation, including on accreditation of action initiators, how actions are initiated, how requests are processed and factors relevant to assessing discrimination. | The Minister has comprehensive rule-making powers in relation to all aspects of the CDR including accreditation of data recipients, use, storage and accuracy of CDR data, the format of CDR data and the data standards.
The privacy safeguards are extended for action initiation so that they apply to CDR data that flows in the instruction layer from an accredited action initiator to an action service provider. | The CDR includes a set of CDR specific privacy safeguards, modelled off the existing Australian Privacy Principles but with additional obligations.

Detailed explanation of new law

1.10 The Bill amends the CCA to extend the CDR to action initiation. This builds on the existing CDR data sharing system, where individuals and businesses can directly access or direct that their data be shared with certain participants.

1.11 In CDR action initiation, a consumer can request an accredited action initiator to instruct an action service provider on their behalf. The action service provider must carry out the requested action if it is a type of action they ordinarily perform in the course of their business. That is, they cannot discriminate between instructions received through the CDR and those received through other channels.

1.12 A consumer may use action initiation as a complement to CDR data sharing, typically using information gained from that process to select a desired action, or access action initiation on its own.

1.13 CDR action initiation is generally only concerned with the 'instruction layer' of an action, including:
• consumers' requests to give instructions;
• accredited action initiators giving instructions to action service providers;
• how action service providers process instructions; and
• communication from the action service provider back to the accredited action initiator (including after the action has been performed).

1.14 The CDR and its expansion to action initiation does not alter how the 'action layer' - that is, performing the action - operates.
Existing laws and practices that govern the performance of actions are intended to continue unaffected.

1.15 The Bill amends the objects provision and simplified outline for Part IVD of the CCA to convey these key concepts. [Schedule 1, items 1 to 3, sections 56AA and 56AB]

Declared action types

1.16 The Minister may declare types of actions that can be initiated under the CDR. To do so, the Minister makes a legislative instrument declaring one or more types of actions for which an instruction may be given under the consumer data rules. Potential action types include specific types of payments (for example, variable recurring payments), opening and closing accounts with utility providers, and updating contact details with specified providers. [Schedule 1, items 4 and 5, heading of Subdivision B of Division 1 of Part IVD and paragraph 56ACA(a)]

1.17 The instrument also declares classes of data holders that are to be action service providers. These are the entities that will receive instructions through the CDR to perform an action (e.g. banks or energy retailers). [Schedule 1, item 5, paragraph 56ACA(b)]

1.18 The Bill defines such a declaration as a CDR declaration. The CDR and its expansion to action initiation do not alter how the 'action layer' - that is, performing the action - operates. CDR action initiation is generally only concerned with the 'instruction layer' of the action. The Bill also defines CDR action as an action of a type so declared. [Schedule 1, item 43, section 56AMA]

1.19 Under the existing CDR system, no data sharing rights or obligations take effect until the Minister designates the relevant sector of the Australian economy and makes rules enabling that data sharing.

1.20 Similarly, no action initiation rights or obligations take effect until the Minister declares the relevant action type and makes rules enabling that action initiation.

1.21 Like the designation process for CDR data sharing, the declaration process allows for identification and prioritisation of action types that represent the most benefit for consumers and the Australian economy.

1.22 The Minister's declaration instrument is subject to the scrutiny of Parliament and is disallowable.

Example 1.1 Declaration of variable recurring payment initiation

The Minister makes a legislative instrument declaring:
• variable recurring payments as a type of action for which an instruction may be given under the consumer data rules; and
• authorised deposit-taking institutions as the class of data holders that will become action service providers for variable recurring payments.

Authorised deposit-taking institutions would be required to participate in the CDR as action service providers, with obligations taking effect after the Minister makes relevant rules (from the time specified in those rules).

Minister's tasks before declaring action types

1.23 The Minister must consider a series of matters before making a declaration. These are generally the same matters that already apply for a designation in CDR data sharing, including the interests of consumers, privacy, competition, innovation, intellectual property and the public interest. The Minister may also consider any other matters the Minister considers relevant, which could include the liability arrangements and fraud protection arrangements in the action layer. [Schedule 1, items 6 to 9, section 56AD (heading), subsection 56AD(1), subparagraph 56AD(1)(a)(vi) and paragraph 56AD(1)(b)]

1.24 The CCA requires the Minister to consider certain matters before making a designation for data sharing that permits data holders to charge fees. These matters are not included in the list of mandatory considerations for action type declarations because the ability to allow fees in CDR action initiation is a matter for the consumer data rules instead.
[Schedule 1, item 10, paragraph 56AD(1)(c)]

1.25 The Minister would not need to consider whether to specify a gateway in relation to action type declarations because gateways are not a proposed feature of the CDR action initiation model.[3] [Schedule 1, item 11, paragraph 56AD(1)(d)]

[3] A gateway is a person, designated by the Minister, whose role it is to facilitate the transfer of data between certain participants in the CDR. This is a feature of the CDR data sharing system established by the CCA, but has not been enlivened in consumer data rules for any designated sectors to date.

Role of the Secretary

1.26 As with data sharing designations under the CDR data sharing provisions, the Secretary of the Treasury must arrange for:
• an analysis of those same matters that the Minister must consider;
• public consultation for at least 28 days;
• consultation with the ACCC, the Australian Information Commissioner and any other person or body prescribed in regulations; and
• the preparation of a report for the Minister (which must be published) about that analysis and consultation.
[Schedule 1, items 13 and 14, heading of section 56AE and subsection 56AE(1)]

1.27 In addition, for an action type declaration, the Secretary of the Treasury must arrange for consultation with a person or body (if any) that the Secretary believes to be a regulator of the action type in question. This recognises that action types often traverse multiple sectors in the economy, such that it may not be possible to identify one primary regulator. [Schedule 1, item 16, subparagraphs 56AE(1)(c)(iii)-(iiia)]

1.28 The Bill corrects a grammatical error in the description of how the public consultation is to occur. [Schedule 1, item 15, subparagraph 56AE(1)(b)(ii)]

ACCC's role

1.29 When consulted in relation to both data sharing designations and action type declarations, the ACCC must analyse those same matters that the Minister must consider. Consideration of 'any other matters the Minister considers relevant' is excluded because these will not necessarily be within the ACCC's knowledge. [Schedule 1, items 17 and 18, section 56AEA]

Information Commissioner's role

1.30 Separately, the Minister must also consult the Information Commissioner about the likely effect of making the action type declaration on the privacy or confidentiality of consumers' information. As with data sharing designations, the Information Commissioner must analyse the likely effect of the declaration, report to the Minister and publish the report (noting the Information Commissioner can exclude parts of the report in accordance with the existing provisions). [Schedule 1, items 12 and 19, subsection 56AD(3) and the heading of section 56AF]

Proceeding to make the instrument

1.31 The Minister can only proceed to make the action type declaration once all of the above has taken place and at least 60 days after the Secretary of the Treasury publishes their report.
The Minister must be satisfied that the Secretary of the Treasury has complied with all of these requirements. [Schedule 1, item 12, subsection 56AD(2)]

1.32 As with the provisions that apply to data sharing designations, failure to comply with these tasks and requirements does not invalidate an action type declaration. This is achieved by extending the existing no-invalidity clause in Part IVD of the CCA to action type declarations. [Schedule 1, item 20, section 56AH]

1.33 This provides certainty on the validity of CDR instruments for the benefit of entities within the CDR framework. The provision reflects the general position, as set out in section 19 of the Legislation Act 2003, that the validity or
enforceability of a legislative instrument is not affected by a failure to consult. Recognising the importance of consultation given the broad instrument-making powers, the CCA creates considerably stricter consultation requirements in relation to the CDR than those set out in the Legislation Act 2003. This sets significantly higher expectations in respect of the CDR than standard legislative processes. The no-invalidity clause recognises that the importance of thorough consultation must be balanced against the need for certainty and consumer protection.

Participants in the CDR system

1.34 Existing participants in the CDR system include:
• data holders - persons who hold data specified in a designation instrument and meet relevant conditions in the CCA, who may be required to disclose data under the CDR system (such as banks or energy retailers); and
• accredited data recipients - entities accredited to receive the data through the CDR system, that then use it to provide a good or service requested by the consumer (such as a budgeting app or comparison service).

1.35 CDR action initiation builds on the existing CDR data sharing framework and introduces two new types of participants:
• action service providers - entities that carry out an action initiated by an accredited action initiator on a consumer's behalf; and
• accredited action initiators - entities that, with the consumer's consent, initiate an action by instructing the action service provider on the consumer's behalf.
[Schedule 1, item 43, sections 56AMB and 56AMC]

1.36 The Bill also introduces the term CDR action participant to apply to both action service providers and accredited action initiators. [Schedule 1, item 43, section 56AMD]

Diagram 1.1 - Participant roles in CDR data sharing and action initiation

The grey arrows indicate the typical CDR data sharing process, while the black arrows indicate the typical CDR action initiation process.

Action service providers must also be data holders

1.37 All declared action service providers must also be data holders. If an entity has been designated by the Minister as a data holder for CDR data sharing, the Minister can declare the entity to be an action service provider and participation is mandatory. The Minister can only select from the existing pool of designated data holders.[4] [Schedule 1, items 5 and 43, paragraphs 56ACA(b) and 56AMB(1)(a)]

[4] It is possible for the Minister to simultaneously designate data holders and declare them to become action service providers, by making a data sharing designation instrument and action type declaration instrument at the same time.

1.38 In any particular CDR interaction involving both data sharing and action initiation, it is possible that a single entity is both a data holder and an action service provider. That is, the entity may be doing some tasks in its capacity as a data holder and others in its capacity as an action service provider.

Example 1.2 Single entity acting in different capacities

A consumer requests that money be paid from their account to a relative. With the consumer's consent, XYZ Ltd (a fintech firm) checks the consumer's account balance with ABC Bank and confirms there is enough money in it. XYZ Ltd does this in its capacity as an accredited data recipient and ABC Bank, consistent
with an authorisation by the consumer, discloses the balance in its capacity as a data holder. XYZ Ltd then instructs ABC Bank to make the payment. XYZ Ltd does this in its capacity as an accredited action initiator; and ABC Bank receives the instruction and performs the action (makes the payment) in its capacity as an action service provider. ABC Bank makes the payment using its existing payment infrastructure outside of the CDR, and subject to existing rules and processes.

1.39 Alternatively, it is possible that the data holder and action service provider could be two different entities, or there could even be multiple action service providers involved. For example, if a consumer uses action initiation to switch energy providers, both the outgoing and incoming providers are considered action service providers.

Example 1.3 Multiple action service providers

A consumer wants to find out the best deal for their circumstances and then switch energy providers. With the consumer's consent, XYZ Ltd obtains electricity usage data from the consumer's current provider, Utility A. XYZ Ltd does this in its capacity as an accredited data recipient and Utility A provides the data in its capacity as a data holder. XYZ Ltd's analysis shows that Utility B offers the best deal for the consumer. On the consumer's behalf and with their consent, XYZ Ltd instructs Utility A to close the consumer's account and instructs Utility B to open an account for the consumer. XYZ Ltd is instructing in its capacity as an accredited action initiator, Utility A closes the account in its capacity as an action service provider and Utility B opens an account also in its capacity as an action service provider.

1.40 Action service providers can receive data as part of action requests without becoming an accredited data recipient, although they can choose to become an accredited data recipient.
An action service provider may choose to become an accredited data recipient to give them more rights in terms of receiving data outside of an action initiation request. [Schedule 1, item 41, paragraph 56AK(e)]

Voluntary action service providers

1.41 While all declared action service providers must also be data holders, other entities can apply on their own initiative to become voluntary action service providers. [Schedule 1, item 43, paragraph 56AMB(1)(b) and subsection 56AMB(2)]

1.42 As explained at paragraph 1.132, the consumer data rules may specify eligibility criteria and the process for approving applicants to be voluntary action service providers. [Schedule 1, items 48 and 64, paragraph 56BB(da) and section 56BHA]

1.43 Those rules may include, for example:
• a requirement for applicants to demonstrate that they perform actions outside the CDR of a comparable type to the declared action types they wish to participate in; and
• information security requirements for applicants.

Adjustments to definition of data holder

1.44 Previously, there were three ways a person became a data holder:
• they were specified in a designation instrument;
• reciprocity arising from the person being accredited and disclosed other CDR data under the consumer data rules;
• they were an accredited person who is made a data holder via conditions in the consumer data rules.

1.45 Under the typical route - being specified in a designation instrument - the CDR data cannot have been disclosed to the person under the consumer data rules. If it was disclosed to them in that way, the person would not be considered a data holder for that particular data, even where they are a data holder for other data (because they are an authorised deposit-taking institution for instance).

1.46 The Bill establishes a rule-making power for the Minister to specify conditions under which a person specified in a designation instrument can become a data holder for designated CDR data disclosed to them under the rules. [Schedule 1, item 38, subsection 56AJ(5)]

1.47 This establishes a mechanism for action service providers to be considered data holders for designated CDR data that is disclosed to them as part of action initiation under the consumer data rules.
For example, this may be necessary where a consumer uses the CDR to switch providers (banks, energy retailers, etc.), so that the incoming provider is considered a data holder (as well as an action service provider) for the data related to the consumer it received through that process. The incoming provider would therefore be obliged to share it with accredited persons later if the consumer so chooses, perhaps to help switch again.

1.48 In another example, a consumer could use the CDR to update their address via a third party. The updated address would be received by their service provider (e.g. bank) in their capacity as an action service provider. However, once the
address is updated in their system, they would hold this as a CDR data holder, if enabled by the consumer data rules.

1.49 This rule-making power could also be used to support special cases in CDR data sharing where it may be necessary for a recipient of particular data to be treated as a CDR data holder of it.

1.50 Separately, paragraphs 1.75 to 1.79 explain an additional way in which a person may now become a data holder - namely as a voluntary action service provider in certain circumstances. This is a new type of 'reciprocity'.

1.51 The Bill also introduces a power for the consumer data rules to make carveouts from the second pathway listed above (reciprocity arising from an accredited data recipient or voluntary action service provider being disclosed other CDR data under the consumer data rules), to address unintended consequences where CDR data is disclosed to, for example, an accredited data recipient through other channels. [Schedule 1, item 35, paragraph 56AJ(3)(c)]

1.52 The Bill also makes minor amendments to headings and cross-references to reflect the new data holder pathways. [Schedule 1, items 33, 34 and 37, section 56AJ]

1.53 Consumer data rules can specify different conditions under each of the powers in the section that defines 'data holder'.

