TREASURY LAWS AMENDMENT (CONSUMER DATA RIGHT) BILL 2019
This is a Bill, not an Act. For current law, see the Acts databases.
TREASURY LAWS AMENDMENT (CONSUMER DATA RIGHT) BILL 2019
2019
The Parliament of the
Commonwealth of Australia
HOUSE OF REPRESENTATIVES
Presented and read a first time
Treasury Laws Amendment (Consumer
Data Right) Bill 2019
No. , 2019
(Treasury)
A Bill for an Act to amend the law relating to
competition, fair trading, consumer protection and
privacy, and for related purposes
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
i
Contents
1
Short title ........................................................................................... 1
2
Commencement ................................................................................. 1
3
Schedules ........................................................................................... 2
Schedule 1--Consumer data right
3
Part 1--Main amendments
3
Competition and Consumer Act 2010
3
Part 2--Other amendments
91
Australian Information Commissioner Act 2010
91
Competition and Consumer Act 2010
92
Privacy Act 1988
105
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
1
A Bill for an Act to amend the law relating to
1
competition, fair trading, consumer protection and
2
privacy, and for related purposes
3
The Parliament of Australia enacts:
4
1 Short title
5
This Act is the Treasury Laws Amendment (Consumer Data Right)
6
Act 2019.
7
2 Commencement
8
(1) Each provision of this Act specified in column 1 of the table
9
commences, or is taken to have commenced, in accordance with
10
column 2 of the table. Any other statement in column 2 has effect
11
according to its terms.
12
13
2
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
Commencement information
Column 1
Column 2
Column 3
Provisions
Commencement
Date/Details
1. The whole of
this Act
The day after this Act receives the Royal
Assent.
Note:
This table relates only to the provisions of this Act as originally
1
enacted. It will not be amended to deal with any later amendments of
2
this Act.
3
(2) Any information in column 3 of the table is not part of this Act.
4
Information may be inserted in this column, or information in it
5
may be edited, in any published version of this Act.
6
3 Schedules
7
Legislation that is specified in a Schedule to this Act is amended or
8
repealed as set out in the applicable items in the Schedule
9
concerned, and any other item in a Schedule to this Act has effect
10
according to its terms.
11
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
3
Schedule 1--Consumer data right
1
Part 1--Main amendments
2
Competition and Consumer Act 2010
3
1 After Part IVC
4
Insert:
5
Part IVD--Consumer data right
6
Division 1--Preliminary
7
Subdivision A--Object and simplified outline
8
56AA Object of this Part
9
The object of this Part is:
10
(a) to enable consumers in certain sectors of the Australian
11
economy to require information relating to themselves in
12
those sectors to be disclosed safely, efficiently and
13
conveniently:
14
(i) to themselves for use as they see fit; or
15
(ii) to accredited persons for use subject to privacy
16
safeguards; and
17
(b) to enable any person to efficiently and conveniently access
18
information in those sectors that:
19
(i) is about goods (such as products) or services; and
20
(ii) does not relate to any identifiable, or reasonably
21
identifiable, consumers; and
22
(c) as a result of paragraphs (a) and (b), to create more choice
23
and competition, or to otherwise promote the public interest.
24
56AB Simplified outline
25
Rules made under this Part may:
26
Schedule 1 Consumer data right
Part 1 Main amendments
4
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(a)
enable consumers in certain sectors of the Australian
1
economy to require information relating to themselves in
2
those sectors to be disclosed to themselves or to
3
accredited persons; and
4
(b)
enable any person to be disclosed information in those
5
sectors that is about goods (such as products) or
6
services, and does not relate to any identifiable, or
7
reasonably identifiable, consumers; and
8
(c)
may require these kinds of disclosures, and other things,
9
to be done in accordance with data standards.
10
A register is to be kept of accredited persons.
11
Privacy safeguards apply. These mainly apply to accredited
12
persons who, under those rules, are disclosed information relating
13
to identifiable, or reasonably identifiable, consumers.
14
Subdivision B--Designating sectors subject to the consumer
15
data right
16
56AC Designated sectors subject to the consumer data right
17
Designating a sector
18
(1) A designated sector means a sector of the Australian economy
19
designated under subsection (2).
20
(2) The Minister may, by legislative instrument, designate a sector of
21
the Australian economy by specifying:
22
(a) classes of information (the designated information); and
23
(b) persons who hold one or more specified classes of the
24
designated information (or on whose behalf such information
25
is held); and
26
(c) the earliest day (the earliest holding day) applicable to the
27
sector for beginning to hold the designated information; and
28
(d) each of the classes of information within the designated
29
information for which a person may charge a fee if:
30
(i) the person is required under the consumer data rules to
31
disclose information within that class to another person
32
in specified circumstances; or
33
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
5
(ii) another person uses information within that class in
1
specified circumstances as the result of a disclosure
2
required of the first-mentioned person under the
3
consumer data rules; and
4
(e) if the sector is to have one or more gateways:
5
(i) the particular persons who are gateways; and
6
(ii) for each of those persons, the classes of information
7
within the designated information for which the person
8
is a gateway.
9
Note 1:
The persons specified under paragraph (b):
10
(a) may be specified by class (see subsection 13(3) of the Legislation
11
Act 2003); and
12
(b) will be holders of the information, rather than the consumers to
13
whom the information relates; and
14
(c) may not be the only holders of the information who can be
15
required to disclose it under the consumer data rules (see
16
section 56AJ (about the meaning of data holder)).
17
Note 2:
While a class of information specified under paragraph (b), (d) or (e)
18
needs to be of the information specified under paragraph (a), it need
19
not be the same class as a class specified under paragraph (a).
20
Note 3:
Subparagraph (e)(i) allows only particular persons to be specified, not
21
classes of persons.
22
Note 4:
For variation and repeal, see subsection 33(3) of the Acts
23
Interpretation Act 1901.
24
Geographical limitation on information that can be designated
25
(3) Despite paragraph (2)(a), treat a class of information specified as
26
described in that paragraph as only including so much of the
27
information in that class as:
28
(a) has at any time been generated or collected wholly or partly
29
in Australia or the external Territories, and:
30
(i) has been so generated or collected by (or on behalf of)
31
one or more Australian persons; or
32
(ii) relates to one or more Australian persons (other than the
33
persons who so generated or collected it); or
34
(iii) relates to goods or services supplied, or offered for
35
supply, to one or more Australian persons; or
36
(b) has only ever been generated and collected outside of
37
Australia and the external Territories, and:
38
Schedule 1 Consumer data right
Part 1 Main amendments
6
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(i) has been so generated or collected by (or on behalf of)
1
one or more Australian persons; and
2
(ii) relates to one or more Australian persons (other than the
3
persons who so generated or collected it), or relates to
4
goods or services supplied, or offered for supply, to one
5
or more Australian persons.
6
In this subsection, Australian person has the same meaning as in
7
subsection 56AO(5).
8
Limitation on the earliest holding day
9
(4) While the earliest holding day may be before the day the
10
instrument under subsection (2) is made, the earliest holding day
11
must not be earlier than the first day of the calendar year that is 2
12
years before the calendar year in which that instrument is made.
13
Example: The instrument is made on 1 July 2020. The earliest holding day could
14
be 1 January 2018, but not before.
15
Note:
The earliest holding day helps to work out if a person is a data holder
16
of information specified under paragraph (2)(a), and so whether that
17
information is subject to the consumer data right.
18
56AD Minister's tasks before designating a sector etc.
19
(1) Before making an instrument under subsection 56AC(2), the
20
Minister must consider all of the following:
21
(a) the likely effect of making the instrument on:
22
(i) the interests of consumers; and
23
(ii) the efficiency of relevant markets; and
24
(iii) the privacy or confidentiality of consumers'
25
information; and
26
(iv) promoting competition; and
27
(v) promoting data-driven innovation; and
28
(vi) any intellectual property in the information to be
29
covered by the instrument; and
30
(vii) the public interest;
31
(b) the likely regulatory impact of allowing the consumer data
32
rules to impose requirements relating to the information to be
33
covered by the instrument;
34
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
7
(c) the following matters when considering whether to specify a
1
class of information, as described in paragraph 56AC(2)(d),
2
in the instrument:
3
(i) whether not specifying that class could result in an
4
acquisition of property (within the meaning of
5
paragraph 51(xxxi) of the Constitution);
6
(ii) whether holders of information within that class
7
currently charge a fee for disclosing such information;
8
(iii) whether the incentive to generate, collect, hold or
9
maintain information within that class would be reduced
10
if that class were not so specified;
11
(iv) the marginal cost of the disclosures required under the
12
consumer data rules of information within that class;
13
(d) whether one or more gateways need to be specified in the
14
instrument in order to facilitate access to the information to
15
be covered by the instrument;
16
(e) any other matters the Minister considers relevant.
17
Note:
The consumers could be individuals or other persons such as
18
companies (see also subsection 56AI(4)).
19
(2) Before making an instrument under subsection 56AC(2), the
20
Minister must:
21
(a) consult each of the following about the matters in
22
paragraphs (1)(a) to (e) of this section:
23
(i) the Commission;
24
(ii) any person or body prescribed by the regulations; and
25
(b) wait at least 60 days after the day the Commission publishes
26
its report arising from that consultation (see section 56AE).
27
(3) Before making an instrument under subsection 56AC(2), the
28
Minister must consult the Information Commissioner about the
29
likely effect of making the instrument on the privacy or
30
confidentiality of consumers' information.
31
56AE Commission must analyse, consult and report about an
32
instrument proposing to designate a sector
33
(1) When the Commission is consulted under subsection 56AD(2), the
34
Commission must:
35
Schedule 1 Consumer data right
Part 1 Main amendments
8
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(a) analyse the matters in paragraphs 56AD(1)(a) to (e) in
1
relation to the instrument; and
2
(b) consult the public about those matters in relation to the
3
instrument:
4
(i) for at least 28 days; and
5
(ii) in one or more ways that includes making information
6
available on the Commission's website and inviting the
7
public to comment; and
8
(c) consult each of the following about those matters in relation
9
to the instrument:
10
(i) the Information Commissioner;
11
(ii) the person or body (if any) that the Commission
12
believes to be the primary regulator of the sector that the
13
instrument would designate;
14
(iii) any person or body prescribed by the regulations; and
15
(d) report to the Minister about that analysis and consultation.
16
(2) The Commission must publish the report on its website.
17
56AF Information Commissioner must analyse and report about an
18
instrument proposing to designate a sector
19
(1) When the Information Commissioner is consulted under
20
subsection 56AD(3), the Information Commissioner must:
21
(a) analyse the likely effect of making the instrument on the
22
privacy or confidentiality of consumers' information; and
23
(b) report to the Minister about that analysis.
24
(2) The Information Commissioner must publish the report on the
25
Information Commissioner's website, except for any excluded part
26
of the report.
27
(3) In deciding whether or not to exclude a part of the report from
28
publication, the Information Commissioner must:
29
(a) have regard to the need to prevent the matters in
30
subsection 33(2) of the Privacy Act 1988; and
31
(b) try to achieve an appropriate balance between the need to
32
prevent those matters and the desirability of ensuring that
33
interested persons are sufficiently informed of the
34
Information Commissioner's analysis in the report.
35
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
9
56AG Commission may recommend that a sector be designated etc.
1
(1) The Commission may, in writing, recommend to the Minister that
2
the Minister make an instrument under subsection 56AC(2):
3
(a) designating a particular sector of the Australian economy; or
4
(b) varying or revoking an instrument designating a sector under
5
that subsection.
6
The Commission must publish the recommendation on its website.
7
(2) However, before making a recommendation under subsection (1),
8
the Commission must do all of the following:
9
(a) analyse the matters in paragraphs 56AD(1)(a) to (d) in
10
relation to the proposed instrument;
11
(b) consult the public about those matters in relation to the
12
proposed instrument:
13
(i) for at least 28 days; and
14
(ii) in one or more ways that includes making information
15
available on the Commission's website and inviting the
16
public to comment;
17
(c) consult each of the persons or bodies covered by
18
paragraph 56AE(1)(c) about those matters in relation to the
19
proposed instrument;
20
(d) report to the Minister about that analysis and consultation;
21
(e) publish the report on the Commission's website.
22
(3) If the Commission publishes under subsection (1) a
23
recommendation that the Minister make a proposed instrument, the
24
Minister must wait at least a further 60 days before making the
25
instrument under subsection 56AC(2).
26
Note:
The Minister must also consult the Information Commissioner about
27
the proposed instrument (see subsection 56AD(3)).
28
(4) Neither subsection 56AD(2) nor section 56AE applies in relation to
29
a proposed instrument recommended under subsection (1) of this
30
section.
31
56AH Other matters
32
A failure to comply with section 56AD, 56AE, 56AF or 56AG
33
does not invalidate an instrument made under subsection 56AC(2).
34
Schedule 1 Consumer data right
Part 1 Main amendments
10
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
Subdivision C--Meanings of key terms
1
56AI Meanings of CDR data, directly or indirectly derived and CDR
2
consumer
3
(1) CDR data is information that:
4
(a) is within a class of information specified, as described in
5
paragraph 56AC(2)(a), in an instrument designating a sector
6
under subsection 56AC(2); or
7
(b) is not covered by paragraph (a) of this subsection, but is
8
wholly or partly derived from information covered by:
9
(i) paragraph (a) of this subsection; or
10
(ii) a previous application of this paragraph.
11
Note 1:
Geographical limitations may cause some information within a class
12
specified as described in paragraph 56AC(2)(a) to be disregarded (see
13
subsection 56AC(3)), which means it will not be CDR data.
14
Note 2:
Information covered by paragraph (b) includes information derived
15
from information covered by paragraph (a), information derived from
16
that derived information, and so on.
17
Note 3:
Information covered by paragraph (b), for which there is a CDR
18
consumer, cannot be required to be disclosed under the consumer data
19
rules (see subsection 56BD(1)).
20
Note 4:
Only certain kinds of CDR data for which there are no CDR
21
consumers (also known as product data) can be required to be
22
disclosed under the consumer data rules (see subsection 56BF(1)).
23
(2) CDR data is directly or indirectly derived from other CDR data if
24
the first-mentioned CDR data is wholly or partly derived from the
25
other CDR data after one or more applications of paragraph (1)(b).
26
(3) A person is a CDR consumer for CDR data if:
27
(a) the CDR data relates to the person because:
28
(i) of the supply of a good or service to the person or to one
29
or more of the person's associates (within the meaning
30
of section 318 of the Income Tax Assessment Act 1936);
31
or
32
(ii) of circumstances of a kind prescribed by the regulations;
33
and
34
(b) the CDR data is held by another person who:
35
(i) is a data holder of the CDR data; or
36
(ii) is an accredited data recipient of the CDR data; or
37
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
11
(iii) is holding the CDR data on behalf of a person
1
mentioned in subparagraph (i) or (ii); and
2
(c) the person is identifiable, or reasonably identifiable, from:
3
(i) the CDR data; or
4
(ii) other information held by the other person referred to in
5
paragraph (b); and
6
(d) none of the conditions (if any) prescribed by the regulations
7
apply to the first-mentioned person in relation to the CDR
8
data.
