Competition and Consumer (Consumer Data Right) Amendment (2024 Measures No. 1) Rules 2024
I, Stephen Jones, Assistant Treasurer and Minister for Financial Services, make the following rules.
Dated 6 November 2024
Stephen Jones
Assistant Treasurer
Minister for Financial Services
Contents
1 Name
2 Commencement
3 Authority
4 Schedules
Schedule 1—Amendments
Part 1—Operational enhancements
Competition and Consumer (Consumer Data Right) Rules 2020
Part 2—Consent
Competition and Consumer (Consumer Data Right) Rules 2020
Part 3—Application provisions
Competition and Consumer (Consumer Data Right) Rules 2020
1 Name
This instrument is the Competition and Consumer (Consumer Data Right) Amendment (2024 Measures No. 1) Rules 2024.
2 Commencement
(1) Each provision of this instrument specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.
Commencement information
Column 1 | Column 2 | Column 3
Provisions | Commencement | Date/Details
The whole of this instrument | The day after this instrument is registered. |
Note: This table relates only to the provisions of this instrument as originally made. It will not be amended to deal with any later amendments of this instrument.
(2) Any information in column 3 of the table is not part of this instrument. Information may be inserted in this column, or information in it may be edited, in any published version of this instrument.
3 Authority
This instrument is made under the Competition and Consumer Act 2010.
4 Schedules
Each instrument that is specified in a Schedule to this instrument is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this instrument has effect according to its terms.
Schedule 1—Amendments
Part 1—Operational enhancements
Competition and Consumer (Consumer Data Right) Rules 2020
1 After subrule 1.6(9)
Insert:
(9A) Part 50 of these rules sets out application and transitional provisions.
2 Subrule 1.7(1)
Insert:
consumer experience data standards means data standards expressed to be consumer experience data standards.
Example: The Data Standards Chair must make data standards about disclosure and security of CDR data, including consumer experience data standards for certain disclosures—see subparagraphs 8.11(1)(c)(iii) to (vi).
3 Subrule 1.7(1) (definition of eligible)
Repeal the definition (including the note), substitute:
eligible:
(a) in relation to a particular data holder, at a particular time—has the meaning given by rule 1.10B; and
(b) in relation to a particular data holder in a particular designated sector, at a particular time—has the meaning given by rule 1.10B as affected by clause 2.1 of Schedule 3 and clause 2.1 of Schedule 4.
4 Subrule 1.7(1) (definition of secondary user)
Omit “if:”, substitute “at a particular time, if, at that time:”.
5 Subrule 1.7(1) (subparagraph (c)(ii) of the definition of secondary user)
Repeal the subparagraph, substitute:
(ii) are eligible in relation to the data holder; and
(iii) in accordance with the requirements for the account, have given the data holder an instruction to treat the person as a secondary user for the purposes of these rules; and
(iv) have not withdrawn that instruction.
6 Paragraph 1.10AA(1)(d)
Repeal the paragraph, substitute:
(d) under which the CDR representative is required to comply with:
(i) any rules that are expressed as applying to a CDR representative; and
(ii) any consumer experience data standards that are expressed as applying to an accredited data recipient, as if the CDR representative were an accredited data recipient.
7 Paragraph 1.10C(2)(d)
Omit “ASIC Corporations (Financial Counselling Agencies) Instrument 2017/792”, substitute “Corporations Regulations 2001”.
8 Rule 1.11
Omit “a functionality for amending or withdrawing consents, and for withdrawing authorisations”, substitute “allow CDR consumers to manage consents and authorisations”.
9 Subparagraph 1.13(1)(c)(i)
Omit “manage”, substitute “withdraw”.
10 Subparagraph 1.13(1)(c)(ii)
Omit “revoke”, substitute “withdraw”.
11 Subparagraph 1.13(1)(d)(i)
Omit “manage”, substitute “withdraw”.
12 Subparagraph 1.13(1)(d)(ii)
Omit “revoke”, substitute “withdraw”.
13 Subrule 1.13(1) (note 4)
Repeal the note, substitute:
Note 4: To avoid doubt, a service may be offered in an online form even if this subrule does not require it to be an online service.