Accredited action initiators must also be accredited persons

1.54 All accredited action initiators must also be accredited persons. Consumer data rules are expected to be made to require prospective accredited action initiators to have first been accredited to receive data, even if they have not yet in fact received any.

1.55 Accredited data recipients can choose whether to keep providing services just using data sharing or seek specific accreditation to enable them to expand their business into action initiation.

1.56 An accredited person becomes an accredited action initiator if their accreditation authorises them to initiate the type of action they are accredited to perform.
The consumer data rules may include rules about accreditation, including about different levels of accreditation. [Schedule 1, items 43 and 57 to 61, section 56AMC and subsection 56BH(1)]

1.57 If an accredited person becomes an accredited action initiator without already being an accredited data recipient, they will become an accredited data recipient if they receive CDR data under the consumer data rules for the purposes of preparing a valid instruction for an action.

1.58 Again, in any particular CDR interaction involving both data sharing and action initiation, it is possible that a single entity is both the accredited data recipient and accredited action initiator.

1.59 Alternatively, it is possible that the consumer chooses one entity as accredited data recipient to collect their data and analyse it for them, and another entity as accredited action initiator to instruct for the consumer's desired action in response to that information.

Building on the existing CDR system

1.60 CDR action initiation builds on the existing infrastructure and participant profile for CDR data sharing.

1.61 This approach helps limit the scope of action initiation and reflects that many use cases for consumers will involve data sharing prior to action initiation. The crucial aim of the CDR is to access data and then be able to act on it.

1.62 This does not mean that a consumer must use CDR data sharing before accessing action initiation. It is possible for a consumer to approach or request an accredited action initiator to instruct for an action on their behalf, without the consumer first having their CDR data shared between a data holder and accredited data recipient.[5] Instructions will likely include CDR data, although this is not a requirement. Instructions may also include some non-CDR data, such as data about the action service provider.

Example 1.4 Action initiation without CDR data sharing preceding it

A consumer wants to switch their utilities plan from Utility A to Utility B because they have moved to a rural area only serviced by Utility B. There is no need for data sharing to compare the options and work out the best deal, and the consumer is not transferring data from Utility A to Utility B. The consumer requests XYZ Ltd to initiate the switch. XYZ Ltd does this in its capacity as an accredited action initiator, and Utility A and Utility B are both acting in their capacity as action service providers. Nobody takes any step in a data holder capacity; however, XYZ Ltd becomes an accredited data recipient for data received from the consumer to make this switch.
[5] In Diagram 1.1, this would involve the black arrows occurring, but not the grey arrows.

CDR consumers

1.63 In the existing CDR system, a CDR consumer is the person or entity that holds the 'rights' to access the data held by a data holder and to direct that this data be shared with an accredited person. The consumer can be an individual or a business.

1.64 In CDR action initiation, the scope of who can be a CDR consumer is broader because a person or entity can seek to have an action initiated and performed
on their behalf without CDR data sharing having previously occurred and without a pre-existing relationship with a data holder.

Definition of CDR consumer for a CDR action

1.65 Accordingly, the Bill introduces the concept of a CDR consumer for a CDR action. A CDR consumer for a CDR action is a person for whom the CDR action in question is being performed, which is intended to capture the consumer who requests (via an accredited action initiator) the action, but also other individuals who may be acting on their behalf. [Schedule 1, item 32, subparagraph 56AI(3A)(a)(i)]

1.66 The Bill also includes a power for regulations to prescribe additional circumstances that make a person a CDR consumer for a CDR action. [Schedule 1, item 32, subparagraph 56AI(3A)(a)(ii)]

1.67 Importantly, action service providers must act on instructions given on behalf of a prospective customer, not just an existing one. For example, a consumer might be using the CDR to set up a new account with an action service provider with which they have no prior relationship (and that therefore does not hold the consumer's CDR data).

Exclusions

1.68 Action service providers and accredited action initiators are not CDR consumers for a CDR action, unless they are using the CDR to request an action in their own right (that is, in their capacity as a business consumer that happens to also act as an action service provider or accredited action initiator at other times). [Schedule 1, item 32, paragraph 56AI(3A)(b)]

Example 1.5 CDR action participants are not consumers, unless they are using the CDR in their own right

Assume X and Y are both accredited action initiators, and Y gives a valid instruction for the performance of a CDR action (that relates to the supply of accounting services) on X's behalf. X will be a CDR consumer for the CDR action, but Y will not be.

1.69 Regulations may also prescribe other exclusions from being a CDR consumer for a CDR action.
[Schedule 1, item 32, paragraph 56AI(3A)(c)]

1.70 Separately, the consumer data rules may specify criteria to be an eligible consumer to make an action request.

Adjustments to definition of CDR consumer for CDR data

1.71 The Bill adds another circumstance where a person is considered a 'CDR consumer for CDR data', assuming other limbs of the definition are satisfied. This is where the CDR data is held by an entity holding it as an action service
provider, or by someone else holding it on that entity's behalf. [Schedule 1, items 29 and 30, subparagraphs 56AI(3)(b)(iia)-(iii)]

1.72 This adjustment reflects that it is possible to have an action service provider who is not a data holder, in the form of a voluntary action service provider.

1.73 The CCA contains an existing power for regulations to prescribe circumstances in which a person is excluded from being a 'CDR consumer for CDR data'. To assist comprehension, the Bill includes an amendment to describe these as 'exclusions' rather than 'conditions'. [Schedule 1, item 31, paragraph 56AI(3)(d)]

1.74 The Bill inserts subsection headings to improve navigability of the section in the CCA that defines 'CDR data', 'directly or indirectly derived' and 'CDR consumer'. [Schedule 1, items 21, 27 and 28, section 56AI]

Reciprocal data holders

1.75 In the existing CDR system, an accredited data recipient will be a data holder for certain data where the entity holds data specified in the designation instrument and that data was not transferred to it under the consumer data rules (or derived from such data). Such an entity is known as a reciprocal data holder.

1.76 In CDR action initiation, it is also possible for a voluntary action service provider to become a reciprocal data holder. This occurs if a voluntary action service provider holds designated data relevant to the type of action that they are performing in the CDR. The data could be held either at the time they are approved as voluntary action service providers or subsequently.
[Schedule 1, item 36, subsection 56AJ(3A)]

1.77 If an entity holds data (received outside the consumer data rules) covered by that CDR designation, they become reciprocal data holders for any data within scope of that designation if:
• the entity is a voluntary action service provider for a type of CDR action; and
• for the type of CDR action, the declaration identifies the mandated action service providers, who will also be designated data holders under an existing CDR designation.

1.78 Without this reciprocity principle for voluntary action service providers, there could be a scenario where closing and opening accounts are declared as action types in the CDR and those entities could sign up existing CDR consumers to them as a new service provider, with those consumers then losing their data sharing rights.

1.79 However, the Bill also includes a power for consumer data rules to make carveouts from this reciprocity principle, to address unintended consequences. [Schedule 1, item 36, paragraph 56AJ(3A)(e)]
Example 1.6 Voluntary action service provider becomes a reciprocal data holder

A data sharing designation is in force, designating authorised deposit-taking institutions as data holders, and specifying data about credit provided to consumers as the dataset. The Minister declares the switching of small loan providers as an action type, and authorised deposit-taking institutions as the data holders that are to become action service providers. Lender A holds an Australian credit licence and provides credit to its consumers but is not an authorised deposit-taking institution. Lender A wants borrowers to be able to switch and take out a small loan with them. Therefore, Lender A decides to apply to join the CDR as a voluntary action service provider (for the action type of switching small loan providers). At the time it is approved to join, Lender A holds data about credit provided to consumers, which it obtained in the ordinary course of its business. This causes Lender A to become a reciprocal data holder for the CDR. As such, Lender A must share CDR data validly requested by an accredited data recipient with consumer consent. This is especially important for consumers who switch to Lender A and take out a loan with them, so that those consumers can use the CDR to manage their finances and consider their options to switch to someone else.

Participant obligations

1.80 The Bill imposes a number of obligations on CDR action participants. Certain obligations are introduced to deal with wrongdoing specific to CDR action initiation; others are modelled on existing requirements applicable to CDR participants for CDR data.

Obligations of action service providers: the non-discrimination principle

1.81 Action service providers must uphold the non-discrimination principle. The non-discrimination principle operates in relation to performing actions and charging fees.
[Schedule 1, item 85, sections 56BZC and 56BZD]

1.82 Firstly, action service providers must not discriminate against an instruction merely because it arrives via the CDR. They must perform a validly requested
action in relation to a CDR consumer if, having regard to criteria to be set out in the consumer data rules, they would ordinarily perform actions of that type in the course of their business.

1.83 This is not intended to prevent an action service provider applying extra security or other checks to CDR action requests on the basis that a third party is involved, provided this is consistent with the service provider's existing practices. Nor would it prevent a service provider from refusing to perform an action, as long as the refusal was not based solely on the fact that the instructions had come through the CDR.

1.84 Secondly, when performing CDR actions, action service providers must not impose charges higher than their ordinary fees (worked out by reference to criteria in the consumer data rules). They must not charge any fees for processing CDR action instructions unless permitted to do so by the consumer data rules.

1.85 If the ACCC has determined the amount of a fee that specified providers may charge for processing an instruction, or a method for working out the amount, those providers' fees must not exceed that amount. [Schedule 1, item 85, section 56BZE]

1.86 The ACCC's power to determine fees chargeable by action service providers for processing CDR action instructions is discussed below in the section entitled 'Regulator roles'.

1.87 The fee-charging aspect of the non-discrimination principle would not prevent an action service provider offering a discount for processing action instructions received via the CDR, relative to what they would charge to process an instruction of that type received through another channel (for example, by phone). Similarly, the principle would not prevent an action service provider offering a discount for performing CDR actions.

1.88 Criteria relating to the two aspects of the non-discrimination principle will be set out in the consumer data rules.
The criteria will be tailored appropriately to action types once they have been declared and take into account general industry practices for the types of actions.

Obligations of accredited persons

Acting efficiently, honestly and fairly

1.89 Accredited persons must act efficiently, honestly and fairly when initiating CDR actions. Initiating CDR actions includes proposing to give an instruction on behalf of a potential CDR consumer for a type of CDR action. Failing to act in this manner is a contravention of the CCA and could result in a civil penalty being imposed. [Schedule 1, item 85, section 56BZA]
1.90 The obligation to act efficiently, honestly and fairly is modelled on a core obligation in the Australian financial services licensing regime in the Corporations Act 2001, and adapted for the CDR context.

1.91 The obligation is intended to capture actions contrary to a consumer's interest such as the accredited action initiator:
• repeatedly switching the consumer's providers to gain commissions (although this example should not be taken to preclude the accredited action initiator from making a commission or monetising the action); or
• pushing to switch the consumer's provider by falsely representing that the switch would benefit the consumer; or
• only recommending sponsored products (such that the consumer is offered an incomplete product range) and not communicating that fact to the consumer.

Only initiating actions in accordance with consumers' valid requests

1.92 The Bill inserts a new civil penalty provision that targets an accredited action initiator who purports to give a valid instruction for the performance of a CDR action in cases where there was no valid request by the consumer to give the instruction, or the initiator failed to comply with a relevant requirement in the consumer data rules. [Schedule 1, item 85, section 56BZB]

Obligations of all CDR participants: prohibition on holding out

1.93 The Bill repeals the existing criminal and civil prohibitions on holding out, and replaces them with new provisions covering both CDR participants for CDR data and CDR action participants.[6] These new provisions are substantially the same as the repealed ones, with updates to reflect the introduction of CDR action participants.
[Schedule 1, items 85 and 86, sections 56BZI and 56BZJ]

[6] The introduction of action initiation has created a need to distinguish between participants for data sharing, known as 'CDR participants for CDR data' and CDR action participants.

1.94 It is a criminal offence for a person to hold themselves out to be any of the following if that is not the case:
• an accredited person;
• an accredited person holding an accreditation at a particular level;
• an accredited person holding an accreditation authorising the person to do something;
• an accredited data recipient of CDR data;
• an accredited action initiator for a type of CDR action;
• an action service provider for a type of CDR action;
• approved as an action service provider at a particular level;
• authorised to do something by their approval as an action service provider.
[Schedule 1, item 85, subsection 56BZI(1)]

1.95 If the criminal offence of holding out is committed by a body corporate, it is punishable by a fine of not more than the greater of certain specified amounts, taking into account the benefit obtained from committing the offence and the size of the business, based on the body corporate's annual turnover.

If the court can determine the value of the benefit obtained, the maximum penalty is the greater of:
• three times the value of the benefit obtained; and
• $10 million.

If the court cannot determine the value of the benefit obtained, the maximum penalty is the greater of:
• $10 million; and
• 10 per cent of the annual turnover of the body corporate for the 12-month period ending the month before the offence was committed or began to be committed.

'Annual turnover' has the same meaning as in Division 1 of Part IV of the CCA. [Schedule 1, item 85, subsection 56BZI(2)]

1.96 If the offence is committed by a person other than a body corporate, it is punishable by no more than five years imprisonment or a fine of not more than $500,000, or both. [Schedule 1, item 85, subsection 56BZI(3)]

1.97 The new civil penalty provision on holding out applies to a person who untruthfully holds themselves out to be something they are not in any of the ways mentioned above. [Schedule 1, item 85, section 56BZJ]

1.98 The Bill includes an application provision stating that the repeal of the existing criminal and civil provisions applies in relation to acts or omissions on or after the Bill's commencement. This has the effect of preserving the operation of the repealed provisions in relation to pre-commencement acts or omissions.
[Schedule 1, item 87]

General obligations

1.99 The Bill amends the existing prohibitions on misleading and deceptive conduct to extend their application to CDR action initiation. The additional prohibited conduct is conduct that misleads a person into believing that a person is a CDR
consumer for a CDR action or has satisfied the criteria under the consumer data rules for making a request, or giving or processing a valid instruction, for the performance of a CDR action. [Schedule 1, items 78 to 81, subsections 56BN and 56BO]

Enforcement

1.100 The new CDR action-specific offences and civil penalty provisions described above will attract the operation of the existing enforcement and remedy provisions in Part VI of the CCA. The existing regime in the CCA allows courts the flexibility to deal with large and small businesses and serious and minor contraventions.

1.101 Setting the right penalties is integral to CDR action initiation. Misuse of CDR data as a consequence of initiating CDR actions has the potential to cause harm to consumers and impair confidence in the system. It is important that the penalties operate as a deterrent, discouraging misuse of CDR data, and are not seen as a cost of doing business.

