Johnson Winter & Slattery is engaged by major businesses, investment funds and government agencies as legal counsel on important transactions and disputes throughout Australia and surrounding regions.
We are continually evolving and adapting our diversity and inclusion programs to better support our people, clients and communities.
Our news and media coverage including major transaction announcements, practitioner appointments and team expansions.
We support a number of community initiatives and not for profit organisations across Australia through pro bono legal work and charitable donations.
Our firm provides a diverse range of opportunities for talented, enthusiastic people to develop brilliant legal careers.
In May 2018, the Federal Government announced its intention to introduce a Consumer Data Right (CDR) across the whole economy in Australia, starting with the banking sector from 1 July 2019 and with the energy and telecommunications sectors to follow.
The CDR will oblige participants in affected sectors to share certain data they have collected about their consumer customers (i.e. “CDR Data”) with other participants (i.e. including competitors). At present, despite the looming start date, the legislation creating the CDR has not yet been passed and the specific details of what data is caught and how it is to be securely shared has not yet been finalised.
Organisations (particularly in the energy and telecommunication sectors) should pay close attention to how the CDR is implemented in the banking sector to ensure they are ready, as the transition window for them may be short. Steps that can be taken now include:
Taking these steps now will enable organisations to prepare themselves for the implementation of the CDR in their industry sectors while the rule book is still being written.
Currently, the draft Bill provides that consumers will have a right to direct their service provider to provide some or all of the designated CDR Data they hold to be shared with one or more other accredited organisations in the affected industry sector. To be entitled to receive this CDR Data, an organisation will need to be “accredited” to the level of security necessary for the relevant data. The types of CDR Data will be designated by the Minister, which means it can change quite rapidly. Currently it appears that CDR Data in the banking sector will include: personal information about each consumer; information about banking products and information about how the consumer has used those products.
The responsibility for developing the accreditation for CDR Data recipients, and the Open Banking standard for the APIs and infrastructure facilitating transfer of CDR Data has been designated to the Consumer Data Standards team within Data61 (the CSIRO’s digital innovation arm). Working drafts of the standards are available at consumerdatastandards.org.au.
CDR Data will be protected by 13 “Privacy Safeguards” which are based on the 13 Australian Privacy Principles and will operate concurrently. This means most CDR Data that is also personal information will need to comply with both the Privacy Safeguards and Australian Privacy Principles, though there will be some nuances in application, depending on whether the CDR Data is being held, transmitted or received and whether that CDR Data is also personal information.
As with privacy compliance, much of the Safeguards centre on the consent provided by the consumer. The effectiveness of the consent may be lost by bundled, unclear or generic consents buried in a policy or set of terms. This may be further complicated by the proposed tiered accreditation, which may limit the classes of CDR Data that can be transferred to accredited organisations in different tiers, which in turn means the consent process must accommodate those tiers.
Should a CDR Data recipient or holder fail to comply with applicable Privacy Safeguards, a civil penalty may be issued against them. Treasury is considering civil penalties for breaches of the Privacy Safeguards of up to $500,000 for individuals and $10,000,000 for corporations; three times the total value of any benefits obtained; or 10% of the annual turnover of the company, which are aligned with Part VI of Competition and Consumer Act 2010 penalty amounts.
Unlike the Privacy Act, the CDR will provide an aggrieved party with a direct right of action against a non-compliant organisation. The Treasury also notes in their CDR Privacy Impact Assessment paper that this may give rise to consumers taking class-action against entities who have breached the new Privacy Safeguards.
Be the first to receive the latest articles, news and publications.
Who makes decisions about the development of Australia’s offshore oil & gas resources, and who pays to decommission end-of-life assets, have been high on the news agenda since the owner of the...
We have advised on the establishment of Gurīn Energy, a new Asian renewable energy development platform backed by Infratil Limited.
On 27 August 2021, the Department of the Treasury of the Australian Government (Treasury) released a package of documents including exposure draft legislation and exposure draft explanatory...