14 Paragraph 1.14(1)(c)
Repeal the paragraph, substitute:
(c) allows the CDR consumer, at any time, to withdraw a current consent; and
(d) as part of the process of withdrawing a consent, displays a message, in accordance with the data standards, about the consequences of proceeding with withdrawing a consent; and
(e) allows the CDR consumer to elect that redundant data be deleted in accordance with these rules and be able to withdraw such an election; and
(f) is simple and straightforward to use; and
(g) is prominently displayed and readily accessible to the CDR consumer.
15 Subrule 1.14(2A)
Omit all the words after “also”, substitute “allow a CDR consumer to amend a current consent”.
16 Subrule 1.14(4)
Repeal the subrule, substitute:
(4) An accredited person does not contravene paragraph (1)(f) if the accredited person takes reasonable steps to ensure that the online service complies with that paragraph.
17 Paragraphs 1.15(1)(c) and (d)
Repeal the paragraphs, substitute:
(c) allows the CDR consumer, at any time, to withdraw a current authorisation; and
(d) as part of the process of withdrawing an authorisation, displays a message, in accordance with the data standards, about the consequences of proceeding with withdrawing an authorisation; and
(e) is simple and straightforward to use, and is no more complicated to use than the process for giving the authorisation to disclose CDR data; and
(f) is prominently displayed and readily accessible to the CDR consumer; and
(g) contains any other details, and does anything else, required by these rules.
18 Subrule 1.15(4)
Repeal the subrule, substitute:
(4) A data holder does not contravene paragraph (1)(e) if the data holder takes reasonable steps to ensure that the online service complies with the paragraph.
19 Paragraph 1.15(5)(b)
Repeal the paragraph, substitute:
(b) allows the account holder, at any time, to withdraw the secondary user instruction; and
(c) as part of the process of withdrawing a secondary user instruction, displays a message, in accordance with the data standards, about the consequences of proceeding with withdrawing a secondary user instruction; and
(d) is simple and straightforward to use, and is no more complicated to use than the processes for giving the authorisation or instruction; and
(e) is prominently displayed and readily accessible to the account holder.
20 Subrule 1.15(5) (notes)
Repeal the notes, substitute:
Note: This subrule is a civil penalty provision (see rule 9.8).
21 Subrule 1.15(6)
Repeal the subrule, substitute:
(6) A data holder does not contravene paragraph (5)(d) if the data holder takes reasonable steps to ensure that the online service complies with the paragraph.
22 Paragraph 1.16A(2)(a)
Repeal the paragraph, substitute:
(a) fails to comply with a provision required to be included in the CDR representative arrangement by subrule 1.10AA(1), (3) or (4), or takes or omits to take action which would constitute a failure to comply with such a provision even if it is not included in the CDR representative arrangement; or
23 Subrule 1.16A(5)
Repeal the subrule.
24 Rule 4.6A (notes)
Repeal the notes, substitute:
Note: For paragraph (b)—for example, see subrules 4A.10(5) and (6) in relation to joint accounts.
25 Paragraph 4.12B(2)(a)
Omit “offers the consent amendment functionality referred to in”, substitute “allows a consent amendment in accordance with”.
26 Paragraph 4.20H(2)(a)
Omit “offers the consent amendment functionality referred to in”, substitute “allows an amendment to a consent in accordance with”.
27 Paragraph 4A.13(1)(d)
Repeal the paragraph, substitute:
(d) can be used by the relevant account holder to manage approvals in relation to each authorisation to disclose joint account data made by a requester; and
(e) allows for the withdrawal, at any time, of an approval in relation to each authorisation to disclose joint account data made by a requester; and
(f) as part of the process for withdrawing an approval in relation to an authorisation, displays a message, in accordance with the data standards, about the consequences of withdrawing an approval in relation to an authorisation; and
(g) is simple and straightforward to use; and
(h) is prominently displayed and readily accessible by a relevant account holder.
28 Subrule 4A.13(4)
Repeal the subrule, substitute:
(4) A data holder does not contravene paragraph (1)(g) if the data holder takes reasonable steps to ensure that the online service complies with the paragraph.
