EXPLANATORY STATEMENT

Competition and Consumer Act 2010

Competition and Consumer (Consumer Data Right) Amendment (2024 Measures No. 1) Rules 2024

Section 56BA of the Competition and Consumer Act 2010 (the Act) provides that the Minister may, by legislative instrument, make consumer data rules for designated sectors in accordance with Part IVD of the Act.

A ‘designated sector’ is a sector of the Australian economy designated, by legislative instrument made under section 56AC of the Act, as subject to the consumer data right (CDR). The designation instrument for a sector also specifies the data (CDR data) that is subject to the CDR and the classes of persons who hold the CDR data. Those persons, and certain other classes of persons covered by section 56AJ of the Act, are ‘data holders’ of CDR data in that sector. 

The CDR framework is set out in Part IVD of the Act and the Competition and Consumer (Consumer Data Right) Rules 2020 (the CDR Rules). Under the CDR, individuals and businesses (CDR consumers) may, through trusted third parties, request access to certain data sets relating to them. Data holders are required or authorised to provide access to the data, subject to controls ensuring the data’s quality, security, privacy and confidentiality. Data holders are also required or authorised to disclose publicly available information on specified product offerings to CDR consumers or other persons.

Rules applying generally across all designated sectors are set out in Parts 1 to 9 of, and Schedules 1 and 2 to, the CDR Rules. Sector-specific rules are set out in Schedule 3 (relating to the banking sector) and Schedule 4 (relating to the energy sector).

In addition to the CDR Rules, data standards are developed and maintained by the Data Standards Body and made by the Data Standards Chair in accordance with the CDR Rules. The data standards underpin the technical delivery and consumer experience of the CDR. This includes imposing requirements for data security, language, and format.

The Competition and Consumer (Consumer Data Right) Amendment (2024 Measures No. 1) Rules 2024 (the Amending Rules) amend the CDR consent process and introduce several other operational enhancements to the CDR Rules.

Consent amendments

Consent is the primary basis on which a data recipient may collect, use and disclose CDR data for which there are one or more consumers. The amendments to the consent process seek to improve the consumer experience by:

                 extending the data minimisation principle to disclosure, ensuring privacy protection coverage for consumers;

                 enabling consumers to provide multiple CDR consents with a single action;

                 allowing data recipients to pre-select the particular consent elements that would be reasonably needed to provide a consumer’s requested good or service;

                 simplifying the information that data recipients are required to provide to the consumer at the time of seeking the consumer’s consent;

                 allowing data recipients to consolidate the delivery of 90-day notifications to minimise the notification fatigue that consumers may currently experience; and

                 requiring data recipients to provide consumers with information about all supporting parties who may access a consumer’s data at the time a consumer’s consent is sought.

Operational enhancements

The operational enhancements focus on supporting use case development.

The Amending Rules make changes to the rules of general application, as well as the banking and energy sector rules. Such changes include the following:

                 allowing accredited authorised deposit-taking institutions (ADIs) to hold CDR data as a data holder where a consumer has applied to acquire a product from an ADI;

                 clarifying that a CDR representative principal must ensure their CDR representative(s) comply with consumer experience data standards as if they were an accredited data recipient (ADR);

                 removing the obligation for data holders to provide account holders with an online service that allows them to stop CDR data being disclosed to a particular ADR in response to data sharing requests made by secondary users; and

                 providing a trial products exemption in the energy sector, similar to the existing exemption in the banking sector.

Further information

Before making consumer data rules, the Minister must comply with the requirements in section 56BP of the Act. First, section 56BP requires the Minister to have regard to certain matters set out in section 56AD. These include the likely effect of making the rules on the interests of consumers, the efficiency of relevant markets and the privacy and confidentiality of consumers’ information, and the likely regulatory impact of allowing the rules to impose requirements. The Minister will consider each of the relevant matters when making the Amending Rules.

Second, the Minister must, before making consumer data rules, be satisfied that the Secretary of the Department has arranged for consultation and the making of a report in accordance with section 56BQ of the Act. This requirement has been met in relation to the Amending Rules.

Third, the Minister must wait at least 60 days after the day public consultation begins before making consumer data rules. With public consultation having commenced on 9 August 2024 with publication of draft exposure rules on the Treasury website, this requirement has been met.

The exposure draft of the Amending Rules was released for consultation from 9 August 2024 to 9 September 2024. Submissions were received from 41 respondents, including CDR participants, CDR agencies, the banking and energy sectors, and their respective regulators.