Consumer data rules

1.102 Part IVD of the CCA contains the key framework provisions for the CDR scheme. These include rule-making powers in relation to more fine-grained aspects of the scheme. The Bill empowers the Minister to make consumer data rules to deal with the specific steps involved in initiating actions, accreditation of action initiators and other related matters. (Note that the Minister has a separate power to declare action types and data holders that are to be action service providers. See the section headed 'Declared action types' above.) Setting out requirements in the consumer data rules allows the scheme to be responsive to changes in technology as well as consumer demand for certain types of CDR actions. The scheme must adapt to these changes if it is to effectively regulate participants and benefit and protect consumers.
[Schedule 1, item 44, subsection 56BA(1)]

1.103 The scope of the rule-making powers is designed to ensure the CDR roll-out can respond flexibly to market and technological changes and maximise the potential benefit to consumers. All procedures set out in the rules are subject to the strict privacy and security safeguards contained in the CCA. In addition, other key safeguards make the roll-out appropriately subject to public consultation and scrutiny. No obligations can apply under the consumer data rules until these steps have occurred. Further, the consumer data rules, along with designation and declaration instruments, are disallowable, hence subject to parliamentary oversight.
1.104 The Minister may make rules for different types of CDR actions and different classes of CDR action participants and CDR consumers. [Schedule 1, item 45, paragraphs 56BA(2)(e) and (f)]

1.105 Currently, the rules must require accredited data recipients to delete CDR data in response to a valid request to do so by a CDR consumer for the data. A minor amendment clarifies that the obligation to delete the data is only enlivened if the CDR consumer requests it. [Schedule 1, item 165, subsection 56BAA(1)]

1.106 Section 56BD of the CCA limits the scope of the consumer data rules to, among other things, require CDR data to be disclosed to CDR data sharing participants. This is done to ensure the rules do not encroach on other regulatory frameworks. The Bill extends this aspect of the limiting provision to cover action initiation. It does so by picking up the expanded meaning of 'CDR data' to include information:
• that relates to a CDR consumer for a CDR action; and
• that the rules authorise an accredited action initiator to use or disclose in order to prepare or provide valid instructions for the performance of the CDR action on behalf of the consumer.

1.107 The CDR rules can also only require the disclosure of CDR data if the information is within a class of information specified in an instrument designating a sector. [Schedule 1, item 51, paragraph 56BD(1)(a)]

1.108 The Bill also extends the list of persons to whom CDR data can be disclosed to include data holders of other CDR data and action service providers for a type of CDR action.
[Schedule 1, item 52, subparagraphs 56BD(1)(iva) and (ivb)]

1.109 A note has been included to clarify that CDR data cannot be required to be disclosed if it is only CDR data because it is directly or indirectly derived from other CDR data within a class specified, or other CDR data about a CDR consumer for a CDR action that an accredited action initiator is authorised to use to prepare or give a valid instruction for the performance of CDR data. [Schedule 1, item 54, note 1 to subsection 56BD(1)]

Rules about accreditation

1.110 The Bill extends the Minister's power to make rules relating to accreditation to the accreditation of action initiators. Accreditation ensures the credibility and integrity of CDR participants, encouraging consumer confidence in the CDR system. [Schedule 1, item 47, paragraph 56BB(d)]

1.111 Accordingly, the heading to the section concerning accreditation rules has been amended to reflect that the rule-making power covers both data recipients and action initiators. [Schedule 1, item 57, heading of section 56BH]

1.112 The rules may grant accreditation at different levels corresponding to different specified risks. The list of risks has been extended to include those associated
with specified types of CDR actions. [Schedule 1, items 58 and 60 and 61, subparagraph 56BH(1)(d)(iia) and notes to subsection 56BH(1)]

1.113 Further to this, the Minister may make rules specifying what a person accredited at a particular level is authorised or not authorised to do. [Schedule 1, item 59, paragraph 56BH(1)(da)]

1.114 Grounds for variation, suspension or revocation of an accreditation could include failure to comply with a requirement in Part IVD of the CCA or in the consumer data rules. A technical amendment has been made to reflect the fact that the privacy safeguards are contained in that Part of the CCA. [Schedule 1, item 62, subsection 56BH(3)]

Review of decision-making processes for accreditation

1.115 Currently, where the consumer data rules provide for decisions to be made to vary, suspend, or revoke an accreditation, the rules must also permit applications to be made to the Administrative Appeals Tribunal for review of those decisions. To enhance the procedural fairness afforded by this requirement, it is extended to include the refusal to make such a decision. [Schedule 1, item 63, subsection 56BH(4)]

Rules about participant roles and activities

Accredited action initiators

1.116 To facilitate the introduction of accredited action initiators into the CDR framework, the Bill empowers the Minister to make rules about initiating CDR actions, including rules regulating interactions between different parties in the action initiation framework. Such interactions could involve declared and voluntary action service providers. [Schedule 1, items 46 and 56, paragraph 56BB(ca) and subsection 56BGA(1), particularly paragraph 56BGA(1)(f)]

1.117 The consumer data rules may include requirements on accredited action initiators in relation to giving valid instructions in specified circumstances, and may include rules about how a CDR consumer for a CDR action may make a valid request.
[Schedule 1, item 56, paragraphs 56BGA(1)(a) and (c)]

1.118 The consumer data rules may include requirements on an accredited action initiator for a type of CDR action relating to giving a valid instruction after a series of specified interactions between the initiator, provider, consumer, or other persons. This will allow the rules to set out interactions that may or must take place before instructions are provided. [Schedule 1, item 56, subparagraph 56BGA(1)(a)(iv)]

1.119 The consumer data rules may prescribe how an instruction is to be prepared for it to be a valid instruction for the performance of a specific type of CDR
action, what matters the valid instruction may cover, and when such an instruction ceases to be valid. [Schedule 1, item 56, paragraph 56BGA(1)(b)]

1.120 The consumer data rules may include rules on the authorisation of disclosure or use of CDR data in accordance with a valid consent. The Minister's rule-making powers are an effective mechanism to ensure proper oversight in the face of constantly changing technology and business practices. [Schedule 1, item 56, paragraphs 56BGA(3)(a) and (b)]

1.121 They may also set out how a CDR consumer may make a valid consent (for authorised disclosures or use of CDR data); what consent must include in order to be valid; the types of disclosures, uses or other matters it may cover; and when a consent ceases to be valid. [Schedule 1, item 56, paragraph 56BGA(3)(c)]

1.122 The Minister may make rules authorising an accredited action initiator to use or disclose information relating to a consumer that is disclosed to the initiator or otherwise held by the initiator for the purpose of preparing a valid instruction. [Schedule 1, item 56, paragraph 56BGA(1)(d)]

1.123 If such information, or information directly or indirectly derived from it, is disclosed to a CDR action participant under the consumer data rules, that participant may be subject to rules affecting the use, accuracy, storage, security or deletion of the information. [Schedule 1, item 56, subsection 56BGA(5)]

1.124 The Bill also amends the definition of 'CDR data' to include information that relates to a consumer and where the consumer data rules authorise the accredited action initiator to use or disclose the information to prepare or give an instruction for an action. This is intended to capture data that may be needed as an input for initiating the action, but which has not been shared under the existing CDR rules by a designated data holder.
An example is a consumer manually inputting their address to the accredited action initiator. [Schedule 1, items 21 to 26, subsection 56AI(1)]

1.125 As explained in paragraph 1.155, accredited action initiators become accredited data recipients for this data, which also ensures the privacy safeguards apply in full. No person has data holder obligations for this data at the time it is shared with the accredited action initiator. When this data is shared with an action service provider, the Bill establishes a rule-making power for the Minister to specify conditions such that a person specified in a designation instrument can become a data holder for designated CDR data disclosed to them under the rules. See paragraph 1.48.47 for an example.

1.126 An accredited action initiator or action service provider may receive incidental, non-CDR data through CDR processes. To address these circumstances, the Minister may make rules relating to information that is not CDR data but relates to a CDR action. [Schedule 1, item 56, paragraph 56BGA(1)(h)]
Action service providers

1.127 The Minister is explicitly empowered to make rules about how an action service provider for a type of CDR action processes a valid instruction. [Schedule 1, item 56, paragraph 56BGA(1)(e)]

1.128 The initiation of an action and its performance are two separate processes. The CDR framework is not intended to regulate how actions are performed. Each sector is already governed by laws and regulations specifically designed for that sector. Therefore, the CCA explicitly provides that the consumer data rules cannot include rules requiring an action service provider for a type of CDR action to perform (or not perform) a CDR action of that type in a particular way. [Schedule 1, item 56, subsection 56BGA(4)]

1.129 The consumer data rules may also allow an action service provider to charge fees at the instruction layer. At the action layer, action service providers can charge a fee to execute CDR action requests as long as the fee does not exceed what they would ordinarily charge. This enables action service providers to pass on existing charges like home loan application fees without being considered to breach the non-discrimination principle. [Schedule 1, item 56, subsection 56BGA(2)]

1.130 Before making consumer data rules about fees at the instruction layer, the Minister must consider the following matters:
• if performers of actions of a particular type currently charge fees for processing instructions to perform such actions;
• if the incentive to perform actions of that type would be reduced if fees could not be charged for processing such instructions;
• the marginal cost of processing such instructions in accordance with the consumer data rules.
[Schedule 1, item 75, paragraph 56BP(aa)]

1.131 The provisions about the Secretary, ACCC and Information Commissioner's roles are amended because of the new matters the Minister is required to consider in relation to making rules about fees that may be charged at the instruction layer. [Schedule 1, items 76 and 77, paragraph 56BQ(a) and section 56BR]

Voluntary action service providers

1.132 The Minister is explicitly empowered to make rules concerning approvals of persons to be voluntary action service providers for types of CDR action. Placing approval processes in the rules provides enough flexibility for the consumer data rules to adapt to the different types of actions that might be declared while facilitating sufficient oversight over new entrants. [Schedule 1, items 48 and 64, paragraph 56BB(da) and subsection 56BHA(1)]
1.133 Any functions or powers conferred on the Minister under the consumer data rules regarding voluntary action service providers may be delegated to an SES level employee or acting SES level employee in the Department or in the ACCC. In performing a delegated function or exercising a delegated power, the delegate must comply with any written directions of the Minister. [Schedule 1, items 176 and 177, section 56GAA (heading) and subsections 56GAA(1A) and (1B)]

1.134 This provision is needed because it is not practicable for such functions and powers to only be exercisable at the Ministerial level, but also recognises the significance of a person's voluntary participation as a CDR action participant, by requiring the delegation to only be made to an employee at SES level. This is consistent with Senate Standing Committee for the Scrutiny of Bills Guidelines--Principle (ii).[7]

1.135 To maximise participation and oversight of entrants within the CDR framework, the criteria for a person to be approved as an action service provider may differ for each class of person, and may permit a person to be approved even if the person:
• is not a body corporate established by or under a law of the Commonwealth, of a State or of a Territory; and
• is neither an Australian citizen, nor a permanent resident (within the meaning of the Australian Citizenship Act 2007).

1.136 Approval criteria may also include payment of a fee as long as it does not amount to taxation. [Schedule 1, item 64, subsection 56BHA(2)]

1.137 The consumer data rules may provide that the level at which approvals to be voluntary action service providers are granted may correspond to different risks associated with:
• specified types of CDR action;
• classes of CDR data; and
• classes of applicants for such approvals.
[Schedule 1, item 64, paragraph 56BHA(1)(d)]

[7] The Commonwealth of Australia, 'Standing Committee for the Scrutiny of Delegated Legislation' Guidelines, February 2022, 2nd Edition, Principle (c), 14. Accessed at: https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Scrutiny_of_Delegated_Legislation/Guidelines. See also Australian Senate, 'Principle (c): Scope of administrative powers', revised February 2022.

1.138 The consumer data rules may also specify what a voluntary action service provider approved at a particular level is or is not authorised to do. [Schedule 1, item 64, paragraph 56BHA(1)(e)]

1.139 The consumer data rules may also provide for approval to be granted with conditions, noting conditions may be imposed after the approval has been
granted. The rules may also impose notification requirements on entities approved to be voluntary action service providers, including when such approvals are renewed, transferred, varied, suspended, revoked, or surrendered. Rules may also be made about publishing details of such matters. [Schedule 1, item 64, paragraphs 56BHA(1)(c), (g) and (h)]

1.140 Similar to the processes in relation to accredited data recipients, where the consumer data rules provide for decisions to be made to vary, suspend, or revoke the approval of a voluntary action service provider, or for the refusal to make such decisions, the rules must also permit applications to be made to the Administrative Appeals Tribunal for review of those decisions. [Schedule 1, item 64, subsection 56BHA(5)]

1.141 The consumer data rules may also provide that certified copies or extracts of specified published details of a matter are admissible in proceedings as prima facie evidence of the matter. If so, the rule may provide that the certificate must not be admitted in evidence in proceedings relating to a person unless the person or their legal representative has, at least 14 days before the certificate is sought to be admitted, been given a copy of that certificate with notice of the intention to produce the certificate as evidence in the proceedings. [Schedule 1, item 64, subsection 56BHA(6)]

1.142 No compensation is payable if the approval is transferred, suspended, revoked, or surrendered in any way. [Schedule 1, item 64, subsection 56BHA(3)]

1.143 To manage the various implications of an approval being varied or suspended or ending, the Minister may make transitional rules for such events, including about the disclosure, collection, use, accuracy, storage, security, or deletion of CDR data.
[Schedule 1, item 64, paragraph 56BHA(1)(i)]

Rules about reporting, record keeping and auditing

1.144 The consumer data rules may include a power for a CDR consumer of a CDR action to direct an accredited action initiator for CDR actions of that type to give reports. These reports may concern the consumer's valid request made to the accredited action initiator under the consumer data rules or a valid instruction given by the accredited action initiator under the rules on the consumer's behalf. [Schedule 1, item 65, paragraph 56BI(1)(ca)]

1.145 The consumer data rules may also provide transparency in relation to action service providers by enabling a CDR consumer to direct an action service provider for CDR actions of that type to provide reports about their processing of valid instructions given on the consumer's behalf. [Schedule 1, item 65, paragraph 56BI(1)(cb)]

1.146 The consumer data rules may include requirements for action service providers and accredited action initiators to give the ACCC or Information Commissioner copies of required records or information from such records
periodically or on request. A cross-reference in the relevant provision is revised for more precision. [Schedule 1, items 67 and 68, subsection 56BI(2)]

1.147 The consumer data rules may also include requirements for action service providers and accredited action initiators to give reports to the ACCC or Information Commissioner. [Schedule 1, item 66, paragraph 56BI(1)(d)]

