The Office of the Minister of Commerce and Consumer Affairs has released a Cabinet Paper outlining further decisions on the Consumer Data Right (CDR). Subject to Cabinet agreement, the decisions made in this paper will inform the shape and content of the upcoming CDR Bill. In this article, we’ll talk about a few of the more interesting decisions.
CDR will support competition and increase consumer control
As a reminder, the CDR will require businesses that hold data to share prescribed data that they hold about consumers (CDR data) with trusted third parties, on the consumer’s request and with the consumer’s consent. The CDR is expected to support competition, productivity and innovation in the economy, and increase customer welfare by giving consumers more control over their data, enabling them to shop for services.
Banking should be the first sector to which CDR will apply
To decide which sector should be first for CDR, the Minister assessed several sectors against a set of criteria – including the opportunities a designation could realise, the speed with which CDR could be implemented in the sector, and whether data sharing in the sector was likely without regulatory intervention.
The banking sector received the highest score against these criteria. The Minister determined that ‘open banking’ would enable customers to consent to their data being shared to obtain value-added financial services, and that the sector had already made significant progress towards open banking but that there were obstacles to banks entering the necessary bilateral agreements. Financial services, energy and health also ranked highly, and could be next.
Enforcement powers will be shared between the Commerce Commission and the Privacy Commissioner
Reflecting the CDR’s dual purposes of supporting competition and consumer rights, and bolstering existing access rights contained in the Privacy Act 2020, the Minister proposes to create a shared enforcement regime. The Commerce Commission would be responsible for protecting against harms to the CDR system and ensuring trust in the system. The Privacy Commissioner would be responsible for protecting against harms to individuals caused by privacy-related breaches, including providing a consumer dispute resolution function. It is anticipated that the Privacy Commissioner could collaborate with the Commerce Commission – under a memorandum of understanding – to address patterns of misconduct.
CDR Act will contain prescriptive privacy obligations
The CDR Act will contain a set of privacy obligations that prescribe how CDR data must be used, collected, disclosed or stored in the specific context of CDR. These obligations will be over and above the obligations contained in the Privacy Act’s information privacy principles. The Minister anticipates that this could be implemented by providing that Part 5 of the Privacy Act (complaints etc), applies to breaches of certain CDR obligations.
Importantly, the powers and remedies available to the Privacy Commissioner would not change, and the Privacy Commissioner will not be able to issue infringement notices under the CDR Act. However, as noted above, the Privacy Commissioner could refer certain matters to the Commerce Commission for enforcement.
The Minister notes that many of the elements of the CDR – including enforcement – will have significant costs, which might be covered by fees, sector levies and taxation. It will be interesting to see whether the Privacy Commissioner will receive additional funding for what could be a significant increase in their workload.
A comprehensive compliance and enforcement toolkit will include significant fines
The Commerce Commission, as the CDR enforcement agency, would have access to the powers and remedies proposed in the new CDR Act. These are significant, and include a tiered penalty regime under which the Commerce Commission could issue fines (either via infringement notices or – for the higher penalties – by prosecuting a case in court) for breaches of CDR obligations. The most egregious breaches – involving deliberate or reckless behaviour – would be subject to serious criminal offences and fines of up to $1,000,000 for an individual or, for a body corporate, the greater of $5,000,000 or either (a) three times the value of any commercial gain (from using the CDR data) or (b) 10% of the turnover in the periods in which the breach occurred.
CDR penalties puts privacy further out of step
It is helpful to see this further detail on the CDR, particularly for agencies in the banking sector that must now contemplate the complexity and cost of getting ready for the new obligations and risks the CDR Act will create. It is also heartening to see the government now moving towards penalty regimes that come close to overseas practice.
However, it is perplexing that the government did not have the foresight, or perhaps the confidence, to propose these sorts of penalties when reviewing the Privacy Act only a few years ago. It seems perverse for the CDR to carry such liability while the many fundamental rights and obligations contained in the Privacy Act carry almost none. If this imbalance is not addressed soon, or at the same time as the CDR Bill makes its way through the legislative process, we could see too strong a focus on compliance with the CDR at the expense of other important privacy obligations.
We’ll keep tracking the progress of the CDR, and the upcoming CDR Bill, and will post more on this topic as the details are finalised.