9
(4) Subsection 4B(1) (about consumers) does not apply to this Part.
10
56AJ Meaning of data holder
11
(1) A person is a data holder, of CDR data, if:
12
(a) the CDR data:
13
(i) is information within a class of information specified, as
14
described in paragraph 56AC(2)(a), in an instrument
15
designating a sector under subsection 56AC(2) (the
16
designation instrument); or
17
(ii) is directly or indirectly derived from information
18
covered by subparagraph (i); and
19
(b) the CDR data is held by (or on behalf of) the person, and
20
began to be so held on or after the earliest holding day
21
specified in the designation instrument; and
22
(c) the person is not a designated gateway for the CDR data; and
23
(d) subsection (2), (3) or (4) applies to the person and the CDR
24
data.
25
Note 1:
Geographical limitations may cause some information within a class
26
specified as described in paragraph 56AC(2)(a) to be disregarded (see
27
subsection 56AC(3)), which means it will not be CDR data.
28
Note 2:
If the person begins holding the CDR data before the earliest holding
29
day, the person:
30
(a) will not be a data holder of the CDR data; and
31
(b) will not be required to disclose it under the consumer data rules.
32
First case--person is also specified in the designation instrument
33
(2) This subsection applies to a person and CDR data if:
34
(a) the person, or a class of persons to which the person belongs,
35
is specified, as described in paragraph 56AC(2)(b), in the
36
Schedule 1 Consumer data right
Part 1 Main amendments
12
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
designation instrument as holding a class of information to
1
which the CDR data belongs; and
2
(b) neither the CDR data, nor any other CDR data from which it
3
was directly or indirectly derived, was disclosed to the person
4
under the consumer data rules.
5
Second case--reciprocity arising from the person being disclosed
6
other CDR data under the consumer data rules
7
(3) This subsection applies to a person and CDR data if:
8
(a) neither the CDR data, nor any other CDR data from which it
9
was directly or indirectly derived, was disclosed to the person
10
under the consumer data rules; and
11
(b) the person is an accredited data recipient of other CDR data.
12
Note 1:
Paragraph (b) is referring to other CDR data not covered by
13
paragraph (a).
14
Note 2:
The other CDR data referred to in paragraph (b) could be within a
15
class of information specified in another instrument designating a
16
different sector under subsection 56AC(2).
17
Third case--conditions in the consumer data rules are met
18
(4) This subsection applies to a person and CDR data if:
19
(a) the person is an accredited person; and
20
(b) the CDR data, or any other CDR data from which it was
21
directly or indirectly derived, was disclosed to the person
22
under the consumer data rules; and
23
(c) the conditions specified in the consumer data rules are met.
24
56AK Meaning of accredited data recipient
25
A person is an accredited data recipient, of CDR data, if:
26
(a) the person is an accredited person; and
27
(b) the CDR data is held by (or on behalf of) the person; and
28
(c) the CDR data, or any other CDR data from which it was
29
directly or indirectly derived, was disclosed to the person
30
under the consumer data rules; and
31
(d) the person is neither a data holder, nor a designated gateway,
32
for the first-mentioned CDR data.
33
Note:
For paragraph (d), the person will be a data holder of that CDR data if
34
subsection 56AJ(4) applies.
35
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
13
56AL Meanings of CDR participant and designated gateway
1
(1) A CDR participant, for CDR data, is a data holder, or an
2
accredited data recipient, of the CDR data.
3
(2) A person is a designated gateway, for CDR data, if:
4
(a) the person is specified as a gateway, as described in
5
subparagraph 56AC(2)(e)(i), in an instrument designating a
6
sector under subsection 56AC(2); and
7
(b) the CDR data is information within a class, specified in that
8
instrument, for which the person is a gateway; and
9
(c) the CDR data is, or is to be, disclosed to the person under the
10
consumer data rules because the person is:
11
(i) acting as described in a subparagraph of
12
paragraph 56BG(1)(a) or (b); or
13
(ii) if there are no consumers for the CDR data--acting
14
between a CDR participant for the CDR data and a
15
person requesting a disclosure of the CDR data;
16
and not because the person is an accredited person or a CDR
17
consumer for the CDR data.
18
56AM Meanings of chargeable CDR data, chargeable circumstances
19
and fee-free CDR data
20
(1) CDR data is chargeable CDR data if the CDR data is information
21
within a class specified, as described in paragraph 56AC(2)(d), in
22
an instrument designating a sector under subsection 56AC(2) (the
23
designation instrument).
24
(2) The chargeable CDR data is disclosed in chargeable
25
circumstances if it is disclosed in circumstances specified:
26
(a) for that class of information; and
27
(b) as described in subparagraph 56AC(2)(d)(i);
28
in the designation instrument.
29
(3) The chargeable CDR data is used in chargeable circumstances if it
30
is used in circumstances specified:
31
(a) for that class of information; and
32
(b) as described in subparagraph 56AC(2)(d)(ii);
33
in the designation instrument.
34
Schedule 1 Consumer data right
Part 1 Main amendments
14
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(4) CDR data is fee-free CDR data if it is not chargeable CDR data.
1
Subdivision D--Extension to external Territories and
2
extraterritorial operation
3
56AN Extension to external Territories
4
Each of the following provisions (the CDR provisions) extends to
5
every external Territory:
6
(a) a provision of this Part;
7
(b) a provision of the regulations made for the purposes of a
8
provision of this Part;
9
(c) a provision of the consumer data rules;
10
(d) another provision of this Act to the extent that it relates to a
11
provision covered by paragraph (a), (b) or (c);
12
(e) a provision of the Regulatory Powers Act to the extent that it
13
applies in relation to a provision of this Part;
14
(f) a provision of the Privacy Act 1988 to the extent that it
15
applies as described in section 56ES or 56ET of this Act.
16
56AO Extraterritorial operation of the CDR provisions
17
CDR provisions generally apply inside and outside Australia
18
(1) Subject to subsections (2) and (3), the CDR provisions extend to
19
acts, omissions, matters and things outside Australia.
20
CDR provisions apply for CDR data held inside Australia
21
(2) To the extent that the CDR provisions have effect in relation to
22
CDR data held within Australia, the CDR provisions apply in
23
relation to all persons (including foreign persons).
24
CDR provisions can apply for CDR data held outside Australia
25
(3) To the extent that the CDR provisions have effect in relation to an
26
act, or omission, relating to CDR data held outside Australia, the
27
CDR provisions only apply if:
28
(a) the act or omission is by (or on behalf of) an Australian
29
person; or
30
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
15
(b) the act or omission occurs wholly or partly in Australia, or
1
wholly or partly on board an Australian aircraft or an
2
Australian ship; or
3
(c) the act or omission occurs wholly outside Australia, and an
4
Australian person suffers, or is likely to suffer, financial or
5
other disadvantage as a result of the act or omission.
6
Interpretation
7
(4) For the purposes of subsection (3), if a person's act or omission
8
includes sending, omitting to send, causing to be sent or omitting
9
to cause to be sent an electronic communication or other thing:
10
(a) from a point outside Australia to a point inside Australia; or
11
(b) from a point inside Australia to a point outside Australia;
12
that act or omission is taken to have occurred partly in Australia.
13
(5) In this section:
14
Australia, when used in a geographical sense, includes all the
15
external Territories.
16
Australian person means:
17
(a) a body corporate established by or under a law of the
18
Commonwealth, of a State or of a Territory; or
19
(b) an Australian citizen, a permanent resident (within the
20
meaning of the Australian Citizenship Act 2007), or any other
21
person ordinarily resident within Australia or an external
22
Territory; or
23
(c) an entity covered by subsection 56AR(1), (2) or (3) (about
24
Australian government entities).
25
foreign person means a person other than an Australian person.
26
point includes a mobile or potentially mobile point, whether on
27
land, underground, in the atmosphere, underwater, at sea or
28
anywhere else.
29
56AP Geographical application of offences
30
Division 14 (Standard geographical jurisdiction) of the Criminal
31
Code does not apply in relation to an offence against the CDR
32
provisions.
33
Schedule 1 Consumer data right
Part 1 Main amendments
16
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
Note:
The extended geographical application that section 56AO gives to the
1
CDR provisions applies to the offences against the CDR provisions.
2
Subdivision E--Application to government entities
3
56AQ CDR provisions bind the Crown
4
(1) The CDR provisions bind the Crown in each of its capacities.
5
(2) However, the CDR provisions do not make the Crown:
6
(a) liable to a pecuniary penalty or to be prosecuted for an
7
offence; or
8
(b) subject to a remedy under section 56EY (about actions for
9
damages for contravening the privacy safeguards); or
10
(c) subject to a remedy under Part VI (about enforcement) other
11
than section 87B (about enforceable undertakings); or
12
(d) subject to a remedy under Part 4 (about civil penalties) or 7
13
(about injunctions) of the Regulatory Powers Act; or
14
(e) subject to Part XID of this Act (about search and seizure).
15
56AR Government entities may participate under this Part
16
Application to Commonwealth government entities
17
(1) The CDR provisions apply in relation to an entity that:
18
(a) is part of the Commonwealth; or
19
(b) is a Commonwealth entity (within the meaning of the Public
20
Governance, Performance and Accountability Act 2013); or
21
(c) is a body (whether or not incorporated) established by or
22
under a law of the Commonwealth; or
23
(d) is:
24
(i) holding or performing the duties of an office established
25
by or under a law of the Commonwealth; or
26
(ii) holding an appointment made under a law of the
27
Commonwealth; or
28
(e) is prescribed by the regulations.
29
Note:
For how the CDR provisions so apply, see subsection (4).
30
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
17
Application to State or Territory government entities
1
(2) The CDR provisions apply only in relation to an entity that:
2
(a) is part of a State or Territory; or
3
(b) is a body (whether or not incorporated) established for a
4
public purpose by or under a law of a State or Territory; or
5
(c) is:
6
(i) holding or performing the duties of an office established
7
by or under a law of a State or Territory; or
8
(ii) holding an appointment made under a law of a State or
9
Territory; or
10
(d) is an entity prescribed by the regulations in relation to a State
11
or Territory;
12
if a declaration under subsection 56AS(1), that the entity is a
13
participating entity for the State or Territory, is in force.
14
Note:
For how the CDR provisions so apply, see subsection (4).
15
(3) However, whether or not such a declaration is in force for an entity
16
referred to in subsection (2), the CDR provisions apply in relation
17
to the entity to the extent that:
18
(a) the CDR provisions relate to a CDR consumer for CDR data;
19
and
20
(b) the entity is a CDR consumer for CDR data (or would be a
21
CDR consumer for CDR data if the entity were a person).
22
Note:
For how the CDR provisions so apply, see subsection (4).
23
How the CDR provisions apply to a government entity
24
(4) For an entity covered by subsection (1), (2) or (3), the CDR
25
provisions apply as described in that subsection in relation to the
26
entity:
27
(a) as if the entity were a person; and
28
(b) with the modifications (if any) prescribed by the regulations.
29
This subsection does not affect how subsection 56AQ(2) applies to
30
the entity.
31
Schedule 1 Consumer data right
Part 1 Main amendments
18
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
56AS Participating government entities of a State or Territory--
1
declaration
2
(1) The Minister may, by notifiable instrument, declare that an entity is
3
a participating entity for a State or Territory.
4
Note:
An entity may be specified by class (see subsection 13(3) of the
5
Legislation Act 2003).
6
(2) However, the Minister must not do so unless the Minister is
7
satisfied that the State or Territory has agreed to the entity
8
participating under this Part.
9
(3) If:
10
(a) a State or Territory has agreed to an entity of the State or
11
Territory participating under this Part; and
12
(b) the entity is a body corporate;
13
the entity is taken to have also agreed to participate under this Part.
14
56AT Participating government entities of a State or Territory--
15
revocation
16
(1) The Minister may, by notifiable instrument, revoke a declaration
17
made under subsection 56AS(1) that an entity is a participating
18
entity for a State or Territory.
19
(2) If a State or Territory requests in writing the Minister to revoke a
20
declaration made under subsection 56AS(1) that an entity is a
21
participating entity for the State or Territory, the Minister must,
22
under subsection (1) of this section, revoke the declaration as soon
23
as practicable.
24
(3) If the Minister revokes a declaration made under
25
subsection 56AS(1) in relation to an entity, then, despite the
26
revocation, subsection 56AR(2) continues to apply to the entity in
27
relation to:
28
(a) any right, privilege, obligation or liability acquired, accrued
29
or incurred before the revocation; and
30
(b) any investigation, legal proceeding or remedy in respect of
31
any such right, privilege, obligation or liability;
32
as if the declaration were still in force.
33
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
19
Division 2--Consumer data right
1
Subdivision A--Power to make consumer data rules
2
56BA Commission may make consumer data rules
3
(1) The Commission may, by legislative instrument, make rules (the
4
consumer data rules) for designated sectors in accordance with
5
this Division.
6
Note:
Subdivision C deals with the process for making the consumer data
7
rules.
8
(2) Without limiting subsection (1), the consumer data rules may set
9
out:
10
(a) different rules for different designated sectors; or
11
(b) different rules for different classes of CDR data; or
12
(c) different rules for different classes of persons specified, as
13
described in paragraph 56AC(2)(b), in an instrument
14
designating a sector under subsection 56AC(2); or
15
(d) different rules for different classes of persons who are able to
16
be disclosed CDR data under the consumer data rules.
17
56BB Matters that the consumer data rules may deal with
18
The consumer data rules may deal with the following matters:
19
(a) disclosure, collection, use, accuracy, storage, security or
20
deletion of CDR data for which there are one or more CDR
21
consumers (see also sections 56BC and 56BD);
22
(b) disclosure, collection, use, accuracy, storage, security or
23
deletion of CDR data for which there are no CDR consumers
24
(see also sections 56BE and 56BF);
25
(c) designated gateways for CDR data (see also section 56BG);
26
(d) accreditation of data recipients (see also section 56BH);
27
(e) reporting, record keeping and auditing (see also
28
section 56BI);
29
(f) matters incidental or related to any of the above matters (see
30
also section 56BJ).
31
Schedule 1 Consumer data right
Part 1 Main amendments
20
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
56BC Rules about disclosure, collection, use, accuracy, storage,
1
security or deletion of CDR data for which there are CDR
2
consumers
3
Required disclosures in response to valid requests
4
(1) Without limiting paragraph 56BB(a), the consumer data rules may
5
include the following rules:
6
(a) requirements on a CDR participant for CDR data to disclose
7
all or part of the CDR data, in response to a valid request by a
8
CDR consumer for the CDR data, to:
9
(i) the CDR consumer for use as the CDR consumer sees
10
fit; or
11
(ii) an accredited person for use subject to the privacy
12
safeguards;
13
(b) rules about:
14
(i) how a CDR consumer for the CDR data may make a
15
valid request of the kind described in paragraph (a); and
16
(ii) what must be included in a request for it to be valid,
17
what disclosures or other matters a valid request may
18
cover, and when a request ceases to be a valid request;
19
(c) requirements on a person (other than a CDR consumer for the
20
CDR data) to satisfy in order to be disclosed the CDR data in
21
the way described in paragraph (a).