Other amendments relating to the consumer data rules

1.148 The Bill removes some previous constraints on certain rule-making powers, as follows:
• consumer data rules can now include requirements on a CDR participant for CDR data to disclose data to a data holder of other CDR data, in response to a valid consumer request [Schedule 1, item 49, subparagraph 56BC(1)(a)(iii)]
• consumer data rules can now require a disclosure of certain CDR data for which there are one or more CDR consumers to data holders of other CDR data, or to action service providers (or to persons acting on their behalf). This applies to designated data and the new category of CDR data used by accredited action initiators. [Schedule 1, items 50 to 54, subsection 56BD(1)]
• consumer data rules can now include rules affecting a data holder that relate to deletion of CDR data for which there are one or more CDR consumers if it was disclosed to the data holder under the consumer data rules. However, the consumer data rules are still barred from requiring data holders to delete data they already hold outside the CDR (that is, data generated or received during their usual course of business).
[Schedule 1, item 55, subsection 56BD(3)]

1.149 The Bill extends the following existing rule-making powers to accommodate action initiation:
• rules about the manner in which CDR action participants may charge (or cause to be charged) a fee for a matter covered by the consumer data rules [Schedule 1, item 69, subparagraph 56BJ(f)(i)]
• rules requiring CDR action participants to have internal or external dispute resolution processes that meet specified criteria [Schedule 1, item 70, paragraph 56BJ(g)]
• rules requiring agents of an action service provider to do or not to do specified things when acting on behalf of the provider and within the agent's actual or apparent authority [Schedule 1, item 71, subparagraph 56BJ(ia)(iv)]
• rules requiring action service providers to do something on a particular day, in relation to CDR data generated or collected on an earlier day. [Schedule 1, item 72, paragraph 56BK(2)(e)]

1.150 The Bill removes the power for regulations to exclude or limit specified consumer data rules having effect. This is because the power is redundant, with the rule-making function having been transferred to the Minister in 2021. [Schedule 1, items 73 and 74, subsections 56BK(3) and (4)]

Privacy safeguards

1.151 The new CDR framework has privacy protections ('Privacy Safeguards') comparable to the Australian Privacy Principles. There are 13 Australian Privacy Principles. They govern standards, rights, and obligations around:
• collection, use and disclosure of personal information
• an organisation or agency's governance and accountability
• integrity and correction of personal information
• the rights of individuals to access their personal information.

1.152 Civil penalties apply to most contraventions of the Privacy Safeguards.

1.153 The Privacy Safeguards are intended to provide a higher level of protection for data used and shared within the CDR framework. The Privacy Safeguards apply to consumer data of both individual and business enterprises. However, they generally contain more restrictive requirements on handling of CDR data than requirements applying to personal information under the Privacy Act 1988. The Minister may make rules relating to the privacy safeguards in relation to an instruction or request relating to a CDR action. [Schedule 1, item 56, paragraph 56BGA(1)(g)]

1.154 All privacy safeguards are currently expressed to apply to either accredited data recipients of CDR data, or to accredited persons who are or may become accredited data recipients of CDR data. These references capture accredited action initiators who may handle, or are handling, CDR data.
Privacy safeguards 3 and 4 have been amended to expressly refer to accredited action initiators or to kinds of CDR action participants. [Schedule 1, item 96, sections 56EF and 56EG]

1.155 As explained above in paragraph 1.124, the Bill amends the definition of 'CDR data' to include information that relates to a consumer, in cases where the consumer data rules authorise an accredited action initiator to use or disclose the information to prepare or give an instruction for an action. The receipt of this data makes an accredited action initiator an accredited data recipient for that particular data. This is the means by which the privacy safeguards are made to apply in full to accredited action initiators. [Schedule 1, items 39 to 42, section 56AK]
1.156 The Bill extends the following privacy safeguards to action service providers:
• privacy safeguard 1: open and transparent management of data;
• privacy safeguard 3: requirements on when an entity can solicit CDR data from CDR participants;
• privacy safeguard 4: dealing with unsolicited CDR data from participants in the CDR;
• privacy safeguard 10: notifying of the disclosure of CDR data;
• privacy safeguard 11: ensuring quality of the data; and
• privacy safeguard 13: correction of CDR data
[Schedule 1, items 93, 94, 95, 96, 99, 100, 101, 102, 103, 106-109, sections 56ED, 56EF, 56EG, 56EM, 56EN and 56EP]

1.157 The privacy safeguards are generally intended to apply to action service providers in relation to the instruction layer rather than the action layer. Action service providers are likely to collect data externally to the CDR framework because of pre-existing, everyday business practices involving the use and disclosure of information. If the privacy safeguards and the Australian Privacy Principles applied to action service providers concurrently in relation to the action layer, this would create unnecessary duplication, increasing the risk of confusion. The existing Australian Privacy Principles, and the Privacy Act 1988 more broadly, are intended to apply to action service providers in respect of the action layer.

1.158 The privacy safeguards were introduced to facilitate further protection of information being used within the CDR framework. The purpose of extending these privacy safeguards to action service providers is to manage risks associated with the flow of CDR data in the instruction layer, and where information and privacy risks are specifically attributable to the CDR.

1.159 The simplified outline of Division 5 of Part IVD of the CCA has been amended to reflect the introduction of action service providers and accredited action initiators.
Table 1.2 provides a summary of changes to the privacy safeguards. [Schedule 1, item 88, section 56EA]

Table 1.2 Application of privacy safeguards

| Privacy safeguard | Currently applies to | Extended to apply to |
|---|---|---|
| 1. Open and transparent management | Accredited Data Recipient; Data Holder | Accredited Action Initiator; Action Service Provider |
| 2. Anonymity and pseudonymity | Accredited Data Recipient | Accredited Action Initiator |
| 3. Soliciting CDR Data | Accredited Data Recipient | Accredited Action Initiator; Action Service Provider |
| 4. Dealing with unsolicited CDR data | Accredited Data Recipient | Accredited Action Initiator; Action Service Provider |
| 5. Notifying about the collection | Accredited Data Recipient | Accredited Action Initiator |
| 6. Use or disclosure | Accredited Data Recipient | Accredited Action Initiator |
| 7. Use or disclosure for direct marketing | Accredited Data Recipient | Accredited Action Initiator |
| 8. Overseas disclosure | Accredited Data Recipient | Accredited Action Initiator |
| 9. Government related identifiers | Accredited Data Recipient | Accredited Action Initiator |
| 10. Notifying of disclosure of CDR data | Accredited Data Recipient; Data Holder | Accredited Action Initiator; Action Service Provider |
| 11. Quality | Accredited Data Recipient; Data Holder | Accredited Action Initiator; Action Service Provider |
| 12. Security | Accredited Data Recipient | Accredited Action Initiator |
| 13. Correction | Accredited Data Recipient; Data Holder | Accredited Action Initiator; Action Service Provider |

Application of privacy safeguards and Australian Privacy Principles

1.160 The interaction between the privacy safeguards and the Australian Privacy Principles is governed by section 56EC of the CCA. Under this provision, if a particular privacy safeguard applies to a specified person in relation to CDR data, the corresponding Australian Privacy Principle generally does not apply. This section has been updated to provide that the privacy safeguards are intended to apply to action service providers in the same manner that the privacy safeguards currently apply to data holders. Specifically:
• if privacy safeguards 1 or 2 apply to an accredited person in relation to CDR data--the corresponding Australian Privacy Principle does not apply; and
• if privacy safeguards 3 or 4 apply to an accredited person or a CDR action participant in relation to CDR data--the corresponding Australian Privacy Principle does not apply; and
• if privacy safeguards 11 or 13 apply to a disclosure of CDR data by a data holder or action service provider--the corresponding Australian Privacy Principle does not apply.
[Schedule 1, items 89 and 91, paragraphs 56EC(4)(aa) to (c) and (5)(c)]

1.161 Despite the provisions in the Privacy Act 1988, if a small business operator is an action service provider for a type of CDR action, the Privacy Act 1988 applies in relation to personal information that is disclosed under the consumer data rules, where the CDR privacy safeguards do not apply. The action service provider will be treated as if the small business were an organisation within the meaning of the Privacy Act 1988. [Schedule 1, item 90, paragraph 56EC(4)(e)]

1.162 Note 1 to subsection 56EC(5) has been updated to accommodate the entrance of accredited action initiators and action service providers into the CDR framework. This clarifies that privacy safeguard 1 is intended to apply to action service providers in the same manner that it currently applies to data holders. [Schedule 1, item 921, note 1 to subsection 56EC(5)]

Changes to privacy safeguards

Consideration of CDR data privacy

Privacy safeguard 1 - Open and transparent management of CDR data

1.163 The object provision of privacy safeguard 1 has been amended to bring action service providers within its scope. Action service providers have been brought within the definition of 'CDR entity' for the purposes of this privacy safeguard.
As action service providers will ultimately use and disclose CDR data collected through the CDR system, it is appropriate that they comply with privacy safeguard 1. [Schedule 1, item 93, subsection 56ED(1)]

1.164 Action service providers are subject to all existing requirements of privacy safeguard 1 that apply to CDR entities generally. Additionally, an action service provider that has been, or may be, disclosed CDR data under the consumer data rules must have a policy with the following information:
• how a CDR consumer for the CDR data may access the CDR data and seek correction of the CDR data;
• how a CDR consumer for the CDR data may complain about a failure of an action service provider to comply with Part IVD of the CCA or
the consumer data rules, and how the CDR entity will deal with such a complaint.
[Schedule 1, items 94 and 95, paragraph 56ED(3)(c) and subsection 56ED(6A)]

1.165 It is appropriate for action service providers to comply with privacy safeguard 1 because an action service provider is required to 'use' CDR data in accordance with instructions provided by an accredited action initiator. Compliance with privacy safeguard 1 will provide further assurance that an action service provider manages CDR data in an open and transparent way. The requirement for the CDR entity to have a clearly expressed and up-to-date policy about CDR data management is a civil penalty provision. [Schedule 1, item 94, subsection 56ED(3)]

Privacy safeguard 2 - anonymity and pseudonymity

1.166 Privacy safeguard 2, which is not amended by the Bill, will apply to accredited action initiators. It requires accredited data recipients, or accredited persons who may become accredited data recipients, to facilitate the anonymity or pseudonymity of CDR consumers to whom the data relates, unless circumstances specified in the consumer data rules apply. As explained above, accredited action initiators become accredited data recipients as soon as they use information to prepare or give an instruction for an action.

Collecting CDR data

Privacy safeguard 3 - Soliciting CDR data

1.167 Privacy safeguard 3 has been amended to cover accredited action initiators and action service providers and reformatted to include a table. Table item 1 sets out existing requirements covering accredited persons seeking to collect CDR data from data holders. The requirements in table item 2 reflect the extension of privacy safeguard 3 to accredited action initiators and action service providers. This safeguard is a civil penalty provision.
[Schedule 1, items 95 and 122, subsection 56EF(1) and section 56EU]

1.168 An accredited person must not seek to collect data from a CDR participant for the CDR data unless:
• a CDR consumer for CDR data has validly requested this under the consumer data rules for the purposes of a use or disclosure under the rules; and
• the accredited person complies with all other requirements in the consumer data rules for the collection of the CDR data from that other participant.
This will ultimately reduce the risk of data misuse by accredited persons because accredited persons will only be able to collect CDR data under
specified circumstances. [Schedule 1, item 96, table item 1 of subsection 56EF(1)]

1.169 An action service provider or an accredited action initiator must not seek to collect CDR data under the consumer data rules from another action participant unless certain conditions are met. The conditions are that a CDR consumer for the CDR data has requested this for the purposes of a valid instruction to be given:
• by one of the CDR action participants (as an accredited action initiator for a type of CDR action) to the other; and
• under the consumer data rules; and
• for the performance of a CDR action of that type.
A note is also included to clarify that the kinds of CDR action participants referred to in the table are accredited action initiators and action service providers. [Schedule 1, item 96, table item 2 of subsection 56EF(1)]

1.170 An additional subsection clarifies that, for the purposes of the requirements discussed above, the collection of data could be direct or indirect. [Schedule 1, item 96, subsection 56EF(2)]

Privacy safeguard 4 - Dealing with unsolicited CDR data

1.171 The Bill extends the application of privacy safeguard 4 to accredited action initiators and action service providers. This privacy safeguard is a civil penalty provision.

1.172 Previously, privacy safeguard 4 only applied to accredited persons collecting CDR data from a CDR participant. The extension of this privacy safeguard will mean an accredited action initiator or an action service provider will be required to delete data they have collected if either collects data from the other in a way that does not comply with the CDR rules.

1.173 However, the rules may set out circumstances in which data collected by action service providers need not be deleted.
This is to enable flexibility for an accredited action initiator to send CDR data to an action service provider as the first step of an action initiation request (which would be unsolicited but allowed by the rules), noting the rules may specify limitations on the type of data an accredited action initiator is able to send in the first instance. Accredited action initiators will always be required to delete unsolicited data, as there will not be circumstances that would require them to receive unsolicited CDR data from action service providers under the rules. This is consistent with the application of Privacy Safeguard 4 to accredited data recipients, which are unable to receive unsolicited CDR data from data holders. [Schedule 1, item 96, paragraphs 56EG(1)(a), (b) and (d)]

1.174 Also, the collector need not destroy the data if the collector is required to retain it under an Australian law, or under a court or tribunal order. This will ensure
compliance and coordination with pre-existing Australian laws. [Schedule 1, item 96, paragraph 56EG(1)(c)]

Privacy safeguard 5 - Notifying the collection of CDR data

1.175 The Bill adds a note to privacy safeguard 5 clarifying that the reference to an accredited data recipient collecting data in accordance with privacy safeguard 3 could be a reference to an accredited action initiator collecting data from an action service provider. The numbering of the notes has been amended accordingly. [Schedule 1, items 97 and 98, section 56EH]

1.176 Privacy safeguard 5 has not been extended to action service providers, who would be covered by Australian Privacy Principle 5.