29 Subclauses 7.2(1) and (2) of Schedule 3
Repeal the subclauses, substitute:
(1) For the purposes of paragraph 56AJ(4)(c) of the Act, the following conditions are specified:
(a) the accredited person is an ADI;
(b) the accredited person has collected CDR data, or any data directly or indirectly derived from CDR data (together, the relevant CDR data), in accordance with a collection consent;
(c) the accredited person reasonably believes that the relevant CDR data is relevant to its supply of a product to the CDR consumer, for that data;
(d) either:
(i) the conditions specified in subclause (2); or
(ii) the conditions specified in subclause (2A).
Conditions involving notification prior to first collection
(2) For subparagraph (1)(d)(i), the conditions are:
(a) either:
(i) the accredited person is supplying the product to the CDR consumer; or
(ii) the accredited person has received an application from the CDR consumer for the supply of the product to the CDR consumer, or is aware that the CDR consumer proposes to apply for the supply of the product; and
(b) prior to the first collection of the relevant CDR data in accordance with the collection consent, the accredited person notified the CDR consumer that the accredited person would hold that data in accordance with the accredited person’s usual data holding practices for consumer data.
Note: If, prior to the first collection of the relevant CDR data, an accredited person has notified the CDR consumer in accordance with this subclause, the accredited person does not need to notify the CDR consumer again before collecting further data in accordance with the collection consent.
Conditions involving request for consent
(2A) For subparagraph (1)(d)(ii), the conditions are that:
(a) the accredited person is supplying the product to the CDR consumer; and
(b) the accredited person has requested the CDR consumer to consent to the accredited person changing from an accredited data recipient of the relevant CDR data to a data holder of the relevant CDR data; and
(c) the accredited person has informed the CDR consumer:
(i) that, if the consumer consents to that change, the privacy safeguards applicable to a data holder (rather than those applicable to an accredited data recipient) would apply to the accredited person in relation to the relevant CDR data; and
(ii) of the manner in which the accredited person proposes to treat the relevant CDR data; and
(iii) why the accredited person was entitled to request the consumer’s consent to the change; and
(iv) of the consequences of the consumer not giving their consent to the change; and
(d) the CDR consumer has consented.
30 After clause 1.4 of Schedule 4
Insert:
(1) For these rules, in relation to the energy sector, a plan is a trial product if the plan is offered:
(a) with the description “pilot” or “trial”; and
(b) with a statement that it will operate as a pilot or trial for a period that ends no more than 24 months after the initial offering (the trial period); and
(c) on the basis that the number of customers to be supplied with the plan for the purposes of the trial will be limited to no more than 2,000; and
(d) with a statement that the plan may be terminated before the end of the trial period and that, if it is, the CDR data in relation to the plan may not be available for data sharing under these rules.
(2) A plan will cease to be a trial product from the time any of the following occurs:
(a) the plan is supplied or offered after the end of the trial period;
(b) the plan begins to be supplied to more than 2,000 customers.
31 Before clause 3.1 of Schedule 4
Insert:
This Part does not apply in relation to a plan while it is a trial product.
Note: If a plan ceases to be a trial product in accordance with subclause 1.5(2) of this Schedule, the data holder must comply with its obligations under this Part in relation to the plan. The obligations cover any CDR data generated while the plan was a trial product.
32 Clause 8.1 of Schedule 4 (definition of complex request)
At the end of the definition, add:
; or (d) is made on behalf of a CDR consumer who has a nominated representative.
33 Subclause 8.4(1) of Schedule 4
Repeal the subclause.
34 Subclauses 8.4(2) and (3) of Schedule 4
After “Part 2”, insert “of these rules”.
35 Subclause 8.6(1) of Schedule 4
Repeal the subclause.
36 Subclauses 8.6(2) to (5) of Schedule 4
After “Part 4”, insert “of these rules”.
37 Subclause 8.6(6) of Schedule 4
Repeal the subclause, substitute:
Tranche 4—1 May 2024
(6) Part 4 of these rules applies to a larger retailer in relation to a complex request on and from the later of:
(a) the tranche 4 date; and
(b) the day that is 6 months after the day that it became a larger retailer.