22
Note 1:
The requirements described in paragraph (a) could, for example,
23
include a requirement that the disclosure be in accordance with the
24
relevant data standards.
25
Note 2:
A fee may be charged for such a disclosure if the CDR data is
26
chargeable CDR data, unless section 56BU provides otherwise.
27
Authorised disclosures or use in accordance with valid consents
28
(2) Without limiting paragraph 56BB(a), the consumer data rules may
29
include the following rules:
30
(a) rules authorising a CDR participant for CDR data to disclose
31
all or part of the CDR data to a person in accordance with a
32
valid consent of a CDR consumer for the CDR data;
33
(b) rules authorising a person to use CDR data in accordance
34
with a valid consent of a CDR consumer for the CDR data;
35
(c) rules about:
36
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
21
(i) how a CDR consumer for the CDR data may make a
1
valid consent of the kind described in paragraph (a) or
2
(b); and
3
(ii) what must be included in a consent for it to be valid,
4
what disclosures, uses or other matters a valid consent
5
may cover, and when a consent ceases to be a valid
6
consent.
7
Note:
Fees may be charged for these disclosures or uses.
8
Other rules
9
(3) Without limiting paragraph 56BB(a), the consumer data rules may
10
include the following rules relating to CDR data for which there
11
are one or more CDR consumers:
12
(a) rules relating to the privacy safeguards;
13
(b) other rules relating to the disclosure, collection, use,
14
accuracy, storage or security of the CDR data that affect:
15
(i) an accredited person; or
16
(ii) a CDR participant, or CDR consumer, for the CDR
17
data;
18
(c) other rules relating to the deletion of the CDR data that
19
affect:
20
(i) an accredited person; or
21
(ii) an accredited data recipient of the CDR data; or
22
(iii) a CDR consumer for the CDR data.
23
Note 1:
Subsection 56BD(3) limits how such rules can affect a data holder.
24
Note 2:
The rules may deal with similar or additional matters to those in the
25
privacy safeguards. When doing so, the rules will need to be
26
consistent with those safeguards (see subsections 56EC(1) and (2)).
27
56BD Limitations for rules about CDR data for which there are
28
CDR consumers
29
Only designated CDR data can be required to be disclosed
30
(1) The consumer data rules can only require a disclosure of CDR data
31
for which there are one or more CDR consumers if:
32
(a) the CDR data is within a class of information specified, as
33
described in paragraph 56AC(2)(a), in an instrument
34
designating a sector under subsection 56AC(2); and
35
Schedule 1 Consumer data right
Part 1 Main amendments
22
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(b) the disclosure is to:
1
(i) one or more of those CDR consumers; or
2
(ii) an accredited person; or
3
(iii) a designated gateway for the CDR data.
4
Note 1:
This means CDR data cannot be required to be disclosed if it:
5
(a) is not within a class specified in such an instrument; and
6
(b) is directly or indirectly derived from CDR data that is within a
7
class specified in such an instrument.
8
Note 2:
The consumer data rules can include other rules relating to this other
9
derived CDR data.
10
Note 3:
Voluntary disclosures of this other derived CDR data can be
11
authorised under the consumer data rules.
12
No fee when fee-free CDR data is required to be disclosed
13
(2) The consumer data rules cannot allow a fee to be charged for:
14
(a) the disclosure of fee-free CDR data under rules like those
15
described in paragraph 56BC(1)(a) or 56BG(1)(a); or
16
(b) the use of fee-free CDR data received as the result of such a
17
disclosure.
18
Note:
Fees may be charged for other kinds of disclosures or uses of fee-free
19
CDR data.
20
Rules affecting data holders that relate to the use, accuracy,
21
storage, security or deletion of CDR data
22
(3) For a data holder of CDR data for which there are one or more
23
CDR consumers, the consumer data rules:
24
(a) cannot include rules affecting the data holder that relate to
25
the deletion of the CDR data; and
26
(b) can only include rules affecting the data holder that relate to
27
the use, accuracy, storage or security of the CDR data if such
28
rules also relate to the disclosure of the CDR data under the
29
consumer data rules.
30
Effect of limitations
31
(4) Subsections (1), (2) and (3) apply despite any other provision of
32
this Division.
33
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
23
56BE Rules about disclosure, collection, use, accuracy, storage,
1
security or deletion of product data
2
Without limiting paragraph 56BB(b), the consumer data rules may
3
include the following rules for CDR data for which there are no
4
CDR consumers:
5
(a) requirements on a CDR participant for the CDR data to
6
disclose all or part of the CDR data to a person in response to
7
a valid request by the person;
8
(b) rules about:
9
(i) how a person may make a valid request of the kind
10
described in paragraph (a); and
11
(ii) what must be included in a request for it to be valid,
12
what disclosures or other matters a valid request may
13
cover, and when a request ceases to be a valid request;
14
(c) requirements on a person to satisfy in order to be disclosed
15
the CDR data in the way described in paragraph (a);
16
(d) other rules affecting:
17
(i) CDR participants for the CDR data; or
18
(ii) persons wishing to be disclosed the CDR data;
19
that relate to the disclosure, collection, use, accuracy, storage,
20
security or deletion of the CDR data.
21
Note 1:
A request for this CDR data could be made, for example, to assist the
22
development of a product or service.
23
Note 2:
The requirements described in paragraph (a) could, for example,
24
include a requirement that the disclosure be in accordance with the
25
relevant data standards.
26
Note 3:
The privacy safeguards do not apply to this CDR data (see
27
subsection 56EB(1)).
28
56BF Limitations for rules about product data
29
Only certain kinds of product data can be required to be disclosed
30
(1) The consumer data rules can only require a disclosure of CDR data
31
for which there are no CDR consumers if:
32
(a) the CDR data is about the eligibility criteria, terms and
33
conditions, price, availability or performance of:
34
(i) a product or other kind of good; or
35
(ii) a service; and
36
Schedule 1 Consumer data right
Part 1 Main amendments
24
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(b) in the case where the CDR data is about availability or
1
performance--the CDR data is publicly available.
2
Note 1:
This means other kinds of CDR data for which there are no CDR
3
consumers cannot be required to be disclosed.
4
Note 2:
The consumer data rules can include other rules relating to other kinds
5
of CDR data for which there are no CDR consumers.
6
Note 3:
Voluntary disclosures of other kinds of CDR data for which there are
7
no CDR consumers can be authorised under the consumer data rules.
8
No fee when this CDR data is required to be disclosed
9
(2) The consumer data rules cannot allow a fee to be charged for:
10
(a) the disclosure of CDR data under rules like those described
11
in paragraph 56BE(a) or 56BG(2)(a); or
12
(b) the use of CDR data received as the result of such a
13
disclosure.
14
Note:
A fee could be charged for other disclosures or uses of CDR data for
15
which there are no CDR consumers.
16
Effect of limitations
17
(3) Subsections (1) and (2) apply despite any other provision of this
18
Division.
19
56BG Rules about designated gateways
20
CDR data for which there are CDR consumers
21
(1) Without limiting paragraph 56BB(c), if there is a designated
22
gateway for CDR data for which there are one or more CDR
23
consumers, the consumer data rules may include the following
24
rules:
25
(a) rules like those described in subsection 56BC(1) for the CDR
26
data, but involving the designated gateway:
27
(i) acting between the CDR consumer and the CDR
28
participant in the making of a valid request; or
29
(ii) acting between the CDR consumer and the accredited
30
person who is the proposed recipient of the requested
31
disclosure; or
32
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
25
(iii) acting between the CDR participant and the CDR
1
consumer, or accredited person, who is the proposed
2
recipient of the requested disclosure;
3
(b) rules like those described in subsection 56BC(2) for the CDR
4
data, but involving the designated gateway:
5
(i) acting between the CDR consumer and a person
6
authorised as described in that subsection; or
7
(ii) acting between persons authorised as described in that
8
subsection;
9
(c) other rules affecting the designated gateway that relate to the
10
disclosure, collection, use, accuracy, storage, security or
11
deletion of the CDR data.
12
Product data
13
(2) Without limiting paragraph 56BB(c), if there is a designated
14
gateway for CDR data for which there are no CDR consumers, the
15
consumer data rules may include the following rules:
16
(a) rules like those described in paragraphs 56BE(a) to (c), but
17
involving the designated gateway acting between the CDR
18
participant and the person requesting the disclosure;
19
(b) other rules affecting the designated gateway that relate to the
20
disclosure, collection, use, accuracy, storage, security or
21
deletion of the CDR data.
22
Limitation--rules relating to the collection, use, accuracy, storage,
23
security or deletion of CDR data
24
(3) For a designated gateway for CDR data for which there are one or
25
more CDR consumers, the consumer data rules:
26
(a) can only include rules affecting the designated gateway
27
requiring or authorising the disclosure of the CDR data if
28
such rules are as described in paragraph (1)(a) or (b); and
29
(b) can only include rules affecting the designated gateway that
30
relate to the collection, use, accuracy, storage, security or
31
deletion of the CDR data if such rules also relate to a
32
disclosure described in paragraph (a) of this subsection.
33
Note:
Paragraph (a) does not prevent the inclusion of a rule relating to a
34
disclosure described in that paragraph.
35
(4) Subsection (3) applies despite any other provision of this Division.
36
Schedule 1 Consumer data right
Part 1 Main amendments
26
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
Transitional rules
1
(5) Without limiting paragraph 56BB(c), if there is a designated
2
gateway for CDR data, the consumer data rules may include
3
transitional rules for when a person ceases to be the designated
4
gateway, including about the disclosure, collection, use, accuracy,
5
storage, security or deletion of the CDR data.
6
Note:
These rules could, for example, include a requirement that the CDR
7
data be disclosed in accordance with the relevant data standards to
8
another gateway. Some of these transitional rules could be similar to
9
some of the privacy safeguards.
10
56BH Rules about accreditation of data recipients
11
(1) Without limiting paragraph 56BB(d), the consumer data rules may
12
include the following rules:
13
(a) rules conferring functions or powers on the Data Recipient
14
Accreditor;
15
(b) the criteria for a person to be accredited under
16
subsection 56CA(1);
17
(c) rules providing that accreditations may be granted subject to
18
conditions, and that conditions may be imposed on an
19
accreditation after it has been granted;
20
(d) rules providing that accreditations may be granted at different
21
levels corresponding to different risks, including the risks
22
associated with:
23
(i) specified classes of CDR data; or
24
(ii) specified classes of activities; or
25
(iii) specified classes of applicants for accreditation;
26
(e) rules for the period, renewal, transfer, variation, suspension,
27
revocation or surrender of accreditations;
28
(f) notification requirements on persons whose accreditations
29
have been varied, suspended, revoked or surrendered;
30
(g) transitional rules for when an accreditation is varied, is
31
suspended or ends, including about the disclosure, collection,
32
use, accuracy, storage, security or deletion of CDR data;
33
(h) rules about a matter referred to in subsection 56CE(4) (about
34
the Register of Accredited Persons).
35
Note:
The rules described in paragraph (g) could, for example, include a
36
requirement that the CDR data be disclosed in accordance with the
37
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
27
relevant data standards to an accredited person. Some of these
1
transitional rules could be similar to some of the privacy safeguards.
2
(2) Without limiting paragraph (1)(b):
3
(a) the criteria may differ for different classes of persons; and
4
(b) the criteria may include the payment of a fee.
5
Any fee must not be such as to amount to taxation.
6
(3) Without limiting paragraph (1)(e), each of the following may be a
7
ground for varying, suspending or revoking an accreditation:
8
(a) a failure to comply with a requirement in this Part or in the
9
consumer data rules;
10
(b) a failure to comply with a requirement in the privacy
11
safeguards.
12
Note:
An example of a variation could be the imposition of a condition, or
13
changing the level of an accreditation.
14
(4) If the consumer data rules include rules enabling decisions to be
15
made to vary, suspend or revoke accreditations, the rules must
16
permit the making of applications to the Administrative Appeals
17
Tribunal for review of those decisions.
18
Note:
The consumer data rules can also provide for internal review of these
19
decisions, and internal and AAT review of other decisions (see
20
section 56BJ).
21
56BI Rules about reporting, record keeping and auditing
22
(1) Without limiting paragraph 56BB(e), the consumer data rules may
23
include the following rules:
24
(a) a power for a CDR consumer for CDR data to direct a CDR
25
participant for the CDR data to give the consumer, or an
26
accredited person, reports about:
27
(i) the consumer's valid requests to the CDR participant,
28
under rules like those described in
29
paragraph 56BC(1)(a) or 56BG(1)(a), for the CDR data;
30
and
31
(ii) any disclosures made in response to such requests;
32
(b) a power for a CDR consumer for CDR data to direct a CDR
33
participant for the CDR data to give the consumer, or an
34
accredited person, reports about:
35
Schedule 1 Consumer data right
Part 1 Main amendments
28
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(i) the consumer's valid consents to the CDR participant,
1
under rules like those described in
2
paragraph 56BC(2)(a) or (b) or 56BG(1)(b), for the
3
CDR data; and
4
(ii) any disclosures made in response to such consents;
5
(c) a power for a person referred to in paragraph 56BG(1)(a) or
6
(b) to direct a designated gateway referred to in that
7
paragraph to give reports about:
8
(i) valid requests or consents, affecting the designated
9
gateway, under rules like those described in that
10
paragraph; and
11
(ii) any disclosures made in response to such requests or
12
consents;
13
(d) requirements for CDR participants for CDR data to give
14
reports to the Commission or the Information Commissioner;
15
(e) requirements for accredited persons to give reports to the
16
Commission or the Information Commissioner;
17
(f) requirements for designated gateways for CDR data to give
18
reports to the Commission or the Information Commissioner;
19
(g) requirements for the keeping of records relating to the
20
operation of the consumer data rules;
21
(h) requirements for each of the following entities:
22
(i) the Data Recipient Accreditor;
23
(ii) the Accreditation Registrar;
24
(iii) the Data Standards Chair;
25
to give reports to the Commission or the Information
26
Commissioner about that entity's functions or powers.
27
Note:
Information or documents relating to compliance with the consumer
28
data rules may also be required to be given (see subsections 155(1)
29
and (2)).
30
(2) Without limiting paragraph 56BB(e), the consumer data rules may
31
include requirements for CDR participants or designated gateways
32
for CDR data, or accredited persons, to give to the Commission or
33
Information Commissioner:
34
(a) copies of one or more of the records required to be kept as
35
described in paragraph (1)(g); or
36
(b) information from such records;
37
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
29
either periodically, or on request by the Commission or
1
Information Commissioner, or both.