Dealing with CDR data

Privacy safeguard 10 - Use or disclosure of CDR data

1.177 The amendments insert multiple subsection headings in privacy safeguard 10 to clarify the roles and CDR participants to which specific aspects of this safeguard apply. This privacy safeguard is a civil penalty provision. [Schedule 1, items 99 to 102, subsections 56EM(1), (2) and (3)]

1.178 The amendments extend the application of privacy safeguard 10 to action service providers. In practice, this means an action service provider that is required or authorised under the consumer data rules to disclose CDR data to another person must take the steps specified in the consumer data rules to notify CDR consumers for the CDR data of the disclosure. This notification must cover the matters specified in the consumer data rules and be given to the CDR consumers that the consumer data rules require to be notified at or before the time specified in the consumer data rules. [Schedule 1, item 102, subsection 56EM(4)]

Integrity of CDR data

Privacy safeguard 11 - Quality of CDR data

1.179 Privacy safeguard 11 has been updated to reflect the introduction of action service providers into the CDR framework.
This means action service providers will be required to take reasonable steps to ensure CDR data is accurate, up-to-date and complete. Privacy safeguard 11 is a civil penalty provision. [Schedule 1, item 103, subsection 56EN(2A) and section 56EU]

1.180 The requirement to advise a CDR consumer in accordance with the consumer data rules if a person makes a disclosure of the CDR data and later becomes aware that some or all of the CDR data was incorrect when it was disclosed is now extended to action service providers. [Schedule 1, item 103, subsection 56EN(3)]
1.181 If a person is required to advise a CDR consumer for CDR data that some or all of their data was incorrect when it was disclosed, they must correct the data and disclose the corrected data:
• if requested to do so by the CDR consumer in accordance with the consumer data rules; or
• if the disclosure was related to a CDR action, and the person is required to do so by the consumer data rules.
[Schedule 1, item 103, subsection 56EN(4)]

1.182 The note under privacy safeguard 11 has been updated to reflect its extension to action service providers. [Schedule 1, item 104, subsection 56EN(5)]

Correction of CDR data

Privacy safeguard 13 - Correction of CDR data

1.183 Privacy safeguard 13 has been extended to apply to action service providers. This means if a CDR consumer gives a request to an action service provider to correct CDR data and the action service provider was required or authorised under the consumer data rules to disclose the data, the action service provider must respond to the request by taking the steps specified in the consumer data rules. This obligation applies if the request is not given in response to advice from a CDR entity under privacy safeguard 11.

1.184 Extending privacy safeguard 13 to action service providers will ensure the safeguard applies consistently to data holders and action service providers, irrespective of the capacity in which they shared CDR data. This privacy safeguard is a civil penalty provision. [Schedule 1, item 105, subsection 56EP(1) and section 56EU]

Compliance with the privacy safeguards

1.185 The Bill extends the Information Commissioner's power to assess whether an action service provider's management of CDR data is in accordance with the privacy safeguards in the CCA, or privacy-related aspects of the consumer data rules.
[Schedule 1, item 110, subsection 56ER(1B)]

1.186 The Information Commissioner may conduct assessments as the Information Commissioner sees fit, and may report to the Minister, ACCC or Data Standards Chair about an assessment. [Schedule 1, item 111, subsections 56ER(2) and (3)]

Notifications of CDR data security breaches

1.187 The Privacy Act 1988 contains notification requirements if an eligible data breach (within the meaning of that Act) has occurred under Part IIIC of the Privacy Act 1988. The CCA already applies that Part (with modifications) to
accredited data recipients, which means they must notify the Information Commissioner about CDR data security breaches.

1.188 For the same reasons as explained in paragraphs 1.154 and 1.155, these notification requirements apply to accredited action initiators.

1.189 The Bill makes some adjustments to the modifications of Part IIIC of the Privacy Act 1988 to ensure their application to the CDR operates as intended. This involves:
• correcting some errors; [Schedule 1, items 112 and 113, subsections 56ES(2) and (4)] and
• accounting for consequential amendments in the event of the passage of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022. [Schedule 1, items 220 to 222, subparagraphs 56ES(4)(a)(ia), (ii) and (iii)]

Investigations

1.190 The Bill expands the ability for the Information Commissioner to investigate a 'privacy safeguard breach' (or possible breach) to include breaches by action service providers. This is done by applying Part V of the Privacy Act 1988, with modifications. [Schedule 1, items 114 and 115 and 118-120, paragraphs 56ET(3)(a) and (4)(d) and subparagraphs 56ET(5)(b)(iii) and (iv) and (d)(iv)]

1.191 For the same reasons as explained in paragraphs 1.154 and 1.155, these requirements also apply to accredited action initiators.

1.192 The Bill also corrects an error in how the modifications of Part V of the Privacy Act 1988 affect a heading. [Schedule 1, items 116, 117 and 121, subsections 56ET(4) and (6)]

Civil penalty settings

1.193 Section 56EU of the CCA, which provides that certain provisions are civil penalty provisions, has been updated to include contravention by action service providers of the following privacy safeguards:
• privacy safeguard 10: notifying CDR consumers for the CDR data of disclosure in a specified manner; and
• privacy safeguard 11: taking reasonable steps to ensure the CDR data is accurate, up to date and complete, considering the purposes for which it is held.
[Schedule 1, items 122 and 123, paragraphs 56EU(1)(i) and (j)]
Regulator roles

1.194 In the data sharing context, section 56BV of the CCA empowers the ACCC to intervene by determining fees chargeable by CDR participants for disclosing or using CDR data. The Bill repeals and substitutes section 56BV, mainly to enhance clarity. It also creates an analogous power for the ACCC to intervene by determining fees for processing instructions for types of CDR actions. The new power will be triggered if the consumer data rules have declared that fees are chargeable for CDR actions of that type and the ACCC is satisfied that, absent its intervention, an unreasonable fee would be charged. To ascertain a fee's unreasonableness, the ACCC must have regard to the following criteria:
• the likely effect of making the instrument on the interests of consumers, the efficiency of relevant markets and promoting competition and data driven innovation;
• the marginal cost of processing the valid instruction in accordance with the consumer data rules;
• whether a lower fee could result in an acquisition of property or reduce the incentive to perform actions of that type;
• any other matters the ACCC considers relevant.
[Schedule 1, items 82, 83 and 85, subparagraphs 56BU(2)(a)(i) and (ii), sections 56BV and 56BZE]

1.195 An example of other matters that the ACCC may consider relevant is whether an action service provider's cumulative fees for processing an instruction and performing an action within CDR will exceed the cumulative fees outside CDR. This may arise as a consideration where the Minister has made rules permitting fees at the instruction layer, creating the potential for consumers to be charged two separate fees, one at the instruction layer and one at the action layer.
Such double-charging, if it exceeds the total fee the consumer would be charged outside the CDR, could serve as a disincentive for consumers to use CDR to facilitate actions and may ultimately undermine the effectiveness of action initiation through CDR.

1.196 A fee determined by the ACCC under this new provision must not amount to taxation. [Schedule 1, item 83, subsection 56BV(6)]

1.197 Fee determinations may specify classes of action service providers or may be given to particular action service providers. Determinations relating to particular action service providers are not of legislative character because of table item 19 of subsection 6(1) of the Legislation (Exemptions and Other Matters) Regulation 2015. [Schedule 1, item 85, subsections 56BZE(1) and (2)]

1.198 Both the existing and new kinds of fee determination are reviewable by the Australian Competition Tribunal. The Bill repeals the existing review
provisions and replaces them with a new Subdivision dealing with the review of data sharing and action initiation fee determinations. Applications for review may be made within 21 days after the making of a determination. If an application is made, the Australian Competition Tribunal must review the determination, and, following that review, may make a decision affirming, setting aside or varying the determination. For the purposes of the review, the Australian Competition Tribunal may perform all the functions and exercise all the powers of the ACCC. Division 2 of Part IX of the CCA does not apply in relation to reviews of fee determinations. [Schedule 1, items 84 and 85, sections 56BW to 56BY and 56BZF to 56BZH]

1.199 The ACCC, or another person appointed under the CCA, is to be the CDR Accreditor. This entity was formerly known as the Data Recipient Accreditor. Its role has been extended to enable it to accredit CDR action participants.

1.200 A new definition for the expression CDR Accreditor has been added to the general interpretation section in the CCA, and the definition for the expression Data Recipient Accreditor has been removed, as this term will no longer be used in the CCA. [Schedule 1, items 124 and 125, subsection 4(1)]

1.201 Minor amendments have also been made to change references from Data Recipient Accreditor to CDR Accreditor. [Schedule 1, items 126-134 and 136 to 145, sections 56BH, 56BI, 56CA, 56CB, Subdivision C of Division 3 of Part IVD, heading, sections 56CG, 56CH, 56CI and 56CJ]

1.202 A transitional provision provides that the appointment of the Data Recipient Accreditor in force immediately before the commencement of the Bill continues on and after that commencement as if it were an appointment of the CDR Accreditor, and that actions taken by or in relation to the Data Recipient Accreditor before that commencement are deemed to have been taken by or in relation to the CDR Accreditor after that commencement.
This is intended to remove any doubt about whether the current Data Recipient Accreditor automatically becomes the first CDR Accreditor, and about the validity of any actions taken by the current Data Recipient Accreditor. [Schedule 1, item 135]

Consequential and minor amendments

1.203 Definitions for the new expressions: accredited action initiator, action service provider, CDR action, CDR action participant, CDR declaration and voluntary action service provider have been added to the general interpretation section in the CCA, and a minor amendment is made to a cross reference in the existing definition of CDR consumer. [Schedule 1, items 146 to 148, subsection 4(1)]

1.204 Instruments designating sectors of the Australian economy may specify classes of information and people who hold that information. Minor amendments are made to clarify that subclasses of that information do not need to be specified in relation to the people who hold the information. [Schedule 1, items 149 to 150, subsection 56AC(2)]
1.205 Minor amendments are made to clarify terminology in relation to CDR consumers requesting deletion of data and to correct typographical errors about persons acting on behalf of accredited persons, designated gateways and data holders, and a reference to CDR data. [Schedule 1, items 166 and 167, subsection 56BAA(2) and subparagraph 56BD(1)(b)(v)]

1.206 Before specifying a class of information in a designation instrument, the Minister must consider whether doing so could result in an acquisition of property within the meaning of paragraph 51(xxxi) of the Constitution. A minor amendment is made to clarify that this is referring to an acquisition other than on just terms (within the meaning of that paragraph). [Schedule 1, item 151, subparagraph 56AD(1)(c)(i)]

1.207 Currently, conduct done by or to agents of CDR entities (data holders, accredited persons, and designated gateways) is taken to have been done by or to that entity. This is extended to include agents of action service providers for a type of CDR action. [Schedule 1, item 164, paragraph 56AU(3)(d)]

1.208 The CDR provisions are intended to operate concurrently with other legislative regimes where there is no direct inconsistency, and an amendment is made to the provision that sets this out to clarify that it applies to other Commonwealth laws, in addition to those of the States and Territories. [Schedule 1, item 178, section 56GAB]

1.209 The CDR application provision (previously titled the 'constitutional basis provision') has been re-drafted to include action service providers and to accord with recent drafting practices. [Schedule 1, item 186, subsection 56GF(8)]

1.210 As described above, the current prohibitions on holding out in the CDR framework are repealed and replaced with new provisions dealing with these matters for CDR data sharing and CDR actions.
The Bill makes consequential amendments to the provisions in the CCA that deal with enforcement and remedies, prosecutions and declarations and orders that are needed following this repeal and replacement. [Schedule 1, items 187 to 214 and 216 to 219, subsection 75B(1), subparagraph 76(1)(a)(ib), subsection 76(1A) table item 9, subsections 76B(2), (3) and (4), paragraph 76B(5)(a), subparagraphs 79A(1)(a)(i), 79B(a)(ii) and 80(1)(a)(iib), paragraphs 80(9)(a) and (b) and 82(1)(c), subparagraphs 83(1)(a)(ii) and (b)(iii), paragraphs 84(1)(a) and (b) and (3)(a) and (b), subsections 86(1A) and (2), paragraph 86A(1)(b), subsection 86C(4), paragraph 86D(1)(b), subsection 86D(1A), paragraphs 86E(1)(a) and (1A)(a), subsection 87(1), paragraphs 87(1A)(a), (b), (baa) and (ba), subsection 87(1C), paragraph 163(2)(a), subsection 163A(4B), paragraph 163A(4C)(a) and subsection 163A(4D)]
Extension to external territories and extraterritorial operation

1.211 The meaning of the expression CDR provisions is clarified to include all instruments made under Part IVD of the CCA. This is in order to ensure all instruments made under that Part, including data sharing designations and action type declarations, are covered by that expression, including when used in extending the CDR provisions to external Territories. [Schedule 1, items 152 and 153, section 56AN]

1.212 The current extraterritorial operation of the CDR provisions about data sharing is extended to apply to CDR actions that are performed in Australia, including by foreign persons, and to acts or omissions relating to CDR actions performed outside Australia if the act or omission:
• is by or on behalf of an Australian person; or
• occurs wholly or partly in Australia or on board an Australian aircraft or ship.

1.213 Definitions for the expressions Australian aircraft and Australian ship are also added, taking the meaning those expressions are given in the Criminal Code. [Schedule 1, items 154 to 157, section 56AO]

Participation by State or Territory entities

1.214 Currently, Commonwealth, State or Territory government entities may participate, in the capacity as a CDR consumer, in the CDR in relation to data sharing if the entity is declared to be a participating entity under subsection 56AS(1) of the CCA. This is extended to include participation as a CDR consumer for a type of CDR action. The Bill also clarifies that such a declaration should specify the capacity or capacities that the entity is participating in. [Schedule 1, item 158, subsections 56AR(2) and (3)]

1.215 Commonwealth government entities can participate in the CDR and the current legislation confers such functions as are necessary to enable them to operate as a data holder or designated gateway.
There is no express restriction on Commonwealth government entities participating as accredited persons, but the Bill equivalently confers functions for the avoidance of doubt. The Bill also confers functions necessary to enable Commonwealth government entities to operate as action service providers. [Schedule 1, items 159 and 160, subsection 56AR(5)]

1.216 The Bill sets out the following capacities in which a State or Territory entity may be declared to be a participating entity:
• data holder of CDR data;
• accredited person;
• designated gateway for CDR data;
• action service provider for a type of CDR action.

Minor amendments are also made to clarify that the relevant State or Territory agrees to the entity participating in the capacity or capacities as specified in the declaration. [Schedule 1, items 161 and 162, section 56AS]

1.217 A declaration under subsection 56AS(1) that is in force immediately before the commencement of Part 8 of Schedule 1 to the Bill continues in force as a declaration made under that subsection after that commencement that declared the applicable entity a participating entity in the capacity as a data holder of CDR data. [Schedule 1, item 163]

1.218 Only one such declaration has been made, the Competition and Consumer (Consumer Data Right--Participating Victorian Government entity) Declaration 2022, which declares the Department of State administered by the Minister of Victoria administering the National Electricity (Victoria) Act 2005 (Vic.), a participating entity as a data holder of CDR data.