While there was general support for most aspects of the rules, the following key changes were made in response to consultation feedback:

                 not proceeding with amendments that would have required data to be deleted by default;

                 broadening the measure to enable electricity plans to be trialled outside of the CDR for a period of up to 24 months (up from the proposed 12 months) and supplied to no more than 2,000 customers (up from the proposed 1,000 customers);

                 not proceeding with amendments that would have required data holders to provide an online service for appointing an account administrator as a nominated representative; and 

                 simplifying the notification requirements for accredited authorised deposit-taking institutions (‘accredited banks’) seeking to hold CDR data as a data holder.

The Amending Rules are disallowable and their principal instrument – the CDR Rules – is subject to sunsetting in the ordinary way.

Section 56GB of the Act provides that the CDR Rules may apply, adopt or incorporate by reference any matter contained in any other instrument or writing as in force or existing at a particular time, or from time to time. The Amending Rules incorporate consumer data standards made by the Data Standards Chair under section 56FA of the Act as existing from time to time. Members of the public can freely access and use the standards from https://consumerdatastandards.gov.au/.

The Amending Rules are a legislative instrument for the purposes of the Legislation Act 2003.

The Amending Rules commenced on the day after registration on the Federal Register of Legislation.

Details of the Amending Rules are set out in Attachment A.

A Statement of Compatibility with Human Rights is at Attachment B.

The Office of Impact Analysis (OIA) has been consulted (OIA ref: OIA23005564, OIA2406965 and OIA24-08244) and agreed that an impact analysis is not required. Treasury expects the amendments to have a minor regulatory impact.

In citations of provisions in this explanatory material, unless otherwise specified, references to rules are to the CDR Rules.

 

ATTACHMENT A

Details of the Competition and Consumer (Consumer Data Right) Amendment (2024 Measures No. 1) Rules 2024

Section 1 – Name

This section provides that the name of the instrument is the Competition and Consumer (Consumer Data Right) Amendment (2024 Measures No. 1) Rules 2024 (the Amending Rules).

Section 2 – Commencement

This section provides that the Amending Rules commence the day after they are registered on the Federal Register of Legislation.

Section 3 – Authority

This section provides that the Amending Rules are made under section 56BA of the Competition and Consumer Act 2010 (the Act).

Section 4 – Schedules

This section provides that each instrument that is specified in a Schedule to this instrument is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this instrument has effect according to its terms.

Schedule 1 – Amendments

Amendments relating to consent

Consent bundling

  1.              The Amending Rules provide that accredited persons and CDR representatives:

     may include together (‘bundle’) collection, use and disclosure consents under the CDR Rules in a single request, and in such a way that the consumer can agree to all consents with a single action; but

     must not bundle direct marketing or de-identification consents, or any type of consent that is not within the CDR Rules, with a request for a CDR consumer’s collection, use or disclosure consent under the CDR Rules. [Schedule 1, items 53 and 77, rules 4.10 and 4.20D]

  1.              These provisions as amended, combined with the existing obligations on an accredited person or CDR representative under the data minimisation principle in rule 1.8, mean that each bundled collection, use and disclosure consent will still need to be separately identified in the request, each retains its identity as a collection, use or disclosure consent (bundled consents do not become a different type of consent), and only consents that are reasonably needed to provide the particular good or service the CDR consumer has requested can be bundled together.
  2.              The Amending Rules also clarify that collection and use consents for CDR data are not required to be given before a disclosure consent in relation to the data can be requested. Rather, an accredited person or CDR representative can request a collection, use and disclosure consent relating to CDR data at the same time. [Schedule 1, items 45 to 48, rule 4.2 and subrules 4.3(2A) and 4.3A(3)]

Pre-selecting consent elements

  1.              Rules setting out how accredited persons and CDR representatives seek CDR consumers’ consent to:

               the types of data a collection or disclosure consent applies to;

               who the data may be disclosed to;

               the specific uses for the collected data; and

               the period of the consent;

are amended to permit an accredited person or CDR representative, when requesting the consumer’s consent, to either:

               allow the CDR consumer to actively select or otherwise clearly indicate each of the above consent elements; or

               present the consumer with each element already selected, and seek the consumer’s agreement to all the elements so presented. In this case, the consumer is only able to either agree to proceed with all the consent elements as presented, or to not proceed with the entire request for the good or service.