2
56BJ Rules about incidental or related matters
3
Without limiting paragraph 56BB(f), the consumer data rules may
4
include the following rules:
5
(a) rules that refer to the data standards;
6
(b) the circumstances in which persons are, or may be, relieved
7
from complying with requirements in the consumer data rules
8
that would otherwise apply to them;
9
(c) a rule that depends on a person being satisfied of one or more
10
specified matters;
11
(d) rules for the making of applications for internal review, or of
12
applications to the Administrative Appeals Tribunal for
13
review, of decisions of a person under the consumer data
14
rules;
15
(e) rules about the manner or form in which persons or bodies:
16
(i) may exercise powers under the consumer data rules; or
17
(ii) must comply with requirements imposed by the
18
consumer data rules;
19
which could include requiring the use of a form approved by
20
the Commission or by the Information Commissioner;
21
(f) rules about the following matters:
22
(i) the manner in which CDR participants for CDR data
23
may charge (or cause to be charged) a fee for a matter
24
covered by the consumer data rules;
25
(ii) the time for paying such a fee;
26
(iii) giving notice of, or publicising, such a fee or matters
27
about such a fee;
28
(g) rules requiring CDR participants, or designated gateways, for
29
CDR data to have internal or external dispute resolution
30
processes:
31
(i) that relate to the operation of the consumer data rules or
32
this Part; and
33
(ii) that meet specified criteria;
34
(h) rules relating to an external dispute resolution scheme
35
recognised under Division 4, including about access to such a
36
scheme;
37
Schedule 1 Consumer data right
Part 1 Main amendments
30
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(i) transitional rules for the external resolution of disputes:
1
(i) described in subsection 56DA(1); and
2
(ii) not covered by a scheme recognised under that
3
subsection;
4
(j) rules about any other matters that the provisions of this Part
5
provide may be specified, or otherwise dealt with, in the
6
consumer data rules.
7
56BK Further limitations on the consumer data rules
8
(1) The consumer data rules cannot impose on a person a requirement
9
that has a retrospective commencement or application.
10
Example: The rules cannot require a data holder to disclose CDR data on a day
11
before the rules are registered, or on a day before the registration of a
12
variation to the rules that includes the requirement.
13
Note:
Other limitations on the consumer data rules are in sections 56BD,
14
56BF and 56BG.
15
(2) To avoid doubt, the consumer data rules may require a person to do
16
something on a particular day, in relation to CDR data generated or
17
collected on an earlier day, if the person:
18
(a) is a data holder of the CDR data; or
19
(b) is an accredited person; or
20
(c) is a person who has given a valid request under the consumer
21
data rules relating to the CDR data; or
22
(d) is a designated gateway for the CDR data.
23
Example: A data holder is given a valid request to disclose CDR data that was
24
generated before the rules are registered. The rules can require that
25
disclosure.
26
(3) The regulations may provide that the consumer data rules:
27
(a) have no effect to the extent that the consumer data rules deal
28
with specified matters, or impose specified requirements, in
29
relation to:
30
(i) specified classes of CDR data; or
31
(ii) specified classes of persons; or
32
(b) only have effect to the extent that the consumer data rules
33
deal with specified matters, or impose specified
34
requirements, in relation to:
35
(i) specified classes of CDR data; or
36
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
31
(ii) specified classes of persons.
1
The consumer data rules have effect (or no effect) accordingly.
2
(4) Subsections (1) and (3) apply despite any other provision of this
3
Division.
4
Subdivision B--Compliance with consumer data rules
5
56BL Obligation to comply with consumer data rules
6
The consumer data rules may provide that specified provisions of
7
the rules are civil penalty provisions (within the meaning of the
8
Regulatory Powers Act).
9
Note:
Sections 76 to 77 deal with enforcing the civil penalty provisions.
10
56BM Infringement notices
11
Object
12
(1) The object of this section is for Division 5 of Part XI to apply to a
13
civil penalty provision of the consumer data rules in a
14
corresponding way to the way that Division applies to a provision
15
of Part 2-2 of the Australian Consumer Law.
16
Note:
That Division is about infringement notices issued for alleged
17
contraventions of provisions of the Australian Consumer Law.
18
Extended application of Division 5 of Part XI etc.
19
(2) Division 5 of Part XI, and any other provision of this Act that
20
relates to that Division, also apply in relation to a civil penalty
21
provision of the consumer data rules as if the substitutions in the
22
following table were made.
23
24
Substitutions to be made
Item
For a reference in Division 5 of
Part XI to ...
... substitute a reference to ...
1
section 224 of the Australian
Consumer Law
section 76 of this Act.
2
Chapter 4 or Part 5-2 of the
Australian Consumer Law
Part VI of this Act.
Schedule 1 Consumer data right
Part 1 Main amendments
32
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
Substitutions to be made
Item
For a reference in Division 5 of
Part XI to ...
... substitute a reference to ...
3
a provision of Part 2-2 of the
Australian Consumer Law
a civil penalty provision of the
consumer data rules.
(3) To avoid doubt, Division 2 of Part XI does not limit the application
1
of section 56GF (about constitutional basis) to the extended
2
application of Division 5 of Part XI as described in this section.
3
56BN Misleading or deceptive conduct--offence
4
(1) A person commits an offence if:
5
(a) the person engages in conduct; and
6
(b) the person does so knowing that the conduct:
7
(i) is misleading or deceptive; or
8
(ii) is likely to be misleading or deceptive; and
9
(c) the conduct misleads or deceives, or is likely to mislead or
10
deceive, another person (the second person) into believing
11
that:
12
(i) a person is a CDR consumer for CDR data; or
13
(ii) a person is making a valid request or consent, or has
14
satisfied other criteria, for the disclosure of CDR data
15
under the consumer data rules.
16
Note:
The person mentioned in subparagraph (c)(i) or (ii) could be the
17
first-mentioned person, the second person or a third person.
18
Defence
19
(2) Subsection (1) does not apply if the conduct is not misleading or
20
deceptive in a material particular.
21
Note:
A defendant bears an evidential burden in relation to the matter in this
22
subsection (see subsection 13.3(3) of the Criminal Code).
23
Penalty--body corporate
24
(3) An offence against subsection (1) committed by a body corporate
25
is punishable on conviction by a fine of not more than the greater
26
of the following:
27
(a) $10,000,000;
28
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
33
(b) if the court can determine the value of the benefit that the
1
body corporate, and any body corporate related to the body
2
corporate, have obtained directly or indirectly and that is
3
reasonably attributable to the commission of the offence--3
4
times the value of that benefit;
5
(c) if the court cannot determine the value of that benefit--10%
6
of the annual turnover of the body corporate during the
7
12-month period ending at the end of the month in which the
8
commission of the offence happened or began.
9
(4) For the purposes of paragraph (3)(c), annual turnover has the
10
same meaning as in Division 1 of Part IV.
11
Penalty--other persons
12
(5) An offence against subsection (1) committed by a person other
13
than a body corporate is punishable on conviction by imprisonment
14
for not more than 5 years, a fine of not more than $500,000, or
15
both.
16
56BO Misleading or deceptive conduct--civil penalty
17
(1) A person must not engage in conduct that misleads or deceives, or
18
is likely to mislead or deceive, another person (the second person)
19
into believing that:
20
(a) a person is a CDR consumer for CDR data; or
21
(b) a person is making a valid request or consent, or has satisfied
22
other criteria, for the disclosure of CDR data under the
23
consumer data rules.
24
Note 1:
The person mentioned in paragraph (a) or (b) could be the
25
first-mentioned person, the second person or a third person.
26
Note 2:
For enforcement, see Part VI (including section 76 for an order for
27
payment of a pecuniary penalty).
28
Defence
29
(2) Subsection (1) does not apply if the conduct is not misleading or
30
deceptive in a material particular.
31
(3) A person who wishes to rely on subsection (2) bears the burden of
32
adducing or pointing to evidence that suggests a reasonable
33
Schedule 1 Consumer data right
Part 1 Main amendments
34
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
possibility that the conduct is not misleading or deceptive in a
1
material particular.
2
Subdivision C--Process for making consumer data rules etc.
3
56BP Matters to which Commission must have regard when making
4
the rules
5
Before making consumer data rules under subsection 56BA(1), the
6
Commission must consider the kinds of matters referred to in
7
paragraphs 56AD(1)(a) and (b).
8
56BQ Commission to consult before making the rules
9
(1) Before making consumer data rules under subsection 56BA(1), the
10
Commission must:
11
(a) consult the public about the making of the rules:
12
(i) for at least 28 days; and
13
(ii) in one or more ways that includes making information
14
available on the Commission's website, and inviting the
15
public to comment; and
16
(b) consult each of the following about the making of the rules:
17
(i) the Information Commissioner;
18
(ii) if the rules relate to a particular designated sector--the
19
person or body (if any) that the Commission believes to
20
be the primary regulator of that sector;
21
(iii) any person or body prescribed by the regulations; and
22
(c) wait at least 60 days after the day consultation of the public
23
begins under paragraph (a) about the making of the rules.
24
(2) A failure to comply with subsection (1) does not invalidate the
25
consumer data rules.
26
56BR Ministerial consent to rules required
27
The Commission must not make consumer data rules under
28
subsection 56BA(1) unless the Minister has consented, in writing,
29
to the making of the rules.
30
Note:
In an emergency, consent is not required (see section 56BS).
31
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
35
56BS Emergency rules: usual consultation and consent not required
1
(1) The Commission may make consumer data rules under
2
subsection 56BA(1):
3
(a) after consulting the Information Commissioner, but without
4
otherwise complying with section 56BQ; and
5
(b) without the consent of the Minister as required by
6
section 56BR;
7
if the Commission believes (whether or not that belief is
8
reasonable) that it is necessary to do so in order to avoid a risk of
9
serious harm to:
10
(c) the efficiency, integrity or stability of any aspect of the
11
Australian economy; or
12
(d) the interests of consumers.
13
Note:
The Commission still needs to comply with section 56BP.
14
(2) However, a failure to comply with paragraph (1)(a) does not
15
invalidate rules made as described in subsection (1).
16
Note:
Such rules may have a limited life (see subsection 56BT(3)).
17
56BT Emergency rules: consequences if made
18
(1) If the Commission makes consumer data rules as described in
19
subsection 56BS(1) (the emergency rules), the Commission must:
20
(a) on the following day, give the Minister a written explanation
21
of the need for the emergency rules; and
22
(b) vary or repeal the emergency rules in accordance with any
23
directions given under subsection (2).
24
(2) The Minister may, by writing, direct the Commission to vary or
25
repeal the emergency rules.
26
(3) If:
27
(a) the emergency rules are made without consulting the
28
Information Commissioner, but otherwise in accordance with
29
subsection 56BS(1); and
30
(b) the Minister does not give a direction under subsection (2)
31
about the emergency rules;
32
the emergency rules cease to be in force 6 months after the day
33
they are made.
34
Schedule 1 Consumer data right
Part 1 Main amendments
36
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
Note:
If the emergency rules vary other consumer data rules, this subsection
1
causes only the emergency rules to cease to be in force.
2
(4) A direction given under subsection (2) is not a legislative
3
instrument.
4
(5) Despite subsections 33(3) and (3AA) of the Acts Interpretation Act
5
1901, the requirements of sections 56BP, 56BQ and 56BR of this
6
Act do not apply in relation to a variation or repeal of the
7
emergency rules pursuant to a direction given under subsection (2)
8
of this section.
9
Note:
This subsection alters the requirement in subsections 33(3) and (3AA)
10
of the Acts Interpretation Act 1901 that variations or repeals must be
11
made in a like manner and subject to like conditions.
12
Subdivision D--Fees for disclosing CDR data
13
56BU Charging a fee in inappropriate circumstances when required
14
to disclose CDR data
15
(1) A person contravenes this subsection if:
16
(a) the person is a CDR participant for CDR data; and
17
(b) the person is required under the consumer data rules to
18
disclose all or part of the CDR data; and
19
(c) the person charges (or causes to be charged) a fee for either
20
or both of the following matters:
21
(i) the disclosure (or a related disclosure by a designated
22
gateway or other CDR participant for the CDR data);
23
(ii) the use of the CDR data as the result of the disclosure
24
(or of that related disclosure); and
25
(d) subsection (2) or any of the following subparagraphs applies:
26
(i) the CDR data is fee-free CDR data;
27
(ii) to the extent that the fee is charged for the disclosure of
28
chargeable CDR data--the fee purports to cover a
29
disclosure in circumstances that are not chargeable
30
circumstances;
31
(iii) to the extent that the fee is charged for the use of
32
chargeable CDR data--the fee purports to cover use in
33
circumstances that are not chargeable circumstances.
34
Note:
For enforcement, see Part VI (including section 76 for an order for
35
payment of a pecuniary penalty).
36
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
37
(2) This subsection applies if:
1
(a) any fee (the reasonable fee):
2
(i) that has been determined under subsection 56BV(1) for
3
the person; or
4
(ii) that can be worked out from a method determined under
5
subsection 56BV(1) for the person;
6
covers either or both of the matters in paragraph (1)(c) of this
7
section; and
8
(b) the portion of the fee charged as described in that paragraph
9
for those matters exceeds the corresponding portion of the
10
reasonable fee.
11
56BV Commission may intervene if fee for disclosing or using
12
chargeable CDR data is unreasonable etc.
13
(1) The Commission may determine the following for a specified CDR
14
participant for specified chargeable CDR data:
15
(a) the amount of a fee, or a method for working out the amount
16
of a fee, that the CDR participant may charge (or cause to be
17
charged) for either or both of the following matters (the
18
chargeable matters):
19
(i) the disclosure of the chargeable CDR data in chargeable
20
circumstances because of a requirement under the
21
consumer data rules to do so;
22
(ii) the use of the chargeable CDR data in chargeable
23
circumstances as the result of such a disclosure;
24
(b) the specified persons who are liable to pay that fee;
25
if the Commission is satisfied that the fee that the CDR participant
26
would otherwise charge (or cause to be charged) is unreasonable
27
having regard to the criteria in subsection (3).
28
(2) When determining an amount or method under subsection (1), the
29
Commission must seek to ensure that the resulting fee:
30
(a) reflects the reasonable costs (including capital costs)
31
necessary for the CDR participant to comply with this Part
32
and the consumer data rules in relation to the chargeable
33
matters; and
34
(b) is reasonable having regard to the criteria in subsection (3).
35
Schedule 1 Consumer data right
Part 1 Main amendments
38
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(3) The criteria for the purposes of subsection (1) and paragraph (2)(b)
1
are:
2
(a) the matters in subparagraphs 56AD(1)(a)(i), (ii), (iv) to (vi)
3
and (c)(ii) and (iv); and
4
(b) whether a lower fee could result in an acquisition of property
5
(within the meaning of paragraph 51(xxxi) of the
6
Constitution); and
7
(c) whether a lower fee would reduce the incentive to generate,
8
collect, hold or maintain CDR data of that kind; and
9
(d) any other matters the Commission considers relevant.
10
(4) A determination under subsection (1) specifying a class of CDR
11
participants must be made by legislative instrument.
12
(5) A determination under subsection (1) specifying a particular CDR
13
participant:
14
(a) must be made by written notice given to the CDR participant;
15
and
16
(b) is not a legislative instrument.
17
(6) A fee determined under subsection (1) must not be such as to
18
amount to taxation.
19
56BW Review by the Tribunal of determinations specifying
20
particular CDR participants
21
(1) If the Commission makes a determination under
22
subsection 56BV(1) in the way described in subsection 56BV(5):
23
(a) the CDR participant specified in the determination; or
24
(b) a person whose interests are affected by the determination;
25
may apply in writing to the Tribunal for a review of the
26
determination.