External dispute resolution schemes

1.219 The Minister may currently recognise external dispute resolution schemes for the resolution of disputes relating to designated sectors for CDR data and participants in relation to CDR data sharing. This is extended to include disputes in relation to types of CDR action, CDR action participants and CDR consumers for CDR actions. [Schedule 1, items 168 to 170, subsection 56DA(1)]

Data standards

1.220 The current provisions that allow the Data Standards Chair to make data standards about certain matters to do with CDR data sharing are extended to allow data standards to be made about similar matters to do with giving and preparing valid instructions, and in relation to action service providers and types of CDR actions.
[Schedule 1, items 171 to 174, paragraphs 56FA(1)(da) and (db) and 56FB(1)(ba), (ca) and (2)(b)]

1.221 In addition, the legal effect of binding data standards is extended to provide that where such a standard applies to an action service provider and accredited action initiator for a type of CDR action, it constitutes an enforceable contract between those persons. [Schedule 1, item 175, subsection 56FD(2A)]

Referring to external instruments

1.222 The consumer data rules, regulations and instruments that designate sectors for data sharing are able to apply, adopt or incorporate material in any other instrument or writing as in force at a particular time or from time to time. This is extended to apply to declarations for types of CDR actions. [Schedule 1, item 179, paragraph 56GB(1)(aa)]
1.223 It is important to have this flexibility for delegated legislation in the CDR because of the broad range of sectors the CDR could apply to and the corresponding range of standards, codes and other regulatory instruments that may have relevant material that it may be necessary to incorporate into an instrument in CDR.

Protection from liability

1.224 Currently, data holders, accredited data recipients and designated gateways will not be liable in relation to a civil or criminal action against them where they allow access to CDR data in good faith and in compliance with Part IVD of the CCA, the consumer data rules and the regulations.

1.225 This protection is extended to apply to accredited action initiators and action service providers for a type of CDR action. The circumstances of the CDR actions that a person could engage in that would be covered by the protection are outlined, as well as providing that the action should be in compliance with CDR provisions and any Commonwealth, State or Territory law prescribed by the regulations. For action service providers for a type of CDR action, the relevant conduct is the processing of the instruction received under the CDR, rather than the actual performance of the action, which does not occur within the CDR. [Schedule 1, items 180 and 181, section 56GC (heading) and subsection 56GC(1)]

1.226 A person who wishes to rely on the protection from liability bears an evidential burden. This is appropriate as the person will know whether or not they received evidence of a valid consent or request and otherwise met their CDR obligations.

1.227 The effect of the limitation is that the defendant must merely provide evidence that suggests a reasonable possibility that the person gave or processed the instruction in good faith and in accordance with the CDR requirements.
Once this has occurred the prosecution must refute this beyond reasonable doubt to obtain a conviction (see section 13.3 of the Criminal Code).

1.228 This material will be within the person's knowledge. A person giving or processing an instruction will need to meet certain record keeping requirements, and would, for example, be able to demonstrate that the correct consent had been received. Being able to produce this material should place no additional burden on the person.

Exemptions that may be made

1.229 The ACCC may exempt a person from some or all of the provisions of Part IVD of the CCA, the consumer data rules or regulations in respect of particular CDR data, or one or more classes of CDR data. This is extended to
allow such an exemption from a particular CDR action, or one or more types of CDR action. [Schedule 1, item 182, subsection 56GD(2)]

1.230 Exemptions made under subsection 56GD(2) of the CCA that are in force immediately before the commencement of Part 8 of Schedule 1 to the Bill continue in force as if made under that subsection after that commencement. [Schedule 1, item 183]

1.231 Regulations may be made that exempt a particular person or class of persons, in relation to particular CDR data or one or more classes of CDR data, from some or all of the provisions of Part IVD of the CCA, the consumer data rules or regulations. Regulations may also declare that any such provisions apply as if specified provisions were omitted, modified or varied as set out in the declaration. This is extended to allow such exemptions and declarations to be made in relation to a particular CDR action or one or more types of CDR action. [Schedule 1, item 184, subsection 56GE(2)]

1.232 Regulations made for the purposes of subsection 56GE(2) of the CCA immediately before the commencement of Part 8 of Schedule 1 to the Bill continue in force as if so made after that commencement. [Schedule 1, item 185]

Disclosure to foreign agencies

1.233 The ACCC may disclose information it obtains under the CCA or the consumer data rules to an agency of a foreign country that has the function of supervising or regulating disclosure of similar information to that covered by a designation instrument made under subsection 56AC(2) of the CCA. This is extended to include agencies in foreign countries that have the function of supervising or regulating types of actions similar to declared types of actions for which instructions may be given under the consumer data rules.
[Schedule 1, item 214, paragraph 157AA(3)(aa)]

Commencement, application, and transitional provisions

1.234 The amendments commence on the day after Royal Assent, except for a small number of amendments explained at paragraph 1.189, which commence on the later of:
• immediately after the commencement of the balance of the Bill; and
• the commencement of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022.
[section 2]
1.235 Those latter amendments do not commence at all if the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 does not commence. [section 2]

1.236 However, before any substantive rights or obligations can come into effect, both of the following must occur:
• the Minister makes an action type declaration; and
• the Minister makes consumer data rules establishing such rights and obligations.

1.237 The substantive rights or obligations then come into effect on the application date set by those consumer data rules.

1.238 An exemption under subsection 56GD(2) of the CCA that is in force immediately before the commencement of these amendments continues in force (and may be dealt with) as if the exemption had been given under that subsection as amended by this Bill [Schedule 1, item 183].
Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Treasury Laws Amendment (Consumer Data Right) Bill 2022

Table of Contents:
Overview
Human rights implications
    Protection from arbitrary or unlawful interference with privacy
    Penalty provisions
    Right to a fair and public hearing
Conclusion

2.1 The Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview

2.2 The CDR provides individuals and businesses with a right to access specified data efficiently and conveniently in relation to them held by businesses and to authorise secure access to this data by trusted and accredited third parties.

2.3 This Bill introduces 'action initiation' reforms, which will allow CDR consumers to direct accredited persons to send instructions to initiate actions on their behalf. Examples may include making a payment, opening and closing an account, switching providers and updating personal details (such as an address) across providers.

2.4 This will expand the CDR from a data sharing scheme to a scheme that allows consumers to act on information they receive. For example, this will allow
consumers to change energy providers following receipt of information about other providers that offer more suitable or lower cost services.

2.5 CDR action initiation builds on the existing infrastructure, objectives and principles underpinning the current data sharing framework, within sectors that are already designated for data sharing.

Human rights implications

2.6 This Bill engages the following rights:
• the right to protection from arbitrary or unlawful interference with privacy;
• the right to a fair trial and public hearing; and
• the right to be presumed innocent until proved guilty according to law.

Protection from arbitrary or unlawful interference with privacy

2.7 The Bill engages the right to protection from unlawful or arbitrary interference with privacy under Article 17 of the International Covenant on Civil and Political Rights (ICCPR) because it expands how personal information may be used with consumer consent in the CDR system.

2.8 The Bill introduces new roles in the CDR system: action service providers and accredited action initiators. The entities performing these roles will include current CDR participants and new entrants. Consequently, new and existing parties will receive personal information and will be empowered to complete actions on behalf of consumers by using their information.

2.9 The right in Article 17 may be subject to permissible limitations, where these limitations are authorised by law and are not arbitrary. In order for an interference with the right to privacy to be permissible, the interference must be authorised by law, be for a reason consistent with the ICCPR and be reasonable in the particular circumstances. The UN Human Rights Committee has interpreted the requirement of 'reasonableness' to imply that any interference with privacy must be proportional to the end sought and be necessary in the circumstances of any given case.
2.10 In extending the CDR to action initiation, the Bill's purpose is to enhance consumers' ability to use their own data for their benefit. Consumers will be able to direct accredited persons to send instructions to initiate actions on their behalf.
2.11 In the same way that the existing CDR system only allows disclosure of personal information with the consent of the individual, CDR actions cannot be initiated without consumer consent.

2.12 The existing CDR legislation protects against arbitrary interference against privacy by establishing a set of 13 CDR-specific privacy safeguards. These are modelled on the Australian Privacy Principles in the Privacy Act 1988, but with additional obligations. The safeguards include:
• restrictions on the use, collection and disclosure of information received through the consumer data rules to circumstances where the consumer has given consent;
• obligations on data holders and accredited data recipients to correct information; and
• obligations on data holders and accredited data recipients to notify the consumer when information is disclosed.

2.13 These privacy safeguards are correspondingly extended to CDR action initiation, applying in full to accredited action initiators and, where appropriate, to action service providers.

2.14 The Minister's rule-making power supplements the safeguards and provides scope to introduce additional privacy protections. In particular, the Bill provides that the Minister's power includes making rules relating to the privacy safeguards in relation to an instruction or request relating to a CDR action.

2.15 The Bill also contains a number of provisions aimed at enforcing compliance with the privacy safeguards. For example, the Bill provides that the accreditation of action initiators or the approval of voluntary service providers may be varied, suspended or revoked for failure to comply with the privacy safeguards.
Furthermore, the Bill provides that the Information Commissioner may assess whether a CDR action has been conducted in accordance with privacy safeguards and provides for the investigation of alleged breaches of the privacy safeguards, most of which are punishable by civil penalties.

2.16 The accreditation process facilitating the introduction of accredited action initiators also provides assurance that entities undertaking this role are less likely to hold or disclose personal information in an improper manner.

2.17 The Bill extends CDR provisions to all CDR actions performed inside Australia, including those by foreign actors. Further to this, the CDR framework is extended to CDR actions performed outside of Australia in certain circumstances. This enhances the protection over Australians' personal information.

2.18 Despite engaging Article 17, the expansion of the CDR to action initiation meets the legitimate objective of enhancing consumers' ability to use their own data for their benefit.
Penalty provisions

Assessment of civil penalties

2.19 The Bill engages the right to a fair trial, as well as the presumption of innocence in Articles 14 and 15 of the ICCPR. Article 14(2) of the ICCPR recognises that all people have the right to be presumed innocent until proven guilty according to the law. Articles 14 and 15 apply only in relation to the rights of natural persons, not legal persons, such as companies.

2.20 Civil penalty provisions may engage criminal process rights under Articles 14 and 15 of the ICCPR. Although there is a domestic law distinction between criminal and civil penalties, 'criminal' is separately defined in international human rights law. Therefore, when a provision imposes a civil penalty, it is necessary to determine whether or not the penalty amounts to a 'criminal' penalty for the purposes of Articles 14 and 15 of the ICCPR.

2.21 The following table sets out the new and expanded civil penalty provisions introduced by the Bill:

Table 2.1
Ref.     Description of civil penalty provision
56BO     Misleading or deceptive conduct, in connection with various CDR matters - existing prohibition extended to cover action initiation
56BZA    Accredited action initiator fails to act efficiently, honestly and fairly when initiating CDR actions etc.
56BZB    Accredited action initiator initiates CDR action without consumer request
56BZC    Action service provider fails to perform a CDR action when it ordinarily performs actions of that type
56BZD    Action service provider discriminates against a CDR action instruction via fees
56BZJ    Holding out that a person is something they are not, in connection with various CDR roles - existing prohibition extended to cover action initiation
Div 5    Most privacy safeguard breaches - existing civil penalties now apply to accredited action initiators and action service providers, correspondingly to the safeguards' new application to those entities

2.22 For each of these, the maximum civil penalty on an individual is $500,000.
2.23 Additionally, the CCA already provides that consumer data rules made by the Minister may include civil penalty provisions (and set the maximum penalty amount for contraventions of them). This is indirectly expanded by the Bill because it includes rule-making powers in relation to CDR action initiation.

2.24 The penalties are necessary to promote confidence in the CDR framework. They will ultimately provide further assurance to consumers that CDR participants will handle personal information appropriately.

2.25 The civil penalty provisions contained in the Bill are not 'criminal' for the purposes of human rights law. While the civil penalty provisions included in the Bill are intended to deter people from not complying with their obligations under the CDR regime, these provisions are regulatory and disciplinary in nature.

2.26 Further, most of the provisions do not apply to the general public, but to a class of businesses who should reasonably be aware of their obligations under the CCA. Therefore, imposing these civil penalties will enable an effective disciplinary response to non-compliance. In any event, at the time of writing, all data holders and accredited data recipients currently participating in the CDR system are bodies corporate.

2.27 The civil penalty provisions that apply to the general public are the prohibitions on holding out and misleading or deceptive conduct. These must necessarily apply to all persons to achieve their objective.

2.28 Further, the judiciary continues to have discretion to consider the seriousness of the contravention and impose a penalty that is appropriate in the circumstances. The civil courts are experienced in making civil penalty orders at appropriate levels having regard to the maximum penalty amount, taking into account a range of factors including the nature of the contravening conduct and the size of the organisation involved.
2.29 Therefore, a relevant consideration in setting a civil penalty amount is the maximum penalty that should apply in the most egregious instances of non-compliance with the Bill.

2.30 The maximum civil penalty amounts that can be imposed under the Bill are intentionally significant and are in line with the penalties for other provisions in the CCA.

2.31 Finally, there is no sanction of imprisonment for non-payment of these civil penalties.

New criminal offences

2.32 The CCA already includes criminal offences for:
• misleading or deceptive conduct, in connection with various CDR matters (section 56BN); and
• holding out that a person is something they are not, in connection with various CDR roles (section 56BZI; formerly section 56CC).

2.33 The Bill extends these offences to cover CDR action initiation.

2.34 It is considered appropriate to apply criminal penalties for these offences as this type of conduct directly undermines the protections put in place in the CDR regime.

2.35 These criminal offences do not amend any of the criminal process or procedural rights that currently exist and are upheld in accordance with Article 14 of the ICCPR.

2.36 In the case of the misleading or deceptive conduct offence, it is a defence if the conduct is not misleading or deceptive in a material particular, but a defendant bears an evidential burden in relation to this.

2.37 It would be unduly onerous to require the prosecution to prove the materiality in absence of evidence having first been raised by the defendant and, by comparison, relatively straightforward for the defendant to raise this evidence.

2.38 A person disclosing information will need to meet certain record keeping requirements, and would, for example, be able to demonstrate that the correct consent documents had been received. Being able to produce this material should place no additional burden on the person. Such materials may not be available to the person who is alleging they have been misled or deceived.

2.39 Offence specific defences place the evidentiary burden on the defendant, as the mitigating circumstance will often rely on information peculiarly within the knowledge of the defendant.