[Schedule 1, items 54 to 57, 67, 78 to 81 and 91, subrules 4.11(1), 4.12C(2), 4.20E(1) and 4.20I(2)]

  1.              Direct marketing and de-identification consents are not able to be presented as pre-selected consent options under the above provisions. [Schedule 1, items 58 and 83, subrules 4.11(2) and 4.20E(2)]
  2.              These amendments will enable an accredited person or CDR representative, when seeking a CDR consumer’s consent, to present the consumer with the data types and uses, data recipients and the consent durations that are needed to provide the good or service the consumer has requested, and the consumer is able to agree to all with a single action.
  3.              This will help avoid the inefficiencies produced by requiring a CDR consumer to individually select, and agree to, datasets, data recipients and consent periods in a situation where the good or service the consumer has requested can only be provided if the accredited person or CDR representative has the access enabled by those consent elements.
  4.              As the data minimisation principle in rule 1.8 applies to any collection, use or disclosure (following the amendment to extend the principle to disclosure outlined below) of a CDR consumer’s CDR data, whether the relevant consents were asked for separately, or pre-selected, the accredited person or CDR representative can still only collect, use or disclose the data as reasonably needed to provide the good or service the consumer has requested. The accredited person or CDR representative will still be required to provide the consumer with an explanation of why the collection, use or disclosure does not go beyond what is reasonably needed. [Schedule 1, items 59 and 84, paragraphs 4.11(3)(c) and 4.20E(3)(f)]
  5.              The meaning of ‘reasonably needed’ should be assessed on a case-by-case basis. In general, it should involve an objective assessment about whether a reasonable and informed person would consider the consent is needed to provide the consumer with the requested good or service. In other words, it would not be sufficient if the consent was only useful or preferable for the accredited person or CDR representative to have.

Data minimisation principle

  1.          Rule 1.8 is amended to extend the data minimisation principle to disclosure of CDR data. [Schedule 1, item 41, subrule 1.8(2)]
  2.          This means that any use or disclosure of CDR data cannot exceed what is reasonably needed by the accredited person or CDR representative in order to provide the requested goods or services or to effect another permitted use or disclosure.
  3.          For clarity and consistency with current drafting practice, the note to the heading of rule 1.8 is removed. [Schedule 1, item 40, rule 1.8 (note)]
  4.          A number of other minor amendments are made to reflect the extension of the data minimisation principle to disclosure. [Schedule 1, items 39, 43, 44, 49 to 52 and 66, rules 1.4, 4.1, 4.4, 4.7A and 4.12]

Withdrawing consent

  1.          The Amending Rules remove the requirement that, when being asked to give a consent, a CDR consumer must be informed about how to withdraw a consent and the consequences of doing so (although the consumer must still be informed, when being asked for a consent, that they are able to withdraw their consent at any time). [Schedule 1, items 62 and 87, paragraphs 4.11(3)(g) and 4.20E(3)(m)]
  2.          Information about how to withdraw a consent and the consequences of doing so will still be provided in the CDR receipt a consumer receives when a consent has been given, in the notifications given about current consents, and when a collection consent expires but a use or disclosure consent remains current.
  3.          This change will help streamline the process for requesting and giving consents, and reflects a more intuitive approach for the consumer who will only need to think about the process for withdrawing their consent at the point they are, or may be, considering doing so.

Notifications about current consents

  1.          The CDR Rules require the CDR consumer to be notified that a collection or use consent is still current where the consent is current but 90 days have passed since the consumer gave or amended the consent, used their consumer dashboard or received a notification under the same rule.
  2.          Minor amendments are made to allow, where these circumstances apply to more than one current collection, use or disclosure consent, an accredited person or CDR representative to give the consumer a single notification setting out all the current consents. In other words, a separate notification does not need to be given for each consent. In addition, the notifications must be given in accordance with the consumer data standards. [Schedule 1, items 73 to 76, 96 to 99 and 100, rules 4.20 and 4.20U and paragraph 8.11(1)(fb)]
  3.          In order to align applicable obligations, the existing notification provisions will continue to apply until data standards for this purpose are made and in effect. [Schedule 1, item 103, rules 504 and 507]
  4.          The existing requirements to notify a CDR consumer when a collection consent expires but a use consent is still current, are amended to include disclosure consents that are still current. [Schedule 1, items 70 to 72 and 93 to 95, rules 4.18A and 4.20Q]

Direct marketing and de-identification consents

  1.          A note is added to clarify that direct marketing and de-identification consents may consist of either a use or disclosure consent, or a combination of use and disclosure consents. This is designed to clarify how these consents are to be treated under the CDR Rules, consistently with the original intention. [Schedule 1, item 42, subrule 1.10A(1) (note)]
  2.          When an accredited person or CDR representative is seeking a direct marketing consent, they must inform the CDR consumer about how the CDR data covered by the consent may be used or disclosed. [Schedule 1, items 60, 64, 65, 85, 88, 89, paragraph 4.11(3)(da), subrule 4.11(3) (notes), paragraph 4.20E(3)(ga) and subrule 4.20E(3) (notes)]
  3.          A minor amendment is made to rule 4.15 (additional information provided when a de-identification consent is sought) to clarify the wording in line with current drafting practice. [Schedule 1, item 68, rule 4.15]