27
(2) An application under this section for a review of a determination
28
must be made within 21 days after the day the Commission made
29
the determination.
30
(3) If the Tribunal receives an application under this section for a
31
review of a determination, the Tribunal must review the
32
determination.
33
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
39
56BX Functions and powers of Tribunal
1
(1) On a review of a determination made under subsection 56BV(1),
2
the Tribunal:
3
(a) may make a decision affirming, setting aside or varying the
4
determination; and
5
(b) for the purposes of the review, may perform all the functions
6
and exercise all the powers of the Commission.
7
(2) A decision by the Tribunal affirming, setting aside or varying such
8
a determination is taken for the purposes of this Act (other than
9
sections 56BW to 56BY)) to be a determination of the
10
Commission.
11
(3) For the purposes of a review by the Tribunal, the member of the
12
Tribunal presiding at the review may require the Commission to
13
give such information, make such reports and provide such other
14
assistance to the Tribunal as the member specifies.
15
(4) For the purposes of a review, the Tribunal may have regard to any
16
information given, documents produced or evidence given to the
17
Commission in connection with the making of the determination to
18
which the review relates.
19
Note:
Division 2 of Part IX applies to proceedings before the Tribunal.
20
56BY Provisions that do not apply in relation to a Tribunal review
21
Division 1 of Part IX does not apply in relation to a review by the
22
Tribunal of a determination made under subsection 56BV(1).
23
Division 3--Accreditation etc.
24
Subdivision A--Accreditation process
25
56CA Granting accreditations
26
(1) The Data Recipient Accreditor may, in writing, accredit a person if
27
the Data Recipient Accreditor is satisfied that the person meets the
28
criteria for accreditation specified in the consumer data rules.
29
(2) To avoid doubt, a person may be accredited even if the person:
30
Schedule 1 Consumer data right
Part 1 Main amendments
40
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(a) is not a body corporate established by or under a law of the
1
Commonwealth, of a State or of a Territory; and
2
(b) is neither an Australian citizen, nor a permanent resident
3
(within the meaning of the Australian Citizenship Act 2007).
4
(3) An accreditation is granted on the basis that no compensation is
5
payable if the accreditation is varied, transferred, suspended,
6
revoked or surrendered in any way.
7
56CB Review of decisions refusing to accredit
8
Applications may be made to the Administrative Appeals Tribunal
9
for review of decisions of the Data Recipient Accreditor under
10
subsection 56CA(1) refusing to accredit persons.
11
Note:
For AAT review of decisions to vary, suspend or revoke
12
accreditations, see subsection 56BH(4).
13
56CC Prohibition on holding out--offence
14
(1) A person commits an offence if the person holds out that the
15
person:
16
(a) is an accredited person; or
17
(b) is an accredited person holding an accreditation that has been
18
granted at a particular level (see paragraph 56BH(1)(d)); or
19
(c) is an accredited data recipient of CDR data;
20
if that is not the case.
21
Penalty--body corporate
22
(2) An offence against subsection (1) committed by a body corporate
23
is punishable on conviction by a fine of not more than the greater
24
of the following:
25
(a) $10,000,000;
26
(b) if the court can determine the value of the benefit that the
27
body corporate, and any body corporate related to the body
28
corporate, have obtained directly or indirectly and that is
29
reasonably attributable to the commission of the offence--3
30
times the value of that benefit;
31
(c) if the court cannot determine the value of that benefit--10%
32
of the annual turnover of the body corporate during the
33
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
41
12-month period ending at the end of the month in which the
1
commission of the offence happened or began.
2
(3) For the purposes of paragraph (2)(c), annual turnover has the
3
same meaning as in Division 1 of Part IV.
4
Penalty--other persons
5
(4) An offence against subsection (1) committed by a person other
6
than a body corporate is punishable on conviction by imprisonment
7
for not more than 5 years, a fine of not more than $500,000, or
8
both.
9
56CD Prohibition on holding out--civil penalty
10
A person must not hold out that the person:
11
(a) is an accredited person; or
12
(b) is an accredited person holding an accreditation that has been
13
granted at a particular level (see paragraph 56BH(1)(d)); or
14
(c) is an accredited data recipient of CDR data;
15
if that is not the case.
16
Note:
For enforcement, see Part VI (including section 76 for an order for
17
payment of a pecuniary penalty).
18
Subdivision B--Register of Accredited Persons
19
56CE Register of Accredited Persons
20
(1) The Accreditation Registrar must establish and maintain a register
21
for the purposes of this Part, to be known as the Register of
22
Accredited Persons.
23
(2) The Accreditation Registrar must maintain the register by
24
electronic means.
25
(3) The register is not a legislative instrument.
26
(4) The consumer data rules may make provision for or in relation to
27
the following:
28
(a) the inclusion in the register of entries for accredited persons;
29
(b) the correction of entries in the register;
30
Schedule 1 Consumer data right
Part 1 Main amendments
42
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(c) the publication or availability of all or part of the register, or
1
of specified information in the register;
2
(d) any other matter relating to the content, administration or
3
operation of the register.
4
56CF Evidentiary value of the register
5
(1) The register is admissible in any proceedings as prima facie
6
evidence of the matters in it.
7
(2) The Accreditation Registrar may issue a document containing the
8
details of a matter taken from the register.
9
(3) The document issued under subsection (2) is admissible in any
10
proceedings as prima facie evidence of the matter.
11
Subdivision C--Data Recipient Accreditor
12
56CG Appointment of the Data Recipient Accreditor
13
(1) The Minister may, by written instrument, appoint as the Data
14
Recipient Accreditor a person who:
15
(a) is the accountable authority of a Commonwealth entity
16
(within the meaning of the Public Governance, Performance
17
and Accountability Act 2013); or
18
(b) is a Commonwealth entity (within the meaning of that Act).
19
Note 1:
For variation, see subsection 33(3) of the Acts Interpretation Act 1901.
20
Note 2:
The Commission will be the Data Recipient Accreditor in the absence
21
of an appointment under this subsection (see the definition of Data
22
Recipient Accreditor in subsection 4(1)).
23
(2) The Minister may, at any time by written instrument, terminate an
24
appointment made under subsection (1).
25
56CH Functions, powers and annual report
26
(1) The functions of the Data Recipient Accreditor are:
27
(a) to accredit persons under subsection 56CA(1); and
28
(b) such other functions as are conferred by the consumer data
29
rules.
30
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
43
(2) The Data Recipient Accreditor has the power to do all other things
1
necessary or convenient to be done for or in connection with the
2
performance of the Data Recipient Accreditor's functions.
3
(3) To avoid doubt, for a person who is the Data Recipient Accreditor,
4
both:
5
(a) the person's functions and powers in their capacity other than
6
as the Data Recipient Accreditor (their primary capacity);
7
and
8
(b) if the person is not a body corporate--the functions that may
9
be performed, and the powers that may be exercised, by
10
anyone appointed under a Commonwealth law to act as the
11
person in that primary capacity;
12
are taken to include the functions and powers of the Data Recipient
13
Accreditor while the person is the Data Recipient Accreditor.
14
(4) If:
15
(a) a person is the Data Recipient Accreditor at any time during a
16
period; and
17
(b) an annual report for the period is prepared under section 46
18
of the Public Governance, Performance and Accountability
19
Act 2013:
20
(i) by the person in the person's primary capacity; or
21
(ii) about the person in the person's primary capacity;
22
the annual report must include information about the performance
23
of the Data Recipient Accreditor's functions, and the exercise of
24
the Data Recipient Accreditor's powers, at that time.
25
56CI Directions by Minister
26
(1) The Minister may, by legislative instrument, give written directions
27
to the Data Recipient Accreditor about the performance of its
28
functions and the exercise of its powers.
29
Note:
Section 42 (disallowance) and Part 4 of Chapter 3 (sunsetting) of the
30
Legislation Act 2003 do not apply to the directions (see regulations
31
made for the purposes of paragraphs 44(2)(b) and 54(2)(b) of that
32
Act).
33
(2) A direction under subsection (1) must be of a general nature only.
34
(3) The Data Recipient Accreditor must comply with a direction under
35
subsection (1).
36
Schedule 1 Consumer data right
Part 1 Main amendments
44
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
56CJ Delegation
1
(1) The Data Recipient Accreditor may delegate any or all of the Data
2
Recipient Accreditor's functions or powers to:
3
(a) an SES employee, or an acting SES employee, in the
4
Department, in the Commission or in the Commonwealth
5
entity appointed under paragraph 56CG(1)(b) (if any); or
6
(b) an APS employee who is holding or performing the duties of
7
a specified office or position that:
8
(i) is in the Department, in the Commission or in the
9
Commonwealth entity appointed under
10
paragraph 56CG(1)(b) (if any); and
11
(ii) is an office or position that the Data Recipient
12
Accreditor is satisfied is sufficiently senior for the APS
13
employee to perform the function or exercise the power.
14
(2) In doing anything under a delegation under this section, the
15
delegate must comply with any directions of the Data Recipient
16
Accreditor.
17
Subdivision D--Accreditation Registrar
18
56CK Appointment of the Accreditation Registrar
19
(1) The Minister may, by written instrument, appoint as the
20
Accreditation Registrar a person who:
21
(a) is the accountable authority of a Commonwealth entity
22
(within the meaning of the Public Governance, Performance
23
and Accountability Act 2013); or
24
(b) is a Commonwealth entity (within the meaning of that Act).
25
Note 1:
For variation, see subsection 33(3) of the Acts Interpretation Act 1901.
26
Note 2:
The Commission will be the Accreditation Registrar in the absence of
27
an appointment under this subsection (see the definition of
28
Accreditation Registrar in subsection 4(1)).
29
(2) The Minister may, at any time by written instrument, terminate an
30
appointment made under subsection (1).
31
56CL Functions, powers and annual report
32
(1) The functions of the Accreditation Registrar are:
33
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
45
(a) those described in Subdivision B; and
1
(b) such other functions as are conferred by the consumer data
2
rules.
3
(2) The Accreditation Registrar has the power to do all other things
4
necessary or convenient to be done for or in connection with the
5
performance of the Accreditation Registrar's functions.
6
(3) To avoid doubt, for a person who is the Accreditation Registrar,
7
both:
8
(a) the person's functions and powers in their capacity other than
9
as the Accreditation Registrar (their primary capacity); and
10
(b) if the person is not a body corporate--the functions that may
11
be performed, and the powers that may be exercised, by
12
anyone appointed under a Commonwealth law to act as the
13
person in that primary capacity;
14
are taken to include the functions and powers of the Accreditation
15
Registrar while the person is the Accreditation Registrar.
16
(4) If:
17
(a) a person is the Accreditation Registrar at any time during a
18
period; and
19
(b) an annual report for the period is prepared under section 46
20
of the Public Governance, Performance and Accountability
21
Act 2013:
22
(i) by the person in the person's primary capacity; or
23
(ii) about the person in the person's primary capacity;
24
the annual report must include information about the performance
25
of the Accreditation Registrar's functions, and the exercise of the
26
Accreditation Registrar's powers, at that time.
27
56CM Directions by Minister
28
(1) The Minister may, by legislative instrument, give written directions
29
to the Accreditation Registrar about the performance of its
30
functions and the exercise of its powers.
31
Note:
Section 42 (disallowance) and Part 4 of Chapter 3 (sunsetting) of the
32
Legislation Act 2003 do not apply to the directions (see regulations
33
made for the purposes of paragraphs 44(2)(b) and 54(2)(b) of that
34
Act).
35
(2) A direction under subsection (1) must be of a general nature only.
36
Schedule 1 Consumer data right
Part 1 Main amendments
46
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(3) The Accreditation Registrar must comply with a direction under
1
subsection (1).
2
56CN Delegation
3
(1) The Accreditation Registrar may delegate any or all of the
4
Accreditation Registrar's functions or powers to:
5
(a) an SES employee, or an acting SES employee, in the
6
Department, in the Commission or in the Commonwealth
7
entity appointed under paragraph 56CK(1)(b) (if any); or
8
(b) an APS employee who is holding or performing the duties of
9
a specified office or position that:
10
(i) is in the Department, in the Commission or in the
11
Commonwealth entity appointed under
12
paragraph 56CK(1)(b) (if any); and
13
(ii) is an office or position that the Accreditation Registrar
14
is satisfied is sufficiently senior for the APS employee
15
to perform the function or exercise the power.
16
Note:
For the Registrar's functions and powers, see section 56CE.
17
(2) In doing anything under a delegation under this section, the
18
delegate must comply with any directions of the Accreditation
19
Registrar.
20
Division 4--External dispute resolution
21
56DA Commission may recognise external dispute resolution
22
schemes
23
Recognising an external dispute resolution scheme
24
(1) The Commission may, by notifiable instrument, recognise an
25
external dispute resolution scheme for the resolution of disputes:
26
(a) relating to the operation of the consumer data rules, or this
27
Part, in relation to one or more designated sectors; and
28
(b) involving one or more of the following:
29
(i) CDR participants for CDR data;
30
(ii) CDR consumers for CDR data;
31
(iii) designated gateways for CDR data;
32
(iv) other persons relating to any of those designated sectors.
33
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
47
Note 1:
The consumer data rules may require internal dispute resolution
1
schemes, see paragraph 56BJ(g).
2
Note 2:
For variation and repeal, see subsection 33(3) of the Acts
3
Interpretation Act 1901.
4
(2) The Commission may, in the instrument under subsection (1):
5
(a) specify a period for which the recognition of the external
6
dispute resolution scheme is in force; and
7
(b) make the recognition of the external dispute resolution
8
scheme subject to specified conditions, including conditions
9
relating to the conduct of an independent review of the
10
operation of the scheme.
11
Before recognising an external dispute resolution scheme
12
(3) Before recognising an external dispute resolution scheme under
13
subsection (1), the Commission must consider:
14
(a) the accessibility of the scheme; and
15
(b) the independence of the scheme; and
16
(c) the fairness of the scheme; and
17
(d) the accountability of the scheme; and
18
(e) the efficiency of the scheme; and
19
(f) the effectiveness of the scheme; and
20
(g) any other matters the Commission considers relevant.
21
(4) Before recognising an external dispute resolution scheme under
22
subsection (1), the Commission must consult the Information
23
Commissioner about the scheme.
24
(5) A failure to comply with subsection (4) does not invalidate an
25
instrument made under subsection (1).
26
Division 5--Privacy safeguards
27
Subdivision A--Preliminary
28
56EA Simplified outline
29
This Division sets out privacy safeguards that protect the privacy
30
or confidentiality of CDR consumers' CDR data, whether the CDR
31
consumers are individuals or bodies corporate.
32
Schedule 1 Consumer data right
Part 1 Main amendments
48
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
The privacy safeguards apply mainly to accredited data recipients,
1
but also to data holders and designated gateways, in relation to
2
their handling of the CDR data.
3
A person's failure to comply with any of these safeguards may lead
4
to consequences, including liability to a civil penalty (see
5
Subdivision G) or the suspension or revocation of the person's
6
accreditation (see subsection 56BH(3)).
