2018 was a busy time for those responsible for the privacy policies and practices of their organisations. In February 2018 came the introduction of the notifiable data breach scheme and the accompanying need for a data breach response plan. In May 2018 came the need to ensure that any personal information caught by the GDPR was identified and managed in a way which meets the stricter requirements of that regime. But for those who hoped that now would present an opportunity to bed down those skilfully crafted policies and practices, the Treasury Laws Amendment (Consumer Data Right) Bill 2019 (Cth), recently introduced in the Federal House of Representatives, may not have made for pleasant reading.
The Bill, which has bipartisan support, paves the way for the introduction of the consumer data right (CDR) regime, with banking the first sector to be affected.
Should the CDR regime come to fruition, there will be a complex interplay between an organisation's existing obligations under the Australian Privacy Principles (APPs) prescribed by the Privacy Act 1988 (Cth) and a new set of "Privacy Safeguards", which are to be included in the Competition and Consumer Act 2010 (Cth). The Privacy Safeguards may be further supplemented by as yet unwritten consumer data rules and standards.
Organisations covered by the regime will need to be conscious of a number of key privacy issues that will arise if the Bill is enacted in its current form. These issues, which we outline below, will require significant changes to data handling policies and practices, and the underlying software systems which support them.
Will you be affected by the Consumer Data Right?
Banking, telecommunications and energy industry participants will be the first to be targeted, with others such as those in the insurance industry already on notice. But the reach of the CDR regime will extend beyond relevant industry participants to other organisations wishing to become an accredited data recipient (ADR, being the organisation to whom the consumer's data is transferred), including the expected next wave of Fintech organisations eager to assist consumers to utilise their rights to maximum effect.
The Consumer Data Right and the Bill's approach to privacy
The key objectives behind the Bill are to ensure the secure transfer of a consumer's data and that strict obligations are imposed as to how that data can be used by ADRs. The Bill and its Privacy Safeguards seek to achieve this objective by partially displacing the operation of the APPs and the Privacy Act in certain situations.
The Privacy Safeguards
While the majority of the Privacy Safeguards are broadly comparable with the APPs, there are some important differences, including that:
- There is no place for unsolicited CDR data in the CDR regime. If unsolicited CDR data is received by an ADR, it must be destroyed (unless retention is required by another Australian law, the Privacy Act excluded).
- The use of CDR data for direct marketing is prohibited, save where permitted under the relevant consumer data rules. There is no longer any 'reasonable expectations' exception of the type available under the Privacy Act.
- ADRs will be required to ensure that CDR data is protected from misuse, interference and loss as well as from unauthorised access, modification or disclosure. Taking 'reasonable steps' will not be enough: compliance with the relevant consumer data rules and data standards will be mandatory.
- Both data holders and ADRs will be required to take certain steps where CDR data is inaccurate and requires correction. Depending on the relevant consumer data rules, this may include issuing a notice to the consumer outlining any corrections and the reasons for them.
- Both data holders and ADRs will be required to notify the consumer when they disclose CDR data. The content of these notices will be prescribed by the consumer data rules.
Determining which of the APPs or Privacy Safeguards apply to particular data will present a challenge for participating organisations, as this will depend on the role that the organisation is playing in the CDR regime at the relevant time. For example, an organisation will need to manage:
- any data of its existing consumers in accordance with the Privacy Act (to the extent it constitutes personal information) prior to receipt of a valid CDR request, but on receipt of such a request, manage the information in accordance with a combination of APPs 1 to 9, 11 and 13, Privacy Safeguards 10, 11 and 13, and any applicable consumer data rules or data standards; and
- any CDR data it receives in its capacity as an ADR in accordance with the Privacy Safeguards (some of which apply concurrently with their APP equivalents) and any applicable consumer data rules or data standards, at least until such time as the relevant consumer becomes a customer of the organisation, in which case it is anticipated that the consumer data rules may provide that the organisation can manage the CDR data in accordance with the APPs.
It is readily apparent that the challenge of putting in place clear and workable data handling policies and practices, together with the underlying software systems which support them, that are capable of adapting in real time to the changing nature of the privacy protections, will be a considerable one.
Notification of CDR data breaches
The Bill contains provisions which would see the operation of the notifiable data breach scheme extended to cover data breaches involving CDR data.
Small businesses who are ADRs
In a move which will further extend its reach in the small business sector, the Privacy Act will be amended so that small businesses who are ADRs will be treated as organisations for the purposes of the Privacy Act. This means that they will be required to treat personal information that is not CDR data in accordance with the Privacy Act.
The Commonwealth Government has taken a leaf out of the EU's book by providing that consumers will have a right of action for breaches of the CDR, including in respect of breaches of the Privacy Safeguards. Notably, such a right does not exist under the Privacy Act. These rights will be in addition to access to internal and external dispute resolution processes and the dual-regulatory oversight of the ACCC and OAIC.
What should you do to get ready for the CDR regime?
Those involved in industries such as banking, telecommunications and energy (including organisations currently providing, or proposing to provide, services related to those industries) will soon need to begin preparing for the commencement of the CDR regime by:
- considering the broad approach to be taken to ensure compliance with the privacy requirements of the CDR regime, including whether attempts will be made to ring-fence or segregate CDR data from other data (such as personal information to which the Privacy Act continues to apply), or whether the more burdensome (but risk-averse) option of managing both CDR data and personal information in accordance with the higher standards prescribed by the Privacy Safeguards will be taken;
- auditing current information security processes and procedures and collating a list of the privacy policies and practices which will need to be created, or amended, in order to facilitate compliance with the CDR regime, including a CDR data policy and amended data breach notification plan; and
- ensuring any new or updated business practices are planned with the introduction of the CDR regime in mind.