Information about supporting parties

  1.          Rules requiring information to be provided when requesting a CDR consumer’s consent about any outsourced service providers or sponsors that will be collecting and disclosing CDR data under the consent are amended so that the requirements are consistent. This will improve efficiency and transparency for consumers when consents are requested. [Schedule 1, items 61, 63 and 86, paragraphs 4.11(3)(f) and (i) and 4.20E(3)(k)]
  2.          To allow sufficient time for the necessary systems to be updated, the existing requirements will continue to apply until 12 months after the Amending Rules have commenced. [Schedule 1, item 103, rules 502 and 505]

CDR receipts

  1.          The requirements regarding CDR receipts are amended so that the CDR Rules only require CDR receipts to be given in accordance with the data standards. The existing timing requirements are retained, that is, a CDR receipt must be given as soon as practicable after a CDR consumer gives, amends or withdraws a collection, use or disclosure consent. In addition, the existing requirements regarding CDR receipts will continue to apply until the relevant data standards are made and in effect. [Schedule 1, items 69, 92, 100 and 103, rules 4.18 and 4.20O, paragraph 8.11(1)(fa) and rules 503 and 506]
  2.          This simplification of obligations under the CDR Rules and allowing the data standards to specify the information that must be included in receipts will improve consistency and compliance in the provision of CDR receipts.

Miscellaneous amendments

  1.          An incorrect reference to ‘accredited data recipient’ is changed to ‘CDR representative’ in note 3 to subrule 4.20E(1). [Schedule 1, item 82, subrule 4.20E(1) (note 3)]
  2.          Minor amendments are made to the provisions relating to consumer dashboards provided by accredited persons, to remove the expression ‘functionality’, and clarify the wording in line with current drafting practice. [Schedule 1, items 8, 14 to 16, 25 and 26, rule 1.11, paragraph 1.14(1)(c), subrules 1.14(2A) and (4) and paragraphs 4.12B(2)(a) and 4.20H(2)(a)]
  3.          Rule 9.8 (civil penalty provisions) is amended to take into account the changes to the current consent notification requirements in rule 4.20 and the CDR receipts provision in rule 4.18. [Schedule 1, items 101 and 102, rule 9.8]

Operational enhancements

Accredited authorised deposit-taking institutions holding CDR data as data holders

  1.          The Amending Rules expand the circumstances in which an accredited authorised deposit-taking institution (ADI) can hold data as a data holder. They do this by creating a second set of conditions (in addition to the existing conditions) under subsection 56AJ(4) of the Act to allow accredited ADIs to hold CDR data they receive under the CDR Rules as a data holder. [Schedule 1, item 29, clause 7.2 of Schedule 3 to the CDR Rules]
  2.          Common aspects across the two conditions for accredited ADIs to hold CDR data as data holders are that the accredited person is an ADI, the CDR data (whether directly or indirectly) has been collected in accordance with the collection consent, and that the accredited ADI believes that the data is relevant to its supply of a product to the CDR consumer. [Schedule 1, item 29, paragraphs 7.2(1)(a), (b) and (c) of Schedule 3 to the CDR Rules]
  3.          In addition to the above, the new set of conditions will be met if:

               the accredited person is supplying the product to the CDR consumer (being the product that the CDR data collected under the CDR consent is relevant to); or

               the accredited person has received an application from the CDR consumer for the supply of the product; or

               the accredited person is aware that the CDR consumer proposes to apply for the supply of the product; and

               prior to the first collection of CDR data collected in accordance with a collection consent, the accredited ADI notified the consumer that they would hold that data in accordance with their usual data holding practices for consumer data;

[Schedule 1, item 29, paragraph 7.2(1)(d)(i) of Schedule 3 to the CDR Rules]