7
56EB Kinds of CDR data to which the privacy safeguards apply
8
(1) The privacy safeguards only apply to CDR data for which there are
9
one or more CDR consumers.
10
Note:
One requirement for CDR data to have a CDR consumer is that there
11
needs to be at least one person who is identifiable, or reasonably
12
identifiable, from the CDR data or from related information (see
13
paragraph 56AI(3)(c)).
14
(2) The privacy safeguards apply to CDR data whether the CDR data
15
is true or not.
16
56EC Relationship with other laws
17
Relationship with the consumer data rules
18
(1) If there is an inconsistency between the privacy safeguards and the
19
consumer data rules, those safeguards prevail over those rules to
20
the extent of the inconsistency.
21
(2) However, the consumer data rules are taken to be consistent with
22
the privacy safeguards to the extent that they are capable of
23
operating concurrently.
24
Note:
This means that the privacy safeguards do not cover the field that they
25
deal with.
26
Relationship with the Privacy Act 1988
27
(3) This Division does not limit Part IIIA (about credit reporting) of
28
the Privacy Act 1988. However, the regulations may declare that in
29
specified circumstances that Part applies in relation to CDR data as
30
if specified provisions of that Part were omitted, modified or varied
31
as specified in the declaration.
32
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
49
(4) Despite the Privacy Act 1988:
1
(a) the Australian Privacy Principles do not apply to an
2
accredited data recipient of CDR data in relation to the CDR
3
data; and
4
(b) if subsection 56EN(1) applies to a disclosure of CDR data by
5
a data holder of the CDR data--Australian Privacy
6
Principle 10 does not apply to the data holder in relation to
7
that disclosure of the CDR data; and
8
(c) if subsection 56EP(1) applies to CDR data and a data holder
9
of the CDR data--Australian Privacy Principle 13 does not
10
apply to the data holder in relation to the CDR data; and
11
(d) Australian Privacy Principles 6, 7 and 11 do not apply to a
12
designated gateway for CDR data in relation to the CDR
13
data.
14
Note 1:
For the accredited data recipient, the privacy safeguards will apply
15
instead.
16
Note 2:
Section 56EN (or privacy safeguard 11) is about the quality of CDR
17
data. Section 56EP (or privacy safeguard 13) is about correcting CDR
18
data.
19
(5) Apart from paragraphs (4)(b) to (d), this Division does not affect
20
how the Australian Privacy Principles apply to:
21
(a) a data holder of CDR data in relation to the CDR data; or
22
(b) a designated gateway for CDR data in relation to the CDR
23
data.
24
Note 1:
Privacy safeguard 1 will apply to a data holder or designated gateway
25
in parallel to Australian Privacy Principle 1.
26
Note 2:
The consumer data rules (which are made under Division 2) will affect
27
how the Australian Privacy Principles apply. Requirements and
28
authorisations under those rules will be requirements or authorisations
29
under an Australian law for the purposes of the Australian Privacy
30
Principles.
31
Schedule 1 Consumer data right
Part 1 Main amendments
50
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
Subdivision B--Consideration of CDR data privacy
1
56ED Privacy safeguard 1--open and transparent management of
2
CDR data
3
Object
4
(1) The object of this section is to ensure that each person (a CDR
5
entity) who is:
6
(a) a data holder of CDR data; or
7
(b) an accredited data recipient of CDR data; or
8
(c) a designated gateway for CDR data;
9
manages the CDR data in an open and transparent way.
10
Compliance with this Part etc.
11
(2) The CDR entity must take such steps as are reasonable in the
12
circumstances to implement practices, procedures and systems that:
13
(a) will ensure that the CDR entity complies with this Part and
14
the consumer data rules; and
15
(b) will enable the CDR entity to deal with inquiries or
16
complaints from a CDR consumer for the CDR data about
17
the CDR entity's compliance with this Part or the consumer
18
data rules.
19
Policy about the management of CDR data
20
(3) The CDR entity must have and maintain a clearly expressed and
21
up-to-date policy that:
22
(a) is about the CDR entity's management of CDR data; and
23
(b) is in a form approved in accordance with the consumer data
24
rules; and
25
(c) contains the information required by subsections (4), (5) and
26
(6) (as applicable).
27
Note:
This subsection is a civil penalty provision (see section 56EU).
28
(4) If the CDR entity is a data holder of any CDR data, the CDR
29
entity's policy must contain the following information:
30
(a) how a CDR consumer for the CDR data may access the CDR
31
data and seek the correction of the CDR data;
32
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
51
(b) how a CDR consumer for the CDR data may complain about
1
a failure of the CDR entity to comply with this Part or the
2
consumer data rules, and how the CDR entity will deal with
3
such a complaint.
4
(5) If the CDR entity is an accredited data recipient of any CDR data,
5
the CDR entity's policy must contain the following information:
6
(a) the classes of CDR data held by (or on behalf of) the CDR
7
entity as an accredited data recipient, and how such CDR
8
data is held;
9
(b) the purposes for which the CDR entity may collect, hold, use
10
or disclose such CDR data with the consent of a CDR
11
consumer for the CDR data;
12
(c) how a CDR consumer for such CDR data may access the
13
CDR data and seek the correction of the CDR data;
14
(d) how a CDR consumer for such CDR data may complain
15
about a failure of the CDR entity to comply with this Part or
16
the consumer data rules, and how the CDR entity will deal
17
with such a complaint;
18
(e) whether the CDR entity is likely to disclose such CDR data
19
to accredited persons who are based overseas;
20
(f) if the CDR entity is likely to disclose such CDR data to
21
accredited persons who are based overseas--the countries in
22
which such persons are likely to be based if it is practicable
23
to specify those countries in the policy;
24
(g) the circumstances in which the CDR entity may disclose such
25
CDR data to a person who is not an accredited person;
26
(h) the events about which the CDR entity will notify the CDR
27
consumers of such CDR data;
28
(i) the circumstances in which the CDR entity must delete or
29
de-identify such CDR data in accordance with a request
30
given by a CDR consumer for the CDR data under the
31
consumer data rules.
32
(6) If the CDR entity is a designated gateway for any CDR data, the
33
CDR entity's policy must contain the following information:
34
(a) an explanation of how the CDR entity, as a designated
35
gateway, will act between persons to facilitate:
36
(i) the disclosure of CDR data; or
37
(ii) the accuracy of CDR data; or
38
Schedule 1 Consumer data right
Part 1 Main amendments
52
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(iii) other matters;
1
under the consumer data rules;
2
(b) how a CDR consumer for such CDR data may complain
3
about a failure of the CDR entity to comply with this Part or
4
the consumer data rules, and how the CDR entity will deal
5
with such a complaint.
6
Availability of policy etc.
7
(7) The CDR entity must make the CDR entity's policy available:
8
(a) free of charge; and
9
(b) in accordance with the consumer data rules.
10
Note:
One way the consumer data rules could require the policy to be made
11
available is to require the policy to be made available in accordance
12
with a data standard.
13
(8) If a copy of the CDR entity's policy is requested by a CDR
14
consumer for the CDR data, the CDR entity must give the CDR
15
consumer a copy in accordance with the consumer data rules.
16
56EE Privacy safeguard 2--anonymity and pseudonymity
17
(1) An accredited data recipient of CDR data must give each CDR
18
consumer for the CDR data the option of using a pseudonym, or
19
not identifying themselves, when dealing with the accredited data
20
recipient in relation to the CDR data.
21
Note:
The CDR participant from whom the accredited data recipient
22
acquired the CDR data may be subject to a similar obligation under
23
Australian Privacy Principle 2.
24
(2) That option may be given to a CDR consumer for the CDR data
25
through a designated gateway for the CDR data.
26
(3) Subsection (1) does not apply in the circumstances specified in the
27
consumer data rules.
28
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
53
Subdivision C--Collecting CDR data
1
56EF Privacy safeguard 3--soliciting CDR data from CDR
2
participants
3
(1) An accredited person must not seek to collect CDR data under the
4
consumer data rules from a CDR participant for the CDR data
5
unless:
6
(a) a CDR consumer for the CDR data has requested this by
7
giving a valid request under the consumer data rules; and
8
(b) the person complies with all other requirements in the
9
consumer data rules for the collection of the CDR data from
10
the CDR participant.
11
Note:
This subsection is a civil penalty provision (see section 56EU).
12
(2) Subsection (1) applies whether the collection is directly from the
13
CDR participant or indirectly from the CDR participant through a
14
designated gateway for the CDR data.
15
Note:
The valid request referred to in paragraph (1)(a) could be given
16
through a designated gateway (see section 56BG).
17
56EG Privacy safeguard 4--dealing with unsolicited CDR data from
18
CDR participants
19
(1) If a person:
20
(a) while the person is an accredited person, collects CDR data
21
from a CDR participant for the CDR data:
22
(i) purportedly under the consumer data rules; but
23
(ii) not as the result of seeking to collect that CDR data
24
under the consumer data rules; and
25
(b) is not required to retain that CDR data by or under an
26
Australian law or a court/tribunal order;
27
the person must destroy that CDR data as soon as practicable.
28
Note:
This subsection is a civil penalty provision (see section 56EU).
29
(2) Subsection (1) applies whether the collection is directly from the
30
CDR participant or indirectly from the CDR participant through a
31
designated gateway for the CDR data.
32
Schedule 1 Consumer data right
Part 1 Main amendments
54
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
56EH Privacy safeguard 5--notifying of the collection of CDR data
1
If a person collects CDR data in accordance with section 56EF, the
2
person must:
3
(a) take the steps specified in the consumer data rules to notify
4
CDR consumers for the CDR data of the collection; and
5
(b) ensure that this notification:
6
(i) is given to those of the CDR consumers (if there are
7
more than one) that the consumer data rules require to
8
be notified; and
9
(ii) covers the matters specified in those rules; and
10
(iii) is given at or before the time specified in those rules.
11
Note:
This section is a civil penalty provision (see section 56EU).
12
Subdivision D--Dealing with CDR data
13
56EI Privacy safeguard 6--use or disclosure of CDR data by
14
accredited data recipients or designated gateways
15
(1) An accredited data recipient of CDR data must not use or disclose
16
it unless:
17
(a) in the case of a disclosure--the disclosure is required under
18
the consumer data rules in response to a valid request from a
19
CDR consumer for the CDR data; or
20
(b) the use or disclosure is otherwise required, or authorised,
21
under the consumer data rules; or
22
(c) the use or disclosure is required or authorised by or under:
23
(i) another Australian law; or
24
(ii) a court/tribunal order;
25
and the accredited data recipient makes a written note of the
26
use or disclosure.
27
Note 1:
This subsection is a civil penalty provision (see section 56EU).
28
Note 2:
The valid request referred to in paragraph (a) could be given through a
29
designated gateway (see section 56BG).
30
Note 3:
The Australian Privacy Principles will not apply for
31
subparagraph (c)(i) (see paragraph 56EC(4)(a)).
32
(2) A designated gateway for CDR data must not use or disclose it
33
unless:
34
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
55
(a) in the case of a disclosure--the disclosure is required under
1
the consumer data rules; or
2
(b) the use or disclosure is authorised under the consumer data
3
rules; or
4
(c) the use or disclosure is required or authorised by or under:
5
(i) another Australian law; or
6
(ii) a court/tribunal order;
7
and the designated gateway makes a written note of the use
8
or disclosure in accordance with the consumer data rules.
9
Note 1:
This subsection is a civil penalty provision (see section 56EU).
10
Note 2:
Australian Privacy Principle 6 will not apply for subparagraph (c)(i)
11
(see paragraph 56EC(4)(d)).
12
(3) Neither subsection (1) nor (2) applies to the use or disclosure of
13
CDR data for the purposes of direct marketing.
14
Note:
Section 56EJ deals with the use or disclosure of CDR data for the
15
purposes of direct marketing.
16
56EJ Privacy safeguard 7--use or disclosure of CDR data for direct
17
marketing by accredited data recipients or designated
18
gateways
19
(1) An accredited data recipient of CDR data must not use or disclose
20
it for direct marketing unless:
21
(a) in the case of a disclosure--the disclosure is required under
22
the consumer data rules in response to a valid request from a
23
CDR consumer for the CDR data; or
24
(b) the use or disclosure is authorised under the consumer data
25
rules in accordance with a valid consent of a CDR consumer
26
for the CDR data.
27
Note 1:
This subsection is a civil penalty provision (see section 56EU).
28
Note 2:
The valid request referred to in paragraph (a), or the valid consent
29
referred to in paragraph (b), could be given through a designated
30
gateway (see section 56BG).
31
(2) A designated gateway for CDR data must not use or disclose it for
32
direct marketing unless:
33
(a) in the case of a disclosure--the disclosure is required under
34
the consumer data rules; or
35
Schedule 1 Consumer data right
Part 1 Main amendments
56
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(b) the use or disclosure is authorised under the consumer data
1
rules.
2
Note:
This subsection is a civil penalty provision (see section 56EU).
3
56EK Privacy safeguard 8--overseas disclosure of CDR data by
4
accredited data recipients
5
(1) If:
6
(a) an accredited data recipient of CDR data proposes to disclose
7
the CDR data; and
8
(b) the recipient (the new recipient) of the proposed disclosure:
9
(i) is not in Australia or an external Territory; and
10
(ii) is not a CDR consumer for the CDR data;
11
the accredited data recipient must not make the disclosure unless:
12
(c) the new recipient is an accredited person; or
13
(d) the accredited data recipient takes reasonable steps to ensure
14
that any act or omission by (or on behalf of) the new
15
recipient will not, after taking into account subsection (3),
16
contravene:
17
(i) subsection 56ED(3); or
18
(ii) another privacy safeguard penalty provision in relation
19
to the CDR data; or
20
(e) the accredited data recipient reasonably believes:
21
(i) that the new recipient is subject to a law, or binding
22
scheme, that provides substantially similar protection
23
for the CDR data as the privacy safeguards provide in
24
relation to accredited data recipients; and
25
(ii) that a CDR consumer for the CDR data will be able to
26
enforce those protections provided by that law or
27
binding scheme; or
28
(f) the conditions specified in the consumer data rules are met.
29
Note 1:
This subsection is a civil penalty provision (see section 56EU).
30
Note 2:
This subsection applies in addition to the disclosure restrictions in
31
sections 56EI, 56EJ and 56EL.
32
Note 3:
A similar disclosure by a data holder of the CDR data that is required
33
under the consumer data rules will be covered by Australian Privacy
34
Principle 8 if the CDR data is personal information about an
35
individual.
36
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
57
(2) If:
1
(a) the accredited data recipient of the CDR data makes the
2
disclosure to the new recipient; and
3
(b) none of paragraphs (1)(c), (e) and (f) apply in relation to the
4
disclosure to the new recipient; and
5
(c) an act or omission by (or on behalf of) the new recipient,
6
after taking into account subsection (3), contravenes:
7
(i) subsection 56ED(3); or
8
(ii) another privacy safeguard penalty provision in relation
9
to the CDR data;
10
then the act or omission is taken to also be an act or omission by
11
the accredited data recipient.