38 Subclauses 8.6(7) and (8) of Schedule 4
Repeal the subclauses, substitute:
Application of Part 4 to small retailers that are accredited persons
(7) Part 4 of these rules applies to a person who is both a small retailer and an accredited person, except in relation to a complex request, on and from the later of the day that is 12 months after:
(a) the day that the person became an accredited person; and
(b) the day that the person became a small retailer.
(8) Part 4 of these rules applies to a person who is both a small retailer and an accredited person, in relation to a complex request, on and from the later of the day that is 18 months after:
(a) the day that the person became an accredited person; and
(b) the day that the person became a small retailer.
Part 2—Consent
Competition and Consumer (Consumer Data Right) Rules 2020
39 Rule 1.4
Omit “Under the data minimisation principle, the accredited person may only collect and use CDR data in order to provide goods or services in accordance with a request from a CDR consumer, and may only use it for that purpose, or for a limited number of other purposes which require an additional consent from the CDR consumer.”, substitute “Under the data minimisation principle, the accredited person may only collect, use and disclose CDR data in order to provide goods or services in accordance with a request from a CDR consumer, and may only use or disclose it for that purpose, or for a limited number of other purposes which require an additional consent from the CDR consumer.”.
40 Rule 1.8 (note)
Repeal the note.
41 Subrule 1.8(2)
Repeal the subrule, substitute:
(2) The use or disclosure of CDR data by an accredited person or a CDR representative complies with the data minimisation principle if, when providing the requested goods or services, or doing any other thing that constitutes a permitted use or disclosure of collected CDR data, the use or disclosure of the collected data, or any CDR data directly or indirectly derived from it, does not go beyond what is reasonably needed in order to provide the requested goods or services or to effect the permitted use or disclosure.
42 At the end of subrule 1.10A(1)
Add:
Note: A direct marketing consent or a de-identification consent could consist of either or both a use consent or a disclosure consent.
43 Rule 4.1
Omit “Collection and use of CDR data under this Part”, substitute “Collection, use and disclosure of CDR data under this Part”.
44 Rule 4.1
Omit “the collected data may be used only”, substitute “the collected data may be used or disclosed only”.
45 Rule 4.2 (note)
Omit “Note:”, substitute “Note 1:”.
46 Rule 4.2 (after Note 1)
Insert:
Note 2: An accredited data recipient may ask the CDR consumer for a collection consent, use consent and disclosure consent at the same time (see subrules 4.3(2) and (2A)).
47 Subrule 4.3(2A) (including the notes)
Repeal the subrule, substitute:
(2A) The accredited person may also ask a CDR consumer to give a disclosure consent in relation to CDR data, either:
Note 1: Requests for collection consent, use consent and disclosure consent may be bundled together (see subrules 4.3(2) and (2A)).
Note 2: The CDR data may be disclosed only in accordance with the data minimisation principle: see rule 1.8.
48 Subrule 4.3A(3) (including the notes)
Repeal the subrule, substitute:
(3) The CDR representative may also ask a CDR consumer to give a disclosure consent in relation to CDR data, either:
Note 1: Requests for collection consent, use consent and disclosure consent may be bundled together (see subrules 4.3A(2) and (3)).
Note 2: The CDR data may be disclosed only in accordance with the data minimisation principle: see rule 1.8.
49 Paragraph 4.4(1)(c)
Omit “collection consent and use consent”, substitute “collection consent, use consent and disclosure consent”.
50 Paragraph 4.4(1)(d)
Omit “collected and used”, substitute “collected, used and disclosed”.
51 Paragraph 4.7A(1)(c)
Omit “collection consent and use consent”, substitute “collection consent, use consent and disclosure consent”.
52 Paragraph 4.7A(1)(d)
Omit “collected and used”, substitute “collected, used and disclosed”.