  1.          For an accredited person to be aware that a CDR consumer proposed to apply for the supply of a product, the CDR consumer will have commenced an application for a certain product. This is intended to allow a notification in line with this set of conditions to be provided prior to the CDR consent for the collection of data to be provided, so that if the CDR data collection consent is required for the product application to be submitted, those circumstances are still captured by this amendment.
  2.          It is expected that an accredited ADI will comply with the requirement to notify the consumer that the data will be held in accordance with their usual data holding practices by, for example, explaining to the consumer that the accredited ADI will be holding the data consistent with their privacy policy. Regulator guidance will provide additional clarity on this condition.
  3.          An accredited ADI may only give a notification in accordance with the new set of conditions if they are supplying the product to the consumer (i.e., the consumer has acquired a product), or the consumer has applied or is applying to acquire a product. This will be the case, for example, when a consumer is completing an online application to apply for a personal loan or credit card, but the bank requires the consumer’s transaction data to finalise and assess their application. [Schedule 1, item 29, subclause 7.2(2) of Schedule 3 to the CDR Rules]
  4.          Any future CDR data collected in accordance with the collection consent can also be held by the accredited ADI as a data holder. So long as the first notification was provided in accordance with these new conditions, the accredited ADI is not required to provide such a notification each time CDR data is collected in connection with that consent. [Schedule 1, item 29, paragraph 7.2(2A)(a) of Schedule 3 to the CDR Rules]
  5.          The existing conditions in the CDR Rules remain in operation, which allow accredited ADIs to hold CDR data as data holders where a consumer has acquired a product from the ADI and has agreed to the ADI holding this data as a data holder, rather than an ADR. These have taken a slightly new form in the Amending Rules, but the effect is intended to remain unchanged. [Schedule 1, item 29, subclause 7.2(2A) of Schedule 3 to the CDR Rules]
  6.          For clarity, where the original set of conditions are met (i.e., the consumer has consented to the ADI holding the data as a data holder after the data has been collected), an accredited ADI cannot automatically hold any future CDR data collected in accordance with the relevant collection consent as a data holder. To do so, they must satisfy either the existing or new conditions in clause 7.2 of Schedule 3 to the CDR Rules. 
  7.          Accredited ADIs that were holding CDR data as an accredited person in accordance with a collection consent prior to the commencement of the Amending Rules will not be able to use the notification avenue to hold CDR data as a data holder in relation to CDR data collected under that consent. This will apply to any CDR data received in accordance with that consent, even if that data is collected after the commencement of the Amending Rules (so long as the original consent was prior to the Amending Rules commencing). Accredited ADIs will still be able to rely on the consent conditions that were also available prior to commencement of the Amending Rules in relation to CDR data collected in accordance with a collection consent, so long as the conditions are met. [Schedule 1, item 103, rule 508]

CDR representatives complying with standards

  1.          The CDR Rules require CDR representatives to comply with any relevant CDR data standards that relate to the CDR representative doing things in accordance with Division 4.3A of the CDR Rules.
  2.          The Amending Rules create an express requirement that a CDR representative arrangement must contain a term that requires the CDR representative to comply with any consumer experience data standards that are expressed to apply to ADRs, as if the CDR representative were an ADR. [Schedule 1, item 6, paragraph 1.10AA(1)(d)]
  3.          This obligation would only apply to CDR representatives when doing anything they are empowered to do under the CDR Rules and does not allow CDR representatives to do things that only ADRs or accredited persons are able to do – for example, to make consumer data requests directly to data holders.
  4.          As is the case in current subrule 1.16A(2), a civil penalty attaches to a breach of a CDR representative principal’s obligation to ensure their CDR representative complies with the relevant consumer experience data standards as if they were an ADR.
  5.          The Amending Rules also clarify that a CDR representative principal is liable for their CDR representative breaching a required term of their CDR representative arrangement, irrespective of whether the term in question was actually included as a provision in their arrangement. [Schedule 1, item 22, paragraph 1.16A(2)(a)]
  6.          Based on this amendment, subrule 1.16A(5) is no longer necessary and has been repealed. [Schedule 1, item 23, subrule 1.16A(5)]
  7.          The commencement of this obligation will be deferred by 12 months from the date these amendments take effect. [Schedule 1, item 103, rule 501]
  8.          To support these amendments, the Amending Rules introduce a definition of consumer experience data standards as data standards expressed to be consumer experience data standards. This is intended to capture all data standards made by the Data Standards Chair that operate as consumer experience data standards. [Schedule 1, item 2, definition of ‘consumer experience data standards’ in subrule 1.7(1)]