2.40 This approach is justified as the relevant information would be peculiarly within the person's own knowledge and control as the person would be aware of the information they disclosed, the recipient and the manner and purpose for which it was disclosed.
If the prosecution were required to eliminate all possible exemptions beyond reasonable doubt it would likely be too difficult, costly and resource intensive.

2.41 The offence is consistent with equivalent provisions in the Criminal Code and is appropriate as they are enacted to regulate similar kinds of circumstances.

Evidentiary burden

2.42 An offence provision which requires a defendant to carry an evidential burden may be considered to engage the right to the presumption of innocence. Existing sections 56BN and 56GC of the CCA engage the right to the presumption of innocence because a defendant bears an evidential burden.
Misleading or deceptive conduct offence

2.43 Section 56BN prohibits conduct which misleads a person to believe that a person is a CDR consumer or is acting in accordance with a valid request or consent from a CDR consumer when in fact they are not. The Bill amends the section to extend its application to CDR action initiation. The additional prohibited conduct is conduct that misleads a person into believing that a person is a CDR consumer for a CDR action or has satisfied the criteria under the consumer data rules for making a request, or giving or processing a valid instruction, for the performance of a CDR action.

2.44 It is a defence if the conduct is not misleading or deceptive in a material particular, but a defendant bears an evidential burden in relation to this.

2.45 Offence specific defences place the evidentiary burden on the defendant, as the mitigating circumstance will often rely on information peculiarly within the knowledge of the defendant.

2.46 It would be unduly onerous to require the prosecution to prove the materiality in absence of evidence having first been raised by the defendant and, by comparison, relatively straightforward for the defendant to raise this evidence.

2.47 A person disclosing information will need to meet certain record keeping requirements, and would, for example, be able to demonstrate that the correct consent documents had been received. Being able to produce this material should place no additional burden on the person. Such materials may not be available to the person who is alleging they have been misled or deceived.

2.48 The offence in section 56BN is consistent with equivalent provisions in the Criminal Code and is appropriate as they are enacted to regulate similar kinds of circumstances.
Good faith liability protection provision

2.49 Section 56GC of the Bill protects a person from liability if the person (the first person) provided information to another person (the second person) or allowed the second person access to information in good faith and complying with the requirements of the CDR regime.

2.50 The Bill extends this protection to accredited action initiators and action service providers for a type of CDR action, in terms of giving or processing an instruction for a CDR action.

2.51 The Bill also provides that regulations may prescribe other Commonwealth, State or Territory laws that the person must comply with (in addition to the CDR requirements) to receive the protection.

2.52 The person who wants to rely on the protection from liability bears an evidential burden. This is appropriate as the person will know whether or not they received evidence of a valid consent or request and otherwise met the obligations in the CDR regime.
2.53 The effect of the limitation is that the defendant must merely provide evidence that suggests a reasonable possibility that the person gave or processed the instruction in good faith and in accordance with the CDR requirements. Once this has occurred the prosecution must refute this beyond reasonable doubt to obtain a conviction (see section 13.3 of the Criminal Code).

2.54 This material will be within the person's knowledge. A person giving or processing an instruction will need to meet certain record keeping requirements, and would, for example, be able to demonstrate that the correct consent had been received. Being able to produce this material should place no additional burden on the person.

Conclusion

2.55 To the extent these provisions might be considered to limit the presumption of innocence, the limitation is reasonable in all circumstances.

Right to a fair and public hearing

2.56 Article 14 of the ICCPR ensures that everyone shall be entitled to a fair and public hearing by a competent, independent and impartial tribunal established by law.

2.57 The CCA already provides that an infringement notice may be given where a person has contravened a civil penalty provision of the consumer data rules.

2.58 The Bill may be considered to engage the right to a fair and public hearing as its expansion of the Minister's power to make consumer data rules (to cover CDR action initiation matters) extends the circumstances where an infringement notice could be issued.

2.59 However, this does not limit the right to a fair and public hearing by a competent, independent and impartial hearing because the person may still elect to have the matter heard by a court rather than pay the amount specified in the infringement notice. This right must be stated in any infringement notice.

2.60 For these reasons the Bill is not considered to limit the right to a fair and public hearing.
Conclusion

2.61 The Bill is compatible with human rights because to the extent that the Bill may limit human rights, those limitations are reasonable, necessary, and proportionate.
Attachment 1: Regulatory Impact Analysis: Inquiry into Future Directions for the Consumer Data Right

