Australian watchdog releases consumer data right privacy guidelines

Australia’s data watchdog has released guidance for businesses on how to protect consumers’ privacy under the country’s new consumer data right. 

The Office of the Australian Information Commissioner’s guidelines, released yesterday, say data can only be shared at the consumer’s request, for a specific purpose, and for a limited time period. Consumers will also have the right to request their data be deleted if it is no longer needed by the business. 

The rules will be rolled out for the banking sector in July 2020 and will be extended to cover other sectors, including energy and telecommunications, at a later date. The right – a form of data portability – is intended to give consumers greater choice and control over how their data is used and disclosed.   

The rules will be jointly administered by the OAIC and the Australian Competition and Consumer Commission (ACCC), the country’s competition watchdog. The ACCC released its own guidelines on 4 February, which clarified banks’ data-sharing obligations and addressed the technical aspects of transfer.

“The CDR Privacy Safeguard Guidelines set out how businesses must protect consumers’ data under the new Consumer Data Right,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said in a press release. “They build on Australia’s existing privacy framework and provide detailed guidance for businesses handling consumers’ data in the new system to ensure it is protected.”

Angela Flannery, a partner at Holding Redlich in Sydney, told GDR the initial rollout is “Australia’s version of open banking,” but added the framework has been set up so it can be applied in other sectors. 

McCullough Robertson partner Alex Hutchens described the right as “a measure designed to make it easier for customers to more easily move between service providers.” 

Hutchens said that the right was “more a consumer protection measure than a privacy protection”, feeding into related concerns about the power imbalance between large service providers and consumers. Hutchens said it also feeds into a broader trend towards increasing personal privacy rights. 

Flannery, however, said the entire consumer data right regime “reflects a move towards treating personal information as a commodity to be traded… rather than treating a right to privacy as a human right.” 

She said it would be “interesting” to see how this develops, noting that the government has agreed to undertake a general review of the country’s Privacy Act in 2020 and 2021 in response to the ACCC’s digital platforms inquiry. The ACCC released the results of its study last year and drew harsh criticism from Facebook, which issued a point-by-point rebuttal.

Flannery said a number of stakeholders are unhappy with the consumer data right, something she said emerged after “extensive” consultations between the relevant watchdogs and government. 

She said this has led to a position where some consumer groups are still concerned over inadequate protections while other stakeholders – such as fintech companies – complain there are too many rules. However, Flannery said that one of the benefits of the legislation is the fact that “not all of the rules are set out in the legislation.” She said there is a “flexibility” to set rules outside of the actual legislation and that these might be tailored or changed over time to suit the needs of different sectors.