Secondary users

  1.          The Amending Rules remove the obligation currently imposed on data holders to offer a functionality that allows an account holder who has given a secondary user instruction to indicate, through their consumer dashboard, that the holder no longer approves CDR data relating to that account being disclosed to a particular accredited person in response to consumer data requests made by that secondary user. The Amending Rules make a minor addition to the data holder consumer dashboard service requirements that the service also be ‘readily accessible’. [Schedule 1, item 19, paragraphs 1.15(5)(b) to (e)]
  2.          Data holders may still provide this functionality to account holders but are not compelled to do so. Instead, an account holder can continue to rely on the ability to block secondary user authorised data sharing by stopping all data sharing from the account on behalf of the specified secondary user by withdrawing the secondary user instruction.
  3.          Existing subparagraph 4.6A(a)(ii) in the CDR Rules continues to apply to block data holders sharing data to a particular accredited person where data holders choose to still provide the more granular functionality.
  4.          The Amending Rules maintain the current rule that a data holder will not contravene its obligations to ensure the service is simple and straightforward to use, and no more complicated to use than the processes for giving the authorisation or instruction, so long as it takes reasonable steps to comply with those requirements. [Schedule 1, item 21, subrule 1.15(6)]
  5.          As a result of the amendments, Note 2 in subrule 1.15(5) and Note 1 in rule 4.6A are no longer relevant and have been repealed. [Schedule 1, items 20 and 24, subrule 1.15(5) (notes) and rule 4.6A (notes)]
  6.          The Amending Rules also address an irregularity in the CDR Rules that allows a secondary user to make a consumer data request on an account even when the relevant account holder is no longer eligible to share data. This is achieved by amending the definition of secondary user and introducing a temporal requirement. [Schedule 1, items 4 and 5, definition of ‘secondary user’ in subrule 1.7(1)]

Miscellaneous dashboard requirements for data holders

  1.          The Amending Rules align the consumer dashboard functionality requirements for data holders with new dashboard requirements related to secondary users outlined above. [Schedule 1, items 17 and 18, paragraphs 1.15(1)(c) to (g) and subrule 1.15(4)]
  2.          Similar amendments are made to data holder consumer dashboard functionality requirements for joint account holders. The Amending Rules remove the ‘reasonable steps’ protection to the extent it relates to the requirement for the online service to be prominently displayed. This is consistent with other provisions in the CDR Rules that include requirements on data holders to provide services that are ‘prominently displayed and readily accessible’. [Schedule 1, items 27 and 28, paragraphs 4A.13(1)(d) to (h) and subrule 4A.13(4)]
  3.          References in the CDR Rules to services being ‘prominently displayed’ are intended to refer to prominent display on a participant’s app or website.

Trial products for the energy sector

  1.          The Amending Rules intend to remove possible disincentives for electricity retailers to introduce innovative new products in the CDR. The Amending Rules achieve this by mirroring, to some extent, the operation of the ‘trial product’ provisions in the banking schedule of the CDR Rules (Schedule 3). This change will allow retailers to trial products without those products being subject to CDR data sharing obligations. This is achieved by exempting trial products from the application of Part 3 of Schedule 4. [Schedule 1, item 31, clause 3.1A of Schedule 4 to the CDR Rules]
  2.          Trial product has a different meaning for the purposes of the energy sector, in the context of the products and services offered in that sector, as compared to the banking sector. As such, a trial product is described in the Amending Rules for the energy sector as a plan, which is a more appropriate term for the sector. A plan will be a trial product for the purposes of the energy sector if it is offered:

               with the description ‘pilot’ or ‘trial’;

               with a statement specifying a trial period of no more than 24 months;

               on the basis that it will be supplied to no more than 2,000 customers; and

               with a statement that it may be terminated before the end of the trial period in which case CDR data in relation to the product may not be available.

[Schedule 1, item 30, meaning of ‘trial product’ in subclause 1.5(1) of Schedule 4 to the CDR Rules]

  1.          A plan ceases to be a trial product if it continues to be supplied or offered after the end of the trial period, or it is supplied to more than 2,000 customers. [Schedule 1, item 30, meaning of ‘trial product’ in subclause 1.5(2) of Schedule 4 to the CDR Rules]
  2.          The intention is that if a plan ceases to be a trial product, retailers must share data generated while the energy plan was a trial product. However, if a retailer ceases to offer the plan at the end of the trial period, and never exceeded the 2,000 customer limit, there is no obligation to share CDR data generated during the trial.

Equalisation of data holder obligation dates for accredited persons who become small retailers (energy sector)

  1.          Currently, there is no deferral of data holder obligations for accredited persons who become small retailers. This has the effect that those entities are required to comply with data holder obligations as small retailers on the day they become small retailers.
  2.          In contrast, small retailers that become accredited persons have the benefit of a 12-month deferral on the obligation to comply with non-complex consumer data requests made by accredited persons on behalf of CDR consumers. For complex requests, there is an 18-month delay of those obligations.
  3.          The Amending Rules amend clause 8.6 of Schedule 4 to the CDR Rules to align the compliance dates for accredited persons who become small retailers (and vice versa). This is achieved by specifying the dates that Part 4 of the CDR Rules (which deals with consumer data requests made by accredited persons on behalf of CDR consumers) will apply to a person who is both a small retailer and an accredited person for non-complex and complex requests. The amendment also removes reference to the ‘tranche 1’ date, which is no longer relevant, having passed in 2022. [Schedule 1, item 38, subclauses 8.6(7) and (8) of Schedule 4 to the CDR Rules]