53 Rule 4.10
Repeal the rule, substitute:
4.10 Requirements relating to seeking consent
A request by an accredited person for a CDR consumer to give or amend a consent:
(a) must comply with any relevant data standards; and
(b) having regard to any consumer experience guidelines made by the Data Standards Body—must be reasonably easy to understand, including by use of plain concise language and, where appropriate, visual aids; and
(c) must not include or refer to the accredited person’s CDR policy or other documents in a way that reduces understandability; and
(d) must not be combined with other requests except for a consent under these rules (other than a request for direct marketing or de-identification consent).
54 Paragraphs 4.11(1)(a), (b) and (ba)
Repeal the paragraphs, substitute:
(a) in the case of a collection consent or a disclosure consent—either:
(i) allow the CDR consumer to actively select or otherwise clearly indicate the particular types of CDR data to which the consent will apply; or
(ii) seek the CDR consumer’s agreement to the particular types of CDR data (as presented to the CDR consumer) to which the consent will apply; and
(aa) in the case of a use consent—either:
(i) allow the CDR consumer to actively select or otherwise clearly indicate the specific uses of collected data to which the consent will apply; or
(ii) seek the CDR consumer’s agreement to the specific uses of collected data (as presented to the CDR consumer) to which the consent will apply; and
(b) in relation to the period of the collection consent, use consent, or disclosure consent (as appropriate)—either:
(i) allow the CDR consumer to actively select or otherwise clearly indicate the period of consent; or
(ii) seek the CDR consumer’s agreement to the period of consent (as presented to the CDR consumer) to which the consent will apply;
where the period of consent is either:
(iii) a single occasion; or
(iv) a specified period of time; and
(ba) in the case of a disclosure consent―either:
(i) allow the CDR consumer to actively select or otherwise clearly indicate the persons to whom the CDR data may be disclosed; or
(ii) seek the CDR consumer’s agreement to the persons (as presented to the CDR consumer) to whom the CDR data may be disclosed; and
55 Paragraph 4.11(1)(c)
Repeal the paragraph, substitute:
(c) seek the CDR consumer’s express consent to the matters referred to in paragraphs (a), (aa), (b) and (ba) for each relevant category of consents; and
56 Subparagraph 4.11(1)(d)(ii)
Omit “actively select or otherwise”.
57 Subrule 4.11(1) (example)
Repeal the example.
58 Subrule 4.11(2)
Omit “present pre-selected options to the CDR consumer”, substitute “request direct marketing consents or de‑identification consents by means of pre-selected options”.
59 Paragraph 4.11(3)(c)
Repeal the paragraph, substitute:
(c) in the case of a collection consent, use consent or disclosure consent—information about how the collection, use or disclosure indicated in a manner consistent with the requirements set out in subrule (1) complies with the data minimisation principle, including:
(i) in the case of a collection consent in relation to the provision of requested goods or services—an explanation of why that collection is reasonably needed, and relates to a time period that is no longer than is reasonably needed; and
(ii) in the case of a use consent or disclosure consent—an explanation of why that use or disclosure does not go beyond what is reasonably needed;
in order to provide the requested goods or services to the CDR consumer, or to effect the permitted uses or disclosures consented to;
60 After paragraph 4.11(3)(d)
Insert:
(da) if the accredited person is seeking a direct marketing consent—information about how the CDR data may be used or disclosed in accordance with the consent;
61 Subparagraphs 4.11(3)(f)(ii) and (iii)
Repeal the subparagraphs, substitute:
(ii) the name of the OSP; and
(iii) the OSP’s accreditation number (if any); and
(iv) if the OSP is based overseas—the country in which it is based; and
(v) a link to a webpage where the accredited person’s CDR policy and the OSP’s CDR policy (if any) can be directly viewed; and
(vi) a statement detailing why the OSP needs to access the consumer’s CDR data; and
(vii) a statement that the consumer can obtain further information about why the OSP needs to access the consumer’s CDR data from the policy if desired;
62 Paragraph 4.11(3)(g)
Repeal the paragraph, substitute:
(g) a statement that, at any time, the consent can be withdrawn;
63 Subparagraphs 4.11(3)(i)(iv) and (v)
Repeal the subparagraphs, substitute:
(iv) if the sponsor is based overseas—the country in which it is based; and
(v) a link to a webpage where the sponsor’s CDR policy can be directly viewed; and
(vi) a statement detailing why the sponsor needs to access the consumer’s CDR data; and
(vii) a statement that the CDR consumer can obtain further information about collections or disclosures of CDR data from the sponsor’s CDR policy if desired.