12
(3) For the purposes of paragraphs (1)(d) and (2)(c), assume that the
13
privacy safeguards apply to the new recipient as if the new
14
recipient were an accredited data recipient for the CDR data.
15
56EL Privacy safeguard 9--adoption or disclosure of government
16
related identifiers by accredited data recipients
17
(1) If:
18
(a) a person is an accredited data recipient of CDR data; and
19
(b) the CDR data includes a government related identifier
20
(within the meaning of the Privacy Act 1988) of a CDR
21
consumer for the CDR data who is an individual;
22
the person must not adopt the government related identifier as the
23
person's own identifier of the CDR consumer, or otherwise use the
24
government related identifier, unless:
25
(c) the adoption or use is required or authorised by or under:
26
(i) an Australian law other than the consumer data rules; or
27
(ii) a court/tribunal order; or
28
(d) subclause 9.3 of Australian Privacy Principle 9 applies in
29
relation to the adoption or use.
30
Note:
This subsection is a civil penalty provision (see section 56EU).
31
(2) If:
32
(a) a person who is an accredited data recipient of CDR data
33
proposes to disclose the CDR data; and
34
Schedule 1 Consumer data right
Part 1 Main amendments
58
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(b) the CDR data includes a government related identifier
1
(within the meaning of the Privacy Act 1988) of a CDR
2
consumer for the CDR data who is an individual;
3
the person must not include the government related identifier in the
4
disclosure unless:
5
(c) this is required or authorised by or under:
6
(i) an Australian law other than the consumer data rules; or
7
(ii) a court/tribunal order; or
8
(d) subclause 9.3 of Australian Privacy Principle 9 applies in
9
relation to the disclosure.
10
Note 1:
This subsection is a civil penalty provision (see section 56EU).
11
Note 2:
This subsection applies in addition to the disclosure restrictions in
12
sections 56EI, 56EJ and 56EK.
13
(3) For the purposes of paragraph (1)(d) or (2)(d), disregard
14
paragraph 56EC(4)(a) (about the APPs not applying).
15
56EM Privacy safeguard 10--notifying of the disclosure of CDR
16
data
17
(1) If a data holder of CDR data is required or authorised under the
18
consumer data rules to disclose the CDR data to a person, the data
19
holder must:
20
(a) take the steps specified in the consumer data rules to notify
21
CDR consumers for the CDR data of the disclosure; and
22
(b) ensure that this notification:
23
(i) is given to those of the CDR consumers (if there are
24
more than one) that the consumer data rules require to
25
be notified; and
26
(ii) covers the matters specified in those rules; and
27
(iii) is given at or before the time specified in those rules.
28
Note:
This subsection is a civil penalty provision (see section 56EU).
29
(2) If an accredited data recipient of CDR data discloses the CDR data,
30
the accredited data recipient must:
31
(a) take the steps specified in the consumer data rules to notify
32
CDR consumers for the CDR data of the disclosure; and
33
(b) ensure that this notification:
34
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
59
(i) is given to those of the CDR consumers (if there are
1
more than one) that the consumer data rules require to
2
be notified; and
3
(ii) covers the matters specified in those rules; and
4
(iii) is given at or before the time specified in those rules.
5
Note:
This subsection is a civil penalty provision (see section 56EU).
6
(3) To avoid doubt, subsection (1) or (2) applies even if the disclosure
7
of the CDR data is to a designated gateway for the CDR data as
8
required or authorised under the consumer data rules.
9
Note:
The designated gateway may be subject to a similar notification
10
requirement under the consumer data rules (see
11
paragraph 56BG(1)(c)).
12
Subdivision E--Integrity of CDR data
13
56EN Privacy safeguard 11--quality of CDR data
14
Disclosures by data holders
15
(1) If a data holder of CDR data is required or authorised under the
16
consumer data rules to disclose the CDR data, the data holder must
17
take reasonable steps to ensure that the CDR data is, having regard
18
to the purpose for which it is held, accurate, up to date and
19
complete.
20
Note:
This subsection is a civil penalty provision (see section 56EU).
21
Disclosures by accredited data recipients
22
(2) If an accredited data recipient of CDR data is disclosing the CDR
23
data when:
24
(a) required under the consumer data rules to do so in response
25
to a valid request from a CDR consumer for the CDR data; or
26
(b) otherwise required, or authorised, under the consumer data
27
rules to do so;
28
the accredited data recipient must take reasonable steps to ensure
29
that the CDR data is, having regard to the purpose for which it is
30
held, accurate, up to date and complete.
31
Note 1:
This subsection is a civil penalty provision (see section 56EU).
32
Schedule 1 Consumer data right
Part 1 Main amendments
60
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
Note 2:
The valid request referred to in paragraph (a) could be given through a
1
designated gateway (see section 56BG).
2
(3) If a CDR participant for CDR data:
3
(a) makes a disclosure referred to in subsection (1) or (2) for a
4
CDR consumer; and
5
(b) later becomes aware that some or all of the CDR data was
6
incorrect when it was disclosed because, having regard to the
7
purpose for which it was held, it was inaccurate, out of date
8
or incomplete;
9
the CDR participant must advise the CDR consumer accordingly in
10
accordance with the consumer data rules.
11
Note:
This subsection is a civil penalty provision (see section 56EU).
12
Disclosing corrected CDR data
13
(4) If:
14
(a) a CDR consumer for CDR data is advised under
15
subsection (3) by a CDR participant for the CDR data that
16
some or all of the CDR data was incorrect when the CDR
17
participant had earlier disclosed it; and
18
(b) the CDR consumer requests the CDR participant to fix this
19
by disclosing the corrected CDR data;
20
the CDR participant must comply with the request by disclosing
21
the corrected CDR data to the recipient of that earlier disclosure.
22
Note:
This subsection is a civil penalty provision (see section 56EU).
23
Purpose for which the CDR data was held
24
(5) When working out the purpose for which the CDR data is or was
25
held, disregard the purpose of holding the CDR data so that it can
26
be disclosed as required under the consumer data rules.
27
Note:
This subsection is relevant for subsections (1) and (2) and
28
paragraph (3)(b).
29
56EO Privacy safeguard 12--security of CDR data, and destruction
30
or de-identification of redundant CDR data
31
(1) Each person (a CDR entity) who is:
32
(a) an accredited data recipient of CDR data; or
33
(b) a designated gateway for CDR data;
34
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
61
must take the steps specified in the consumer data rules to protect
1
the CDR data from:
2
(c) misuse, interference and loss; and
3
(d) unauthorised access, modification or disclosure.
4
Note:
This subsection is a civil penalty provision (see section 56EU).
5
(2) If:
6
(a) the CDR entity no longer needs any of that CDR data for
7
either of the following purposes (the redundant data):
8
(i) a purpose permitted under the consumer data rules;
9
(ii) a purpose for which the person is able to use or disclose
10
it in accordance with this Division; and
11
(b) the CDR entity is not required to retain the redundant data by
12
or under an Australian law or a court/tribunal order; and
13
(c) the redundant data does not relate to any current or
14
anticipated:
15
(i) legal proceedings; or
16
(ii) dispute resolution proceedings;
17
to which the CDR entity is a party;
18
the CDR entity must take the steps specified in the consumer data
19
rules to destroy the redundant data or to ensure that the redundant
20
data is de-identified.
21
Note 1:
This subsection is a civil penalty provision (see section 56EU).
22
Note 2:
Australian Privacy Principle 11 will not apply for paragraph (b) (see
23
paragraph 56EC(4)(a) or (d)).
24
Subdivision F--Correction of CDR data
25
56EP Privacy safeguard 13--correction of CDR data
26
Obligation on data holders
27
(1) If:
28
(a) a CDR consumer for CDR data gives a request to a data
29
holder of the CDR data (including a request given through a
30
designated gateway for the CDR data); and
31
(b) the request is for the data holder to correct the CDR data; and
32
(c) the data holder was earlier required or authorised under the
33
consumer data rules to disclose the CDR data;
34
Schedule 1 Consumer data right
Part 1 Main amendments
62
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
the data holder must respond to the request to correct the CDR data
1
by taking such steps as are specified in the consumer data rules to
2
deal with each of the matters in subsection (3).
3
Note:
This subsection is a civil penalty provision (see section 56EU).
4
Obligation on accredited data recipients
5
(2) If:
6
(a) a CDR consumer for CDR data gives a request to an
7
accredited data recipient of the CDR data (including a request
8
given through a designated gateway for the CDR data); and
9
(b) the request is for the accredited data recipient to correct the
10
CDR data;
11
the accredited data recipient must respond to the request by taking
12
such steps as are specified in the consumer data rules to deal with
13
each of the matters in subsection (3).
14
Note:
This subsection is a civil penalty provision (see section 56EU).
15
Relevant matters when responding to correction requests
16
(3) The matters are as follows:
17
(a) either:
18
(i) to correct the CDR data; or
19
(ii) to include a statement with the CDR data, to ensure that,
20
having regard to the purpose for which the CDR data is
21
held, the CDR data is accurate, up to date, complete and
22
not misleading;
23
(b) to give notice of any correction or statement, or notice of
24
why a correction or statement is unnecessary or
25
inappropriate.
26
(4) When working out the purpose for which the CDR data is held (see
27
subparagraph (3)(a)(ii)), disregard the purpose of holding the CDR
28
data so that it can be disclosed as required under the consumer data
29
rules.
30
Subdivision G--Compliance with the privacy safeguards
31
56EQ Information Commissioner to promote compliance etc.
32
(1) The Information Commissioner has the following functions:
33
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
63
(a) making guidelines for the avoidance of acts or practices that
1
may breach the privacy safeguards;
2
(b) promoting an understanding and acceptance of the privacy
3
safeguards;
4
(c) undertaking educational programs for the purposes of
5
promoting the protection of CDR data.
6
Note:
The Information Commissioner also has functions that relate to this
7
Part more broadly (see section 56GA).
8
Extra matters about guidelines under paragraph (1)(a)
9
(2) Before making guidelines under paragraph (1)(a), the Information
10
Commissioner must consult the Minister and the Commission
11
about the proposed guidelines.
12
(3) The Information Commissioner may publish guidelines made
13
under paragraph (1)(a) in such manner as the Information
14
Commissioner considers appropriate.
15
(4) If there is an inconsistency between the guidelines made under
16
paragraph (1)(a) and the consumer data rules, those rules prevail
17
over the guidelines to the extent of the inconsistency.
18
(5) Guidelines made under paragraph (1)(a) are not a legislative
19
instrument.
20
Extra matters about educational programs under paragraph (1)(c)
21
(6) The educational programs referred to in paragraph (1)(c) may be
22
undertaken by:
23
(a) the Information Commissioner; or
24
(b) a person or authority acting on behalf of the Information
25
Commissioner.
26
56ER Information Commissioner may conduct an assessment
27
relating to the management and handling of CDR data
28
(1) The Information Commissioner may assess whether a CDR
29
participant, or designated gateway, for CDR data is maintaining
30
and handling the CDR data in accordance with:
31
(a) the privacy safeguards; or
32
(b) the consumer data rules to the extent that those rules relate to:
33
Schedule 1 Consumer data right
Part 1 Main amendments
64
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(i) the privacy safeguards; or
1
(ii) the privacy or confidentiality of the CDR data.
2
(2) The Information Commissioner may conduct the assessment in
3
such manner as the Information Commissioner considers fit.
4
(3) The Information Commissioner may report to the Minister, the
5
Commission or the Data Standards Chair about the assessment.
6
56ES Notification of CDR data security breaches
7
Object
8
(1) The object of this section is for Part IIIC of the Privacy Act 1988 to
9
apply to an accredited data recipient, or designated gateway, that
10
holds a CDR consumer's CDR data in a corresponding way to the
11
way that Part applies to an entity that holds an individual's
12
personal information.
13
Note:
That Part is about notification of eligible data breaches.
14
Extended application of Part IIIC of the Privacy Act 1988
15
(2) Part IIIC of the Privacy Act 1988, and any other provision of that
16
Act that relates to that Part, also apply in relation to:
17
(a) an accredited data recipient of CDR data; or
18
(b) a designated gateway for CDR data;
19
as if the substitutions in the following table, and the modifications
20
in subsection (3), were made.
21
22
Substitutions to be made
Item
For a reference in Part IIIC to ...
... substitute a reference to ...
1
any of the following:
(a) personal information;
(b) information
CDR data.
2
any of the following:
(a) entity;
(b) APP entity;
(c) APP entity, credit reporting
body, credit provider or file
number recipient, as the case
each of the following:
(a) accredited data recipient;
(b) designated gateway.
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
65
Substitutions to be made
Item
For a reference in Part IIIC to ...
... substitute a reference to ...
may be
3
any of the following:
(a) individual to whom information
relates;
(b) individual
CDR consumer for CDR data.
Note:
When CDR data and the other terms in the last column of the table
1
appear in this notional version of Part IIIC, they have the same
2
meanings as in this Act.
3
(3) For the purposes of subsection (2), assume that:
4
(a) sections 26WB to 26WD of the Privacy Act 1988 were not
5
enacted; and
6
(b) subsection 26WE(1) of that Act were replaced with the
7
following:
8
"Scope
9
(1) This section applies if:
10
(a) CDR data of one or more CDR consumers is held by (or on
11
behalf of) either of the following entities (the CDR entity):
12
(i) an accredited data recipient of the CDR data;
13
(ii) a designated gateway for the CDR data; and
14
(b) section 56EO (about privacy safeguard 12) of the
15
Competition and Consumer Act 2010 applies to the CDR
16
entity in relation to the CDR data.".
17
56ET Investigating breaches of the privacy safeguards etc.
18
Breaches to which this section applies
19
(1) This section applies to a breach (a privacy safeguard breach) of
20
any of the following:
21
(a) one or more of the privacy safeguards;
22
(b) the consumer data rules to the extent that those rules relate:
23
(i) to one or more of the privacy safeguards; or
24
(ii) to the privacy or confidentiality of CDR data;
25
Schedule 1 Consumer data right
Part 1 Main amendments
66
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(c) section 26WH, 26WK or 26WL or subsection 26WR(10) of
1
the Privacy Act 1988, as they apply because of section 56ES
2
of this Act;
3
in relation to the CDR data of:
4
(d) a CDR consumer who is an individual; or
5
(e) a small business (within the meaning of the Privacy Act
6
1988) carried on by a CDR consumer for the CDR data.
7
(2) This section also applies to a breach of section 56ED (privacy
8
safeguard 1).
9
Object
10
(3) The object of this section is for Part V of the Privacy Act 1988 to
11
apply to an act or practice:
12
(a) of a CDR participant or designated gateway; and
13
(b) that may be:
14
(i) a privacy safeguard breach relating to CDR data
15
covered by subsection (1); or
16
(ii) a breach of section 56ED (privacy safeguard 1);
17
in a corresponding way to the way that Part applies to an act of
18
practice of an organisation, person or entity that may be an
19
interference with the privacy of an individual or a breach of
20
Australian Privacy Principle 1.
21
Note:
That Part is about investigations of interferences with privacy etc.