Obligation dates for small retailers that become larger retailers

  1.          The Amending Rules fix an inconsistency whereby a small retailer that reaches the customer numbers for a larger retailer has less time to comply with complex data sharing requests (12 months) than a small retailer that becomes an accredited person (18 months).
  2.          The Amending Rules achieve this by clarifying that Part 4 (which deals with consumer data requests by accredited persons on behalf of CDR consumers) of the CDR Rules applies to a larger retailer in relation to a complex request from the later of the tranche 4 date (1 May 2024) and the day that is 6 months after the day that it became a larger retailer. As subclause 8.3(1) of Schedule 4 to the CDR Rules provides a retailer that reaches the customer numbers for a larger retailer with a 12-month delayed obligation period, this amendment has the effect that a small retailer that reaches the customer numbers for a larger retailer will have 18 months prior to its obligations in relation to complex requests taking effect. [Schedule 1, item 37, subclause 8.6(6) of Schedule 4 to the CDR Rules]

Miscellaneous amendments to staged application for energy sector

  1.          The Amending Rules make several minor amendments to Part 8 of Schedule 4 to the CDR Rules to assist clarity and comprehension. These minor changes relate to clauses dealing with the timing of obligations taking effect in relation to product data requests under Part 2 and Part 4 of the CDR Rules. [Schedule 1, items 33 to 36, clause 8.4 and subclauses 8.6(1) to (5) of Schedule 4 to the CDR Rules]

Nominated representatives

  1.          The CDR Rules oblige a data holder to provide a service that business consumers can use to nominate a representative to take certain actions on their behalf. The Amending Rules modify the existing requirement, that the service can be used to revoke such a nomination, to require that the service must instead provide a mechanism to withdraw the nomination. The use of withdraw is a more appropriate description of the action. [Schedule 1, items 9 to 12, paragraphs 1.13(1)(c) and (d)]
  2.          Note 4 to subrule 1.13(1) of the CDR Rules is substituted by the Amending Rules, which now explains that a consumer data request service may be offered in an online form even if this subrule does not require it to be an online service. [Schedule 1, item 13, subrule 1.13(1) (note 4)]
  3.          In addition, the Amending Rules broaden the definition of complex request in the energy sector to include a request made on behalf of a CDR consumer by a nominated representative. [Schedule 1, item 32, paragraph 8.1(d) of Schedule 4 to the CDR Rules]

Meaning of ‘financial counselling agencies’

  1.          One of the classes of trusted adviser recognised by the CDR Rules is financial counselling agencies. The Amending Rules update the cross-reference for the meaning of that term, reflecting that the Treasury Laws Amendment (Rationalising ASIC Instruments) Regulations 2022 incorporated the previously referenced ASIC Corporations (Financial Counselling Agencies) Instrument 2017/792 into the Corporations Regulations 2001.

[Schedule 1, item 7, paragraph 1.10C(2)(d)]

  1.          The meaning remains substantively the same – ‘financial counselling agency’ means a person that provides a financial counselling service. A ‘financial counselling service’ means a counselling and advocacy service provided mainly for the purposes of assisting individuals or small businesses who are in financial difficulty to resolve their problems.

Miscellaneous

  1.          The Amending Rules create a new Part of the CDR Rules to house the application and transitional provisions associated with these Amending Rules and any future application or transitional provisions.

[Schedule 1, items 1 and 103, subrule 1.6(9A) and Part 50 of the CDR Rules] 

  1.          The Amending Rules amend the definition of eligible in rule 1.7 (the definitions rule) to more comprehensively cross-reference the existing definition of that term in rule 1.10B, without changing the substance.

[Schedule 1, item 3, definition of ‘eligible’ in subrule 1.7(1)]

ATTACHMENT B

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Insert Title of Instrument

This Legislative Instrument is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

The Competition and Consumer (Consumer Data Right) Amendment (2024 Measures No. 1) Rules 2024 (the Amending Rules) amend the consumer data right (CDR) consent process and introduce several other operational enhancements to the Competition and Consumer (Consumer Data Right) Rules 2020 (the CDR Rules).

The consent amendments:

                 extend the data minimisation principle to disclosure, ensuring privacy protection coverage for consumers;

                 enable consumers to provide multiple CDR consents with a single action;

                 allow data recipients to pre-select the particular consent elements that would be reasonably needed to provide a consumer’s requested good or service;

                 simplify the information that data recipients are required to provide to the consumer at the time of seeking the consumer’s consent;

                 allow data recipients to consolidate the delivery of 90-day notifications to minimise the notification fatigue that consumers may currently experience; and

                 require data recipients to provide consumers with information about all supporting parties who may access a consumer’s data at the time a consumer’s consent is sought.