64 Subrule 4.11(3) (note)
Omit “Note:”, substitute “Note 1:”.
65 Subrule 4.11(3) (after Note 1)
Insert:
Note 2: For paragraph (da), the uses or disclosures that are permitted under a direct marketing consent may be limited under another part of these rules (see subrule 7.5(3)).
66 Subrule 4.12(2) (not including the note)
Repeal the subrule, substitute:
(2) An accredited person must not ask for a collection consent, use consent or disclosure consent unless the collection, use or disclosure of CDR data in accordance with the consent would comply with the data minimisation principle.
67 Subrule 4.12C(2)
Repeal the subrule.
68 Rule 4.15
Omit “information relating to de-identification”, substitute “information the accredited person must give the CDR consumer when seeking a de‑identification consent”.
69 Rule 4.18
Repeal the rule, substitute:
An accredited person must give the CDR consumer a notice that complies with the data standards as soon as practicable after the CDR consumer:
(a) gives the accredited person a collection consent, use consent or disclosure consent; or
(b) amends a collection consent, use consent or disclosure consent given to an accredited person in accordance with this Division; or
(c) withdraws a collection consent, use consent or disclosure consent given to an accredited person in accordance with rule 4.13.
Note: This rule is a civil penalty provision (see rule 9.8).
70 Paragraph 4.18A(1)(b)
After “use consent”, insert “, or any disclosure consent,”.
71 Subrule 4.18A(2)
After “as soon as practicable”, insert “after the collection consent expires”.
72 Paragraph 4.18A(2)(a)
After “use consent”, insert “or disclosure consent”.
73 Rule 4.20 (heading)
Omit “collection consents and use consents”, substitute “current consents”.
74 Subrule 4.20(1)
Omit “consent or a use consent”, substitute “consent, use consent or disclosure consent”.
75 Subparagraph 4.20(1)(b)(iii)
Repeal the subparagraph, substitute:
(iii) the accredited person last notified the CDR consumer that the consent is still current.
76 Subrules 4.20(2), (3) and (4)
Repeal the subrules, substitute:
(2) The accredited person must notify the CDR consumer, in relation to each consent given by the CDR consumer that is still current, that the consent is still current.
Note: This subrule is a civil penalty provision (see rule 9.8).
(3) The notification must be given in accordance with the data standards.
Note: This subrule is a civil penalty provision (see rule 9.8).
77 Rule 4.20D
Repeal the rule, substitute:
4.20D Requirements relating to seeking consent
A request by a CDR representative for a CDR consumer to give or amend a consent:
(a) must comply with any relevant data standards; and
(b) having regard to any consumer experience guidelines developed by the Data Standards Body—must be reasonably easy to understand, including by use of plain concise language and, where appropriate, visual aids; and
(c) must not include or refer to the CDR representative principal’s CDR policy or other documents in a way that reduces understandability; and
(d) must not be combined with other requests except for a consent under these rules (other than a request for direct marketing or de-identification consent).