Table of Contents:
Inquiry into Future Directions for the Consumer Data Right
    Introduction
    What is the Consumer Data Right?
    Future role and outcomes of the Consumer Data Right
    International context
    Switching
    Read access
    Write access
    Linkages and interoperability with existing frameworks and infrastructure
    Leveraging Consumer Data Right infrastructure
    Consumer protection
Supplementary analysis - Inquiry into the Future Directions for the Consumer Data Right
    Background
    Issues
    Reasons for disagreement with the reciprocity recommendations
Inquiry into Future Directions of Consumer Data Right - Decision-mapping table - RIS-like process
Regulatory Impact Analysis: Inquiry into Future Directions for the Consumer Data Right Inquiry into Future Directions for the Consumer Data Right Introduction In August 2019 the Australian Parliament passed legislation creating the Consumer Data Right. This significant reform gives customers the right to safely access data held about them by businesses in the sectors where it is applied. Customers are also able to choose to direct that this data be transferred to accredited, trusted third parties of their choice. The Consumer Data Right promotes competition, making it more convenient for customers to compare and select products. It also encourages innovation, enabling businesses to offer new products and services, including products tailored to individual customers' needs. Initially, the Consumer Data Right is being implemented in the banking sector, where it is known as Open Banking. Major banks are already making product data available and customers will be able to direct them to securely share certain transaction data from 1 July 2020. Smaller banks will follow, and work is underway to roll out the Consumer Data Right in the energy sector. With consumers soon being able to share their banking data, it is an opportune time to look to the future for the Consumer Data Right, and examine how it can be built upon to support a thriving digital economy with consumers at its centre. In January the Treasurer, the Hon Josh Frydenberg MP, announced an Inquiry into Future Directions for the Consumer Data Right (the Inquiry), to be led by Mr Scott Farrell. The Inquiry is looking at how the Consumer Data Right could be enhanced and leveraged to boost innovation and competition, and support the development of a safe and efficient digital economy, benefiting Australians and Australia. 
Under its Terms of Reference, the Inquiry is to make recommendations to the Treasurer on options to: • expand the functionality of the Consumer Data Right • ensure the Consumer Data Right promotes innovation in a manner that is inclusive of the needs of vulnerable consumers • leverage Consumer Data Right infrastructure - such as the Data Standards Body and accreditation regime - to support the development of broader productivity enhancing standards and a safe and efficient digital economy • leverage the development of the Consumer Data Right with other countries that are developing similar regimes, to enhance opportunities for Australian consumers, businesses and the Australian economy.
A key focus will be how the Consumer Data Right could be expanded beyond the current 'read' access to include 'write' access. This could enable customers to direct third parties to apply for and manage products and services on their behalf - including, for Open Banking, by making payments and changing accounts - through application programming interfaces (APIs). The Inquiry will consider potential benefits of, and barriers to, implementing write access, including regulatory compliance costs. The Inquiry will be forward-looking, focussing on the future purpose, use and vision for the Consumer Data Right, rather than its current implementation or the sectors to which it should be next applied. Full Terms of Reference for the Inquiry can be found at www.treasury.gov.au/review/future-directions-consumer-data-right/TOR. We invite interested parties to make submissions on any or all issues raised by this Issues Paper or the Terms of Reference. This includes views on potential developments and expansions in Consumer Data Right functionality, including their benefit and priority. What is the Consumer Data Right? The Consumer Data Right gives customers, including individuals and business customers, the right to safely access certain data about them held by businesses, and direct that their information be transferred to accredited, trusted third parties of their choice. It also requires data holders to provide public access to specified information about their products upon request. A significant economic reform, the Consumer Data Right is being rolled out on a sector-by-sector basis to create an economy-wide framework. The implementation of the Consumer Data Right has been guided by four key principles. These are that the Consumer Data Right should: • Be consumer focussed. It should be for the consumer, about the consumer, and seen from the consumer's perspective. • Encourage competition.
It should seek to increase competition for products and services available to consumers so that they can make better choices. • Create opportunities. It should provide a framework from which new ideas and business can emerge and grow, establishing a vibrant and creative data sector that supports better services enhanced by personalised data. • Be efficient and fair. It should be implemented with safety, security and privacy in mind, so that it is sustainable and fair, without being more complex or costly than needed. The Consumer Data Right is underpinned by the legislative framework set out in Part VID of the Competition and Consumer Act 2010, and Consumer Data Right Rules made by the Australian Competition and Consumer Commission. The Rules set out the circumstances in which data holders are required to disclose data, and to whom, in
response to a valid customer request. They also set out consent requirements, how data may be used and privacy safeguards. Information on the progress of the implementation of the Consumer Data Right in banking and energy can be found at https://treasury.gov.au/consumer-data-right. The Inquiry is not focussing on the current progress of the Consumer Data Right in these sectors or its expansions to specific new sectors. While the Rules currently apply only to particular types of banking products and data holders, it is intended that they will progressively apply to a broader range of data holders and products throughout the Australian economy. With this in mind, the Inquiry is interested in receiving submissions from all sectors of the economy, not just those focussed on banking. Future role and outcomes of the Consumer Data Right The economy is becoming increasingly digitised, with Australian consumers sharing information with businesses that provide them products and services. As articulated in the Australian Government's Digital Economy Strategy, a challenge for government is to ensure that the digitised economy delivers Australians "an enhanced quality of life and [allows them to] share in the opportunities of a growing, globally competitive modern economy, enabled by technology."8 Consumers reap enormous benefits from digital products and services, but hidden costs and uncertainty regarding how their information is being used can erode their trust in both digital services and their own capacity to effectively navigate them. By giving consumers more control over this information, the Consumer Data Right has the potential to improve outcomes for consumers including the choice, convenience and the confidence consumers have in dealing with their data and the digital economy and in a manner which is inclusive of the needs of all consumers.
For consumers, this can be conceptualised as a safer track to engage with the changing world of the digital economy. By establishing a framework that introduces standardisation, systems which support trust between participants, clear liability and providing access to the data necessary to create innovative products and services, the Consumer Data Right has the potential to create the conditions for an Australian digitised ecosystem to grow. Within this ecosystem, a wide range of products and services that either support consumers or facilitate specialisation of businesses that service consumers, should be enabled to flourish. The benefits of the Consumer Data Right are potentially wide ranging. Detailed and personalised comparisons drawing upon insights from real customer data, third parties who consumers engage to create new accounts and close old accounts on their behalf, and new technologies that are both informed by, and inform, consumer behaviour could all be made possible through the expansion of the Consumer Data Right.
8 Australian Government (2018) 'Australia's Tech Future: Delivering a strong, safe and inclusive digital economy', page 6.
Example 2.1 Reducing time spent on life admin, so Australians can spend their time on what really matters to them As one example, in future the Consumer Data Right could make it possible for a consumer to choose to share their data with a trusted third party that helps people organise their 'life admin'. By bringing together the consumer's data from their service providers across a number of sectors (including banking, energy and telecommunications), this business could give the consumer a single up-to-date dashboard of all of their products, contracts, and plans, including the cost and time remaining on each, account balances and bill due dates, and alert them in real time when better deals become available. The business could also apply for new products and cancel old accounts on the consumer's behalf, with their consent. This is one hypothetical example of how the Consumer Data Right could deliver convenience and other benefits to consumers and, as the digital industry grows through the increase in consumer participation, the number of ways in which it can be used could be expected to rise. Of course, achieving this convenience and these benefits for consumers also requires care to assess and manage additional risks which can arise from a broader and deeper use of data. The Consumer Data Right offers new ways of innovating, where businesses could use the information to compete more effectively, understand their customers better, develop new and improved products and services and assist their customers. With features designed to provide flexibility for, and fairness between, businesses, the Consumer Data Right should provide businesses with the clarity, certainty and consistency needed for them to invest in their technology, people and customers.
Though the potential benefits of consumer directed data portability are great, there are also potential risks to privacy and security from the sharing of personal data, and these should be kept in mind in further developing the Consumer Data Right. The Consumer Data Right also provides opportunities for Australia to participate at the forefront of digital innovation. And by leveraging the work being done for the Consumer Data Right, there are also opportunities to provide benefits beyond the Consumer Data Right system itself. By creating benchmarks, an infrastructure, and an ecosystem for safe, efficient and fair information sharing, the Consumer Data Right could provide a framework to help connect different parts of Australia's digital economy. The Consumer Data Right could help provide a sustainable foundation for Australian consumers to be in control of their digital future, and for Australian businesses to grow in the digital economy here and overseas. The Inquiry invites submissions on the future roles that could be performed by the Consumer Data Right, the future outcomes which could be achieved, and what is needed for this to happen.
International context Consumer-controlled data portability regimes similar to the Consumer Data Right are progressing in a range of international jurisdictions, although differing approaches have been taken to implementation, in terms of scope, compulsion and standards-setting. The United Kingdom was the first to develop Open Banking, with the system commencing operations in January 2018 and having over one million users by January 2020. The UK has announced that its 'Smart Data' model will be extended to the energy and pension markets, and has set out a strategy for further extension. In the European Union, Payment Services Directive 2 (PSD2) is the framework which provides for data portability in the manner which is the most similar to Open Banking in the United Kingdom. PSD2 requires European banks to give authorised third-party payment initiation and account information service providers access to customers' accounts. Aspects of PSD2 have taken effect but others remain subject to a transitional period. In 2018 the Canadian Government announced that they would review the merits of open banking and, in January 2020, released an advisory committee report which recommended enabling 'consumer-directed finance', through a framework involving both industry and government. The report recommended that the role for Government would include connecting consumer-directed finance to discussion about the broader application of data sharing across all sectors and to government efforts on enabling a data-driven economy. Singapore and Hong Kong are encouraging banks to adopt APIs. The Hong Kong Monetary Authority published its Open API Framework for the Hong Kong Banking Sector in July 2018. The framework applies in phases, commencing with product information, then customer on boarding, then account information and payment information services.
Singapore has encouraged banks to adopt open banking, by providing guidelines, including an 'API playbook' with more than 400 recommended APIs. The Inquiry invites submissions on how the Consumer Data Right can be leveraged with international developments of the kinds described above to enhance opportunities for Australian consumers, Australian businesses and the Australian economy. Switching Evidence suggests that many Australian consumers and businesses could be getting a better deal on banking and other regulated services. Many customers tend to remain with the same banking services or electricity provider for extended periods, even in the presence of more competitive offerings elsewhere. A persistent theme in findings of poor customer outcomes is the role played by a lack of meaningful information.
The Consumer Data Right seeks to reduce those barriers. Requiring banks to grant access to data on their product terms and conditions while giving customers the ability to direct their bank or other service provider to securely share their data with whom they choose should lead to the development of comparison and more sophisticated advisory services better able to provide tailored product recommendations. Also the addition of write access (as described below) should lead to the development of services which enable customers to change their service provider more easily. The Inquiry invites submissions on how the Consumer Data Right could be used to overcome behavioural and regulatory barriers to safe, convenient and efficient switching between products and providers, whether those barriers are sector-specific or common across industries. Read access The Consumer Data Right currently provides for 'read' access, that is, the transfer of data about a customer to them or a trusted third party at the customer's direction and with their consent. A trusted third party can read the customer's data, but they cannot modify it. The Inquiry will look at the scope of current 'read' access functionality and consider options to expand it. This could include looking at: • the potential to develop a 'consent taxonomy', using standardised language for consents across providers and sectors • how best to enable consumers to keep track of, and manage, their various consents • the promotion of industry cooperation on standards for 'voluntary' data sets • how the creation of a safe and efficient ecosystem of participants and service providers could be accelerated, and • the scope for use of tiered accreditation to promote broader access without increasing risk.
The Inquiry welcomes input from interested parties on these topics - including their benefits and costs - as well as any other 'read' access functionality that the Inquiry should consider. Write access Under the Terms of Reference, the Inquiry is to examine how the Consumer Data Right could be expanded to include 'write' access, that is enabling a trusted third party to change or add to data about a customer at the customer's direction and with their consent. Write access could allow consumers to authorise trusted third parties to apply for, manage and change products on their behalf through APIs.
In Open Banking, a possible use of write access is to enable third parties to initiate payments on behalf of customers, with the customers' consent. However, the concept of write access is not limited to payment initiation and extends beyond banking. For example, in the energy context, write access could enable a consumer to open a new account, and make changes to or close an existing account, quickly and easily through a third party. This could enable the development of convenient and efficient switching services which not only offer to find customers a better deal, but also to switch them. In addition to considering potential uses and benefits of write access across sectors, the Inquiry will consider barriers to enabling write access, including possible regulatory barriers, compliance costs and risks involved. This includes issues such as who should bear responsibility for payments made, and for changes made to data, and whether write access should extend to the ability to change details which identify a customer (and if so, how any associated security risks could be minimised). The Inquiry is interested in interested parties' views on these issues. In the context of Open Banking, the Inquiry is particularly interested in interested parties' views on how the Consumer Data Right could best enable payment initiation. Linkages and interoperability with existing frameworks and infrastructure Businesses operating in the digital economy rely upon a range of frameworks and infrastructure to operate efficiently and provide products and services to customers. The Consumer Data Right regime seeks to build upon and complement the arrangements businesses use, and not to displace them when they are used for future data-driven services. The Inquiry will look at potential linkages and interoperability between the Consumer Data Right and existing and future frameworks and infrastructure.
Some frameworks and infrastructure will be common across many or all sectors; others relate only to particular sectors. The Inquiry will consider, for example, how customer authentication requirements for the Consumer Data Right relate, or could link, to other digital identification and verification processes. In the context of Open Banking, the Inquiry will consider how the Consumer Data Right, were it expanded to enable write access, could relate to or interact with existing and future payments systems and infrastructure, such as the New Payments Platform (NPP), Bulk Electronic Clearing System, and EFTPOS. The Inquiry welcomes input from interested parties on the above, including potential linkages and interoperability with other consumer-directed domestic and international data portability regimes, and accreditation frameworks that focus on data risk management.
Leveraging Consumer Data Right infrastructure The Inquiry will look at how legal, infrastructure or organisational arrangements that have been developed for the Consumer Data Right could play a broader role in the digital economy. The Consumer Data Right has established solutions to problems that may also exist elsewhere in the digital economy - in particular, in relation to data portability and custodianship of data. For example: • it has established a Data Standards Body to develop common standards for data portability in collaboration with industry - to overcome coordination problems that prevent industry naturally developing and consistently adopting these. • it establishes information security standards with the aim of ensuring that customer data is held safely from internal and external threats. • it provides systems of assurance and verification relating to compliance with these security standards (e.g. accreditation and the associated register). There are a range of existing regulatory frameworks that seek to address similar problems - often in potentially inconsistent or industry-specific ways which are not compatible or interoperable with each other. The Inquiry will examine whether arrangements, such as the Data Standards Body and accreditation regime, could be leveraged to support the development of productivity-enhancing initiatives within the digital economy more broadly. The Data Standards Body is responsible for setting technical standards for the Consumer Data Right. We invite submissions on the remit of the Data Standards Body, including whether there may be a role for it beyond setting standards required to facilitate the Consumer Data Right. In order for a data recipient to be able to request and receive data from a data holder under the Consumer Data Right, the data recipient must first be accredited by the Australian Competition and Consumer Commission.
The Inquiry will consider whether there is potential to leverage this accreditation regime (or elements of the regime - such as the information security standards) in other contexts in developing a safe and efficient digital economy. The Inquiry welcomes views on the above as well as any broader role that other aspects of the Consumer Data Right regime could play in supporting productivity and data security in the digital economy.
Consumer protection By giving customers more control over their data, the Consumer Data Right has the potential to positively impact customers in a wide variety of ways, from cheaper products and services, to helping customers to choose more suitable products and services, to providing real time convenience in obtaining and managing products and services. However the Inquiry recognises that data-based reforms need to be developed in a manner that takes into account the potentially diverse needs of customers including the vulnerable, both in terms of access to relevant technologies, and the impact that data-based reforms may have on them. The Inquiry will also consider potential privacy impacts of expanding the functionality of the Consumer Data Right in the ways described in this Issues Paper, and how any privacy risks may be mitigated. The Inquiry invites submissions from interested parties on how to ensure that, as the Consumer Data Right develops, it does so in a manner that is ethical and fair, as well as inclusive of the needs and choices of all consumers. This includes ways to encourage socially beneficial uses for the Consumer Data Right. Supplementary analysis - Inquiry into the Future Directions for the Consumer Data Right This analysis is intended to supplement the analysis in the Inquiry into the Future Directions for the Consumer Data Right (the Inquiry) for the purpose of consistency with the Australian Government Guide to Regulatory Impact Analysis (the Guide). Specifically, it addresses the Guide by setting out the reasons for the Government's proposed disagree response to Recommendations 6.9 to 6.11 of the Inquiry. Background Reciprocity in the CDR Reciprocity in the CDR follows the principle that those benefiting from receiving data through the CDR should be obliged to also make equivalent data available to other CDR participants at the consumer's direction.
Under the current CDR data-sharing regime, if an accredited data recipient (ADR) collects data through the CDR, a reciprocity obligation may arise in relation to any data it holds. This obligation would require the ADR to in turn disclose this data if requested to do so by the consumer.
While the CDR legislation limits the potential application of reciprocity to data covered by any CDR designation instrument,9 the rules further limit its application to data of the same types that data holders are required to disclose under those rules. The reciprocity recommendations Recommendations 6.9 to 6.11 of the Inquiry (the 'reciprocity recommendations') recommended the broadening of the scope of reciprocal data sharing requirements under the Consumer Data Right (CDR), as follows: • 6.9 - Cross-sector application of reciprocity: The Consumer Data Right principle of reciprocal obligations of an accredited data recipient to respond to a consumer's data sharing request should not be limited by the scope of sectoral designations at the time of accreditation. Accredited data recipients should be obliged to comply with a consumer's request to share data which is the subject of a sectoral designation as well as equivalent data held by them in relation to sectors which are not yet designated. • 6.10 - Identifying equivalent data: Equivalent data should exclude materially enhanced data and voluntary data sets. Equivalent data applicable to a person seeking accreditation as an accredited data recipient should be identified by the accreditor during the accreditation process. Identification of equivalent data should be subject to the same principles which apply to the selection of data sets through the formal sectoral assessment and designation process. Guidelines on the identification of equivalent data should be published by the regulator. • 6.11 - Exclusion from reciprocal data sharing obligations: Accredited data recipients should be excluded from reciprocal data sharing obligations if they are below a defined minimum size.
Per the Inquiry, the reciprocity recommendations are directed at seeking to ensure a level playing field in terms of access to data and to assist in growing the coverage of the CDR.10 As is set out in Recommendation 6.9, the Inquiry recommended that these reciprocity obligations be expanded to oblige the sharing of 'equivalent data', even when not covered by a designation instrument. The Inquiry notes that the idea of reciprocity based on 'equivalent data' was previously incorporated into the Review into Open Banking in Australia, prior to the implementation of the current CDR legislation.
9 Reciprocity is not triggered only in relation to data covered by the designation instrument covering the data you have received - once triggered it can apply to any data within the scope of any current designation instruments.
10 Complementing strategically directed growth through sectoral assessment and designation processes.
Issues During industry consultation undertaken by Treasury, stakeholders have indicated that reciprocity requirements in their current form under the CDR are a potential disincentive to firms entering the CDR regime as Authorised Data Recipients (ADRs). Additional concerns that have been raised regarding the recommended expansion of reciprocity in line with the Inquiry include the following: • Cross-sector reciprocity could not occur automatically. Assessments of the privacy and other risks associated with any equivalent data would need to be undertaken, and potentially additional mechanisms put in place to address these risks. Additionally, appropriate data standards may not be readily implementable. • There are different views on what 'equivalent data' is. Processes to identify equivalent data may therefore introduce complexity and uncertainty. • The current scope of CDR is limited to data sets for which rules and standards have already been developed. A broader scope may require diversions of rule-making and standard-setting resources to bring new datasets into the system. Modifications to the conformance testing suite and register may also be required. - In addition to increasing costs for the program, this may conflict with strategic decisions to prioritise bringing in high value data sets into the regime. - Concerns have also been raised by some stakeholders that their sectors would have to engage with CDR design work for sectoral datasets well in advance of their whole sectors being brought within the CDR. • The costs for ADRs to build data holder information technology systems and the commercial impacts of having to provide access to data holdings may act as a disincentive against their joining the CDR as an ADR.
These concerns are potentially mitigated by the following factors: • The proposal for a minimum threshold below which the obligation would not apply to an ADR; and the exclusion of materially value-added data sets. • The expectation that: - these concerns may lessen as more high priority datasets are brought within the system and as processes for doing so become more streamlined (and agencies can increasingly rely upon previously developed artefacts).
- Conflicts between prioritising organic growth of coverage (through reciprocity) and strategic growth (through sectoral assessments and designations) would decrease as more of the high value datasets are brought within the system. - Consideration could be given to adjusting transitional provisions to ensure that ADRs have a reasonable period in which to build support for reciprocity. Reasons for disagreement with the reciprocity recommendations There are a range of possible ways that CDR data could be transferred to address the issue of growing the CDR ecosystem. The Government's response to the Inquiry has agreed to a number of other Inquiry recommendations that are directed at resolving this issue. Noting the issues and mitigating factors above, the preferred alternative to address the growth of participation in the CDR ecosystem is through the sectoral designation process. The sectoral designation process remains the most viable means of expanding the scope of CDR in a targeted, strategic manner, which balances industry concerns about creating barriers to CDR participation. The following points are particularly relevant to this conclusion: • Stakeholders have raised concerns that reciprocity requirements in their current form act as a disincentive to some firms entering the CDR regime as ADRs. • Presently, these requirements mandate reciprocal sharing by ADRs only with respect to data that is within the scope of a CDR designation instrument. • Broadening the scope of these requirements to also apply to undesignated 'equivalent data' would exacerbate this issue, while creating additional complexity and resourcing pressures at the accreditation stage. Concerns raised by stakeholders are particularly acute with CDR currently being in its infancy as an economy-wide data sharing regime, and would act as a deterrent for ecosystem growth.
If future issues arise about data holding entities entering the CDR as ADRs and whether they should be required to share equivalent data, interventions can be effectively implemented through revisions to the rules where a strong policy rationale for this exists.
Inquiry into Future Directions of Consumer Data Right - Decision-mapping table - RIS-like process

Columns: RIS type; 7 RIS Questions; How the Inquiry into Future Directions for the Consumer Data Right deals with it

RIS type: Process akin to an Early Assessment RIS

1. What is the problem you are trying to solve?
Terms of Reference (Chapter 1)
• How to expand the CDR?
• How to ensure CDR inclusively promotes innovation for vulnerable consumers?
• How to leverage CDR infrastructure to support the development of broader productivity enhancing standards and a safe and efficient digital economy?
• How to leverage the development of the CDR with other countries that are developing similar regimes to enhance opportunities for Australian consumers, businesses and the Australian economy?
The Terms of Reference also ask the Inquiry to examine how the CDR could address the behavioural and regulatory barriers to switching between products and providers. This is elaborated in Chapter 3 which identifies the market failures impeding switching.

2. Why is government action needed?
• Expanding the CDR requires government action.
• Chapter 3 - Identifies the problems that the market has not solved

3. What policy options are you considering?
The Final Report of the Inquiry makes 100 recommendations.
• Chapter 4 - options to expand the CDR to action initiation (with various options on design features)
• Chapter 5 - options to implement action initiation in the banking sector (with various options on payment initiation and general banking actions)
• Chapter 6 - options to enhance CDR read access regime
• Chapter 7 - options to ensure that the CDR is inclusive of the needs of vulnerable consumers and consumer
• Chapter 8 - options to enhance interoperability and connect the CDR to overseas data-portability frameworks to promote cross-border connectivity.

4. What is the likely net benefit of each option?
Each Chapter of the Final Report considers the net benefit of its recommendations. The analysis of the net benefit is largely qualitative in nature.

RIS type: Process akin to a Consultation RIS

5. Who did you consult and how did you incorporate their feedback?
The Inquiry publicly consulted with a wide-range of stakeholders following the release of its Issues Paper that called for input. The feedback was then reflected in each Chapter of the Inquiry's Final Report, and considered to inform the Government's response.

6. What is the best option from those you have considered?
Recommended option is considered the best option, unless 'noting' or 'disagree' in response for further consideration.

7. How will you implement and evaluate your chosen option?
Recommended option, unless 'noting' or 'disagree' in response for further consideration, will be implemented via legislative amendments to the Competition and Consumer Act 2010, rules and/or standards-making. Timing of implementation is subject to Government's prioritisation. Post-implementation review of action initiation is proposed to be conducted 24 months after its commencement (Chapter 9).