The operational enhancements include the following:

                 allowing accredited authorised deposit-taking institutions (ADIs) to hold CDR data as a data holder where a consumer has applied to acquire a product from an ADI;

                 clarifying that a CDR representative principal must ensure their CDR representative(s) comply with consumer experience data standards as if they were an accredited data recipient (ADR);

                 removing the obligation for data holders to provide account holders with an online service that allows them to stop CDR data being disclosed to a particular ADR in response to data sharing requests made by secondary users; and

                 providing a trial products exemption in the energy sector.

The Amending Rules engage the right to protection from unlawful or arbitrary interference under Article 17 of the International Covenant on Civil and Political Rights (ICCPR) because they make amendments that impact on the disclosure of consumers’ CDR data.

The right in Article 17 may be subject to permissible limitations, where these limitations are authorised by law and are not arbitrary. In order for an interference with the right to privacy to be permissible, the interference must be authorised by law, be for a reason consistent with the ICCPR and be reasonable in the particular circumstances. The UN Human Rights Committee has interpreted the requirement of ‘reasonableness’ to imply that any interference with privacy must be proportional to the end sought and be necessary in the circumstances of any given case.

Consent-related amendments

As informed and voluntary consent is critical to ensuring consumers retain control over what is done with their personal information, by making changes to the rules about consent, the Amending Rules engage Article 17.

However, the effect of the Amending Rules is to improve the consent-giving experience for consumers by requiring information about the consents being sought to be given when it will be most relevant and useful to the consumer, and by allowing all the consent elements needed to provide the good or service the consumer has asked for to be presented together, so the consumer is able to agree to everything needed with fewer separate actions.

Consumer privacy protection is maintained by ensuring:

                 consumers can only be asked for access to their information that is reasonably needed in order to provide the good or service the consumer has asked for; and

                 consumers are fully informed about how the consents being asked for will affect their personal information, and that they are able to withdraw any consent they have given at any time.

Operational enhancements

Accredited authorised deposit-taking institutions holding CDR data as data holders

The Amending Rules also engage Article 17 by broadening the circumstances in which an accredited authorised deposit-taking institution (ADI) is permitted to hold CDR data as a data holder. This means the accredited ADI is no longer bound by the CDR privacy safeguards that would have applied if they had continued to hold the data as an accredited data recipient (ADR) in the expanded circumstances.

However, the ordinary settings under the Australian Privacy Principles in Schedule 1 to the Privacy Act 1988 would still apply to the ADI’s handling of that data.

Further, while this is a simplified notification requirement compared to the existing circumstance where accredited ADIs can hold CDR data as a data holder, the ADI must still notify the consumer prior to the first collection of the relevant data that they would hold that data in accordance with their usual data holding practices for consumer banking data.

CDR representatives complying with standards

The independent privacy impact assessment conducted for the Amending Rules concluded that consistent application and reinforcement of the consumer experience data standards is a privacy positive step because it promotes trust, uniformity and predictability across the CDR regime.

Energy sector trial products

The Amending Rules also engage Article 17 by exempting trial products in the energy sector from the requirements under the CDR Rules. However, the following additional requirements support an appropriate balance with consumers’ privacy protection:

                 the number of customers that may be supplied with a trial product is limited to 2,000 people;

                 when offering the plan, the period of time for which it will operate as a trial product must be stated (the trial period), ending no more than 24 months after the initial offering; and

                 when offering the plan, it must be fully disclosed that it is a ‘pilot’ or a ‘trial’, that the plan may be terminated before the end of the trial period, and in this event, any CDR data collected in relation to the trial product may not be available.

This ensures that before consumers agree to participate in a trial product in the energy sector, they will be well-informed of the nature of the product and how it differs from products that are covered by the CDR. 

Civil penalty provisions

The Amending Rules introduce or alter some civil penalty provisions in the CDR Rules. These civil penalty provisions potentially invoke Articles 14 and 15 of the ICCPR. Although the Articles cover criminal process rights, in international human rights law, where a civil penalty is imposed, it must be determined whether it nevertheless amounts to a ‘criminal’ penalty. As with the existing civil penalties in the current CDR Rules, the new civil penalty provisions should not be considered ‘criminal’ for this purpose. While they are intended to deter non-compliance with CDR obligations, they are not directed at the general public, but at a class of businesses that should be reasonably aware of their obligations under the CDR. In addition, none of the provisions carry a penalty of imprisonment for non-payment of a penalty.

The Amending Rules are compatible with human rights because, to the extent that they engage the relevant human rights and freedoms, they are proportional to the ends sought and reasonable and necessary in the circumstances.