78 Paragraphs 4.20E(1)(a), (b) and (c)
(a) in the case of a collection consent or a disclosure consent—either:
(i) allow the CDR consumer to actively select or otherwise clearly indicate the particular types of CDR data to which the consent will apply; or
(ii) seek the CDR consumer’s agreement to the particular types of CDR data (as presented to the CDR consumer) to which the consent will apply; and
(aa) in the case of a use consent—either:
(i) allow the CDR consumer to actively select or otherwise clearly indicate the specific uses of collected data to which the consent will apply; or
(ii) seek the CDR consumer’s agreement to the specific uses of collected data (as presented to the CDR consumer) to which the consent will apply; and
(b) in relation to the period of the collection consent, use consent, or disclosure consent (as appropriate)—either:
(i) allow the CDR consumer to actively select or otherwise clearly indicate the period of consent; or
(ii) seek the CDR consumer’s agreement to the period of consent (as presented to the CDR consumer) to which the consent will apply;
where the period of consent is either:
(iii) a single occasion; or
(iv) a specified period of time; and
(c) in the case of a disclosure consent―either:
(i) allow the CDR consumer to actively select or otherwise clearly indicate the person to whom the CDR data may be disclosed; or
(ii) seek the CDR consumer’s agreement to the persons (as presented to the CDR consumer) to whom the CDR data may be disclosed; and
79 Paragraph 4.20E(1)(d)
Repeal the paragraph, substitute:
(d) seek the CDR consumer’s express consent to the matters referred to in paragraphs (a), (aa), (b) and (c) for each relevant category of consents; and
80 Subparagraph 4.20E(1)(e)(ii)
Omit “actively select or otherwise”.
81 Subrule 4.20E(1) (example)
Repeal the example.
82 Subrule 4.20E(1) (note 3)
Omit “an accredited data recipient”, substitute “a CDR representative”.
83 Subrule 4.20E(2)
Omit “pre-selected options”, substitute “direct marketing consents or de‑identification consents as pre-selected options”.
84 Paragraph 4.20E(3)(f)
Repeal the paragraph, substitute:
(f) in the case of a collection consent, use consent or disclosure consent—information about how the collection, use or disclosure indicated in a manner consistent with the requirements set out in subrule (1) complies with the data minimisation principle, including:
(i) in the case of a collection consent in relation to the provision of requested goods or services—an explanation of why that collection is reasonably needed, and relates to a time period that is no longer than is reasonably needed; and
(ii) in the case of a use consent or disclosure consent—an explanation of why that use or disclosure does not go beyond what is reasonably needed;
in order to provide the requested goods or services to the CDR consumer, or to effect the permitted uses or disclosures consented to;
85 After paragraph 4.20E(3)(g)
Insert:
(ga) in the case of a direct marketing consent—information about how the CDR data may be used or disclosed in accordance with the consent;
86 Paragraph 4.20E(3)(k)
Omit all words after “or of the CDR representative”, substitute:
principal:
(i) a statement of that fact; and
(ii) the name of the OSP; and
(iii) the OSP’s accreditation number (if any); and
(iv) if the OSP is based overseas—the country in which it is based; and
(v) a link to a webpage where the CDR representative principal’s CDR policy and the OSP’s CDR policy (if any) can be directly viewed; and
(vi) a statement detailing why the OSP needs to access the consumer’s CDR data;
87 Paragraph 4.20E(3)(m)
Repeal the paragraph, substitute:
(m) a statement that, at any time, the consent can be withdrawn;
88 Subrule 4.20E(3) (note)
Omit “Note:”, substitute “Note 1:”.
89 Subrule 4.20E(3) (after Note 1)
Insert:
Note 2: For paragraph (ga), the uses or disclosures that are permitted under a direct marketing consent may be limited under another part of these rules (see subrule 7.5(3)).
90 Subrule 4.20F(2) (not including the note)
Repeal the subrule, substitute:
(2) A CDR representative must not ask for a collection consent, a use consent or a disclosure consent unless the consent would comply with the data minimisation principle in respect of that collection or those uses or disclosures.
91 Subrule 4.20I(2)
Repeal the subrule.
92 Rule 4.20O
Repeal the rule, substitute:
A CDR representative must give the CDR consumer a notice that complies with the data standards as soon as practicable after:
(a) the CDR consumer gives the CDR representative a collection consent, a use consent or a disclosure consent; or
(b) the CDR consumer amends such a consent in accordance with this Division; or
(c) the CDR consumer withdraws such a consent in accordance with rule 4.20J.
Note: A failure to do this could make the CDR representative principal liable for a civil penalty (see rule 1.16A).
93 Paragraph 4.20Q(1)(b)
After “use consent”, insert “, or any disclosure consent,”.
94 Subrule 4.20Q(2)
After “as soon as practicable”, insert “after the collection consent expires”.
95 Paragraph 4.20Q(2)(a)
After “use consent”, insert “or disclosure consent”.
96 Rule 4.20U (heading)
Omit “collection consents and use consents”, substitute “current consents”.
97 Subrule 4.20U(1)
Omit “consent or a use consent”, substitute “consent, use consent or disclosure consent”.
98 Subparagraph 4.20U(1)(b)(iv)
Repeal the subparagraph, substitute:
(iv) the CDR representative or the CDR representative principal last notified the CDR consumer that the consent is still current.
99 Subrules 4.20U(2) to (4)
Repeal the subrules (including the note), substitute:
(2) The CDR representative must notify the CDR consumer, in relation to each consent given by the CDR consumer that is still current, that the consent is still current.
Note: A failure to do this could make the CDR representative principal liable for a civil penalty (see rule 1.16A).
(3) The notification must be given in accordance with the data standards.
Note: A failure to do this could make the CDR representative principal liable for a civil penalty (see rule 1.16A).
100 After paragraph 8.11(1)(f)
Insert:
(fa) requirements for a notice to be given to a CDR consumer under rule 4.18 or 4.20O (CDR receipts);
(fb) requirements for a notice to be given to a CDR consumer under subrule 4.20(3) or subrule 4.20U(3) (current consents);
101 Rule 9.8 (table items 34 and 35)
Repeal the items, substitute:
34 | rule 4.18 |
102 Rule 9.8 (after table item 42)
Insert:
42A | subrule 4.20(3) |
Part 3—Application provisions
Competition and Consumer (Consumer Data Right) Rules 2020
103 After Part 9
Insert:
Part 50—Transitional provisions
Division 50.1—Application provisions relating to the Competition and Consumer (Consumer Data Right) Amendment (2024 Measures No. 1) Rules 2024
In this Division:
principal rules means the Competition and Consumer (Consumer Data Right) Rules 2020.
amending rules means the Competition and Consumer (Consumer Data Right) Amendment (2024 Measures No. 1) Rules 2024.
501 Application—CDR representative arrangements
The amendments of rule 1.16A of the principal rules made by the amending rules apply on and after the day that is 12 months after the commencement of the amending rules.
502 Application—information presented to CDR consumer when accredited person asks for consent
The amendments of paragraph 4.11(3)(f) of the principal rules made by the amending rules apply on and after the day that is 12 months after the commencement of the amending rules.
503 Application—CDR receipts given by accredited persons
Rule 4.18 of the principal rules, as in force immediately before the commencement of the amending rules, continues to apply, on and after that commencement, to an accredited person until the coming into effect of data standards made for the purposes of paragraph 8.11(1)(fa) of the principal rules in relation to rule 4.18.
504 Application—notification of current consents by accredited persons
Rule 4.20 of the principal rules, as in force immediately before the commencement of the amending rules, continues to apply, on and after that commencement, to an accredited person until the coming into effect of data standards made for the purposes of paragraph 8.11(1)(fb) of the principal rules in relation to rule 4.20.
505 Application—information presented to CDR consumer when CDR representative asks for consent
The amendments of paragraph 4.20E(3)(k) of the principal rules made by the amending rules apply on and after the day that is 12 months after the commencement of the amending rules.
506 Application—CDR receipts given by CDR representatives
Rule 4.20O of the principal rules, as in force immediately before the commencement of the amending rules, continues to apply, on and after that commencement, to a CDR representative until the coming into effect of data standards made for the purposes of paragraph 8.11(1)(fa) of the principal rules in relation to rule 4.20O.
507 Application—notification of current consents by CDR representatives
Rule 4.20U of the principal rules, as in force immediately before the commencement of the amending rules, continues to apply, on and after that commencement, to a CDR representative until the coming into effect of data standards made for the purposes of paragraph 8.11(1)(fb) of the principal rules in relation to rule 4.20U.
508 Application—conditions for accredited persons to hold data as data holders
The amendments of clause 7.2 of Schedule 3 to the principal rules made by the amending rules do not apply to an accredited person in relation to CDR data, and any CDR data directly or indirectly derived from that data, if the person started to hold such data before the commencement of those amendments.