22
Extended application of Part V of the Privacy Act 1988
23
(4) Part V of the Privacy Act 1988, and any other provision of that Act
24
that relates to that Part, also apply in relation to:
25
(a) a CDR participant for CDR data; or
26
(b) a designated gateway for CDR data;
27
as if the substitutions in the following table, and the modifications
28
in subsection (5), were made.
29
30
Substitutions to be made
Item
For a reference in Part V to ...
... substitute a reference to ...
1
interference with the privacy of
an individual
a privacy safeguard breach relating to
the CDR data of:
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
67
Substitutions to be made
Item
For a reference in Part V to ...
... substitute a reference to ...
(a) a CDR consumer who is an
individual; or
(b) a small business (within the
meaning of the Privacy Act 1988)
carried on by a CDR consumer for
the CDR data.
2
Australian Privacy Principle 1
section 56ED (privacy safeguard 1) of
this Act.
3
individual
a person who:
(a) is a CDR consumer for the CDR
data to which the privacy safeguard
breach (or possible privacy
safeguard breach) relates; and
(b) is an individual, or is carrying on a
small business (within the meaning
of the Privacy Act 1988) to which
the CDR data relates.
4
recognised external dispute
resolution scheme
an external dispute resolution scheme
for which an instrument is in force
under subsection 56DA(1) of this Act.
5
occupied by an agency, an
organisation, a file number
recipient, a credit reporting body
or a credit provider
occupied by (or on behalf of):
(a) a CDR participant for CDR data; or
(b) a designated gateway for CDR data.
Note 1:
When CDR data and the other terms in the last column of the table
1
appear in this notional version of Part V, they have the same meanings
2
as in this Act.
3
Note 2:
Table item 5 relates to subsection 68(1) of that Act.
4
(5) For the purposes of subsection (4), assume that:
5
(a) subsection 5B(4) of the Privacy Act 1988 were not enacted;
6
and
7
(b) section 36 of that Act also stated that:
8
(i) in the case of a complaint about an act or practice of a
9
CDR participant--the CDR participant is the
10
respondent; or
11
Schedule 1 Consumer data right
Part 1 Main amendments
68
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(ii) in the case of a complaint about an act or practice of a
1
designated gateway--the designated gateway is the
2
respondent; and
3
(c) subsections 36(6) to (8), section 37, subsections 40(1B),
4
43(1A), (8), (8A) and (9) and 48(2), section 50A,
5
sub-subparagraph 52(1)(b)(i)(A) and sections 53A and 53B
6
of that Act were not enacted; and
7
(d) the paragraphs in each of subsections 55B(1) and (3) of that
8
Act were replaced by:
9
(i) a paragraph that states that an act or practice of a
10
specified CDR participant for CDR data has breached a
11
privacy safeguard; and
12
(ii) a paragraph that states that an act or practice of a
13
specified designated gateway for CDR data has
14
breached a privacy safeguard; and
15
(e) Division 4 of Part V, and subsection 63(2A), of that Act were
16
not enacted.
17
56EU Civil penalty provisions
18
The provisions of this Division that are civil penalty provisions
19
(1) For the purposes of subparagraph 79(2)(a)(ii) of the Regulatory
20
Powers Act, each of the following provisions of this Division (the
21
privacy safeguard penalty provisions) is a civil penalty provision:
22
(a) subsection 56ED(3);
23
(b) subsection 56EF(1);
24
(c) subsection 56EG(1);
25
(d) section 56EH;
26
(e) subsection 56EI(1) or (2);
27
(f) subsection 56EJ(1) or (2);
28
(g) subsection 56EK(1);
29
(h) subsection 56EL(1) or (2);
30
(i) subsection 56EM(1) or (2);
31
(j) subsection 56EN(1), (2), (3) or (4);
32
(k) subsection 56EO(1) or (2);
33
(l) subsection 56EP(1) or (2).
34
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
69
Enforceable civil penalty provisions
1
(2) Each privacy safeguard penalty provision is enforceable under
2
Part 4 of the Regulatory Powers Act.
3
Note:
Part 4 of the Regulatory Powers Act allows a civil penalty provision to
4
be enforced by obtaining an order for a person to pay a pecuniary
5
penalty for the contravention of the provision.
6
Authorised applicant
7
(3) For the purposes of Part 4 of the Regulatory Powers Act, the
8
Information Commissioner is an authorised applicant in relation to
9
each privacy safeguard penalty provision.
10
Relevant court
11
(4) For the purposes of Part 4 of the Regulatory Powers Act, each of
12
the following courts is a relevant court in relation to each privacy
13
safeguard penalty provision:
14
(a) the Federal Court;
15
(b) the Federal Circuit Court;
16
(c) a court of a State or Territory that has jurisdiction in relation
17
to the matter.
18
Act or omission also contravening a civil penalty provision of the
19
consumer data rules
20
(5) If an act or omission constitutes:
21
(a) a contravention of one or more of the privacy safeguard
22
penalty provisions; and
23
(b) a contravention of one or more civil penalty provisions of the
24
consumer data rules;
25
proceedings may be instituted against a person in relation to the
26
contravention of any one or more of those provisions.
27
Note 1:
The proceedings for a contravention referred to in paragraph (a) would
28
be instituted under Part 4 of the Regulatory Powers Act.
29
Note 2:
The proceedings for a contravention referred to in paragraph (b)
30
would be instituted under Part VI of this Act.
31
(6) However, the person is not liable to more than one pecuniary
32
penalty under:
33
Schedule 1 Consumer data right
Part 1 Main amendments
70
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(a) Part 4 of the Regulatory Powers Act for a contravention
1
referred to in paragraph (5)(a) of this section; and
2
(b) Part VI of this Act for a contravention referred to in
3
paragraph (5)(b) of this section;
4
in relation to the same act or omission.
5
Note:
This means the person cannot be liable for a pecuniary penalty for a
6
contravention of the privacy safeguards, and for a pecuniary penalty
7
for a contravention of the consumer data rules, in relation to the same
8
act or omission.
9
56EV Civil penalty provisions--maximum amount of penalty
10
(1) Despite subsection 82(5) of the Regulatory Powers Act, the
11
pecuniary penalty payable:
12
(a) by a person; and
13
(b) under a civil penalty order under Part 4 of that Act (as that
14
Part applies because of section 56EU of this Act);
15
must not be more than the maximum penalty amount worked out
16
under this section for a contravention by the person.
17
Maximum amount of civil penalty for a body corporate
18
(2) For the purposes of subsection (1), the maximum penalty amount
19
for a contravention by a body corporate of a privacy safeguard
20
penalty provision is the greater of the following:
21
(a) $10,000,000;
22
(b) if the relevant court (see subsection 56EU(4)) can determine
23
the value of the benefit that the body corporate, and any body
24
corporate related to the body corporate, have obtained
25
directly or indirectly and that is reasonably attributable to the
26
contravention--3 times the value of that benefit;
27
(c) if that court cannot determine the value of that benefit--10%
28
of the annual turnover of the body corporate during the
29
12-month period ending at the end of the month in which the
30
contravention happened or began.
31
(3) For the purposes of paragraph (2)(c), annual turnover has the
32
same meaning as in Division 1 of Part IV.
33
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
71
Maximum amount of civil penalty for other persons
1
(4) For the purposes of subsection (1), the maximum penalty amount
2
for a contravention by a person other than a body corporate of a
3
privacy safeguard penalty provision is $500,000.
4
56EW Enforceable undertakings
5
Enforceable provisions
6
(1) Each provision of the privacy safeguards is enforceable under
7
Part 6 of the Regulatory Powers Act.
8
Note:
Part 6 of the Regulatory Powers Act creates a framework for accepting
9
and enforcing undertakings relating to compliance with provisions.
10
Authorised person
11
(2) For the purposes of Part 6 of the Regulatory Powers Act, the
12
Information Commissioner is an authorised person in relation to
13
each provision referred to in subsection (1).
14
Relevant court
15
(3) For the purposes of Part 6 of the Regulatory Powers Act, each of
16
the following courts is a relevant court in relation to each provision
17
referred to in subsection (1):
18
(a) the Federal Court;
19
(b) the Federal Circuit Court;
20
(c) a court of a State or Territory that has jurisdiction in relation
21
to the matter.
22
56EX Injunctions
23
Enforceable provisions
24
(1) Each provision of the privacy safeguards is enforceable under
25
Part 7 of the Regulatory Powers Act.
26
Note:
Part 7 of the Regulatory Powers Act creates a framework for using
27
injunctions to enforce provisions.
28
Schedule 1 Consumer data right
Part 1 Main amendments
72
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
Authorised person
1
(2) For the purposes of Part 7 of the Regulatory Powers Act, the
2
Information Commissioner is an authorised person in relation to
3
each provision referred to in subsection (1).
4
Relevant court
5
(3) For the purposes of Part 7 of the Regulatory Powers Act, each of
6
the following courts is a relevant court in relation to each provision
7
referred to in subsection (1):
8
(a) the Federal Court;
9
(b) the Federal Circuit Court;
10
(c) a court of a State or Territory that has jurisdiction in relation
11
to the matter.
12
56EY Actions for damages
13
Right to bring an action for damages
14
(1) A person who suffers loss or damage (within the meaning of
15
subsection 25(1) of the Privacy Act 1988) by an act or omission:
16
(a) of another person; and
17
(b) that was in contravention of:
18
(i) a provision of the privacy safeguards; or
19
(ii) the consumer data rules to the extent that those rules
20
relate to the privacy safeguards or to the privacy or
21
confidentiality of CDR data;
22
may recover the amount of the loss or damage by action against
23
that other person or against any person involved in the
24
contravention.
25
Note:
Subsections 84(2) and (4) (about attributing conduct engaged in on
26
behalf of a person) apply for the purposes of this section.
27
(2) An action under subsection (1) may be commenced at any time
28
within 6 years after the day on which the contravention happened
29
or began.
30
Findings in related proceedings to be prima facie evidence
31
(3) If a finding of any fact is made by a court in relation to a person, or
32
an admission of any fact is made by a person, in proceedings:
33
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
73
(a) under the Regulatory Powers Act (as that Act applies because
1
of this Subdivision) in which the person is found to have
2
contravened a provision of the privacy safeguards; or
3
(b) under Part VI of this Act in which the person is found to:
4
(i) have contravened; or
5
(ii) have been involved in a contravention;
6
of the consumer data rules to the extent that those rules relate
7
to the privacy safeguards or to the privacy or confidentiality
8
of CDR data;
9
the finding or admission is prima facie evidence of that fact in any
10
proceeding under subsection (1) against the person.
11
(4) The finding or admission may be proved by production of:
12
(a) in any case--a document under the seal of the court from
13
which the finding or admission appears; or
14
(b) in the case of an admission--a document from which the
15
admission appears that is filed in the court.
16
Jurisdiction etc.
17
(5) The following are conferred with jurisdiction to hear and determine
18
actions under subsection (1):
19
(a) the Federal Circuit Court;
20
(b) subject to the Constitution, the several courts of the
21
Territories.
22
This subsection does not enable an inferior court of a Territory to
23
grant a remedy of a kind that the court is unable to grant under the
24
law of that Territory.
25
Note:
State courts and the Federal Court also have jurisdiction for these
26
actions (see subsection 39(2) and paragraph 39B(1A)(c) of the
27
Judiciary Act 1903).
28
(6) Section 86AA (about limits on jurisdiction) applies to proceedings
29
under subsection (1) of this section in a corresponding way to the
30
way that section applies to proceedings under section 82.
31
(7) Section 86A (about transfer of matters) applies in relation to a
32
proceeding under subsection (1) of this section as if
33
paragraph 86A(1)(b) also referred to a matter for determination
34
arising under:
35
(a) a provision of the privacy safeguards; or
36
Schedule 1 Consumer data right
Part 1 Main amendments
74
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(b) the consumer data rules to the extent that those rules relate to
1
the privacy safeguards or to the privacy or confidentiality of
2
CDR data.
3
Involved in a contravention
4
(8) Subsection 75B(1) applies to a reference that:
5
(a) is in this section; and
6
(b) is to a person involved in a contravention covered by
7
paragraph (1)(b) of this section;
8
in a corresponding way to the way that subsection 75B(1) applies
9
to a reference in Part VI to a person involved in a contravention of
10
section 56CD.
11
56EZ Delegation to the Commission etc.
12
(1) This section applies in relation to the following functions or
13
powers (the safeguard enforcement functions or powers):
14
(a) the Information Commissioner's functions or powers under
15
section 56ER;
16
(b) the Information Commissioner's functions or powers under
17
Part IIIC or V of the Privacy Act 1988, as those Parts apply
18
because of sections 56ES and 56ET of this Act;
19
(c) the Information Commissioner's functions or powers under
20
Part 4, 6 or 7 of the Regulatory Powers Act, that are
21
conferred because of this Subdivision.
22
(2) The Information Commissioner may delegate, in writing, any of
23
the safeguard enforcement functions or powers to:
24
(a) the Commission; or
25
(b) a member of the Commission; or
26
(c) a member of the staff of the Commission referred to in
27
section 27 of this Act.
28
(3) However, the Information Commissioner must not delegate a
29
safeguard enforcement function or power under subsection (2)
30
unless:
31
(a) the Commission has agreed to the delegation in writing; and
32
(b) in the case of a delegation to a staff member referred to in
33
paragraph (2)(c)--the Commission is satisfied that the staff
34
member:
35
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
75
(i) is an SES employee or acting SES employee; or
1
(ii) is holding or performing the duties of a sufficiently
2
senior office or position for the function or power.
3
Division 6--Data standards etc.
4
Subdivision A--Data standards
5
56FA Making data standards
6
(1) The Data Standards Chair may, by writing, make one or more data
7
standards about each of the following matters:
8
(a) the format and description of CDR data;
9
(b) the disclosure of CDR data;
10
(c) the collection, use, accuracy, storage, security and deletion of
11
CDR data;
12
(d) de-identifying CDR data, including so that it no longer
13
relates to:
14
(i) an identifiable person; or
15
(ii) a person who is reasonably identifiable;
16
(e) other matters prescribed by the regulations.
17
Note:
For variation and repeal, see subsection 33(3) of the Acts
18
Interpretation Act 1901.
19
Complying with consumer data rules when making standards etc.
20
(2) The Data Standards Chair must comply with the consumer data
21
rules when:
22
(a) making a data standard; or
23
(b) varying or revoking a data standard;
24
including complying with any related requirements specified in
25
those rules about approval, consultation and the formation of
26
committees, advisory panels and consultative groups.
27
Note:
The rules could, for example, require a proposed data standard to be
28
approved by the Commission before it is made.
29
(3) Without limiting subsection (2), the Data Standards Chair must:
30
(a) make, under subsection (1), a data standard about a particular
31
matter mentioned in subsection (1) if the consumer data rules
32
so requires; and
33
Schedule 1 Consumer data right
Part 1 Main amendments
76
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(b) specify in that data standard that it is binding if the consumer
1
data rules so requires.
2
A data standard is a binding data standard if it is made under
3
subsection (1) in accordance with paragraph (b) of this subsection.
4
Data standards are not legislative instruments
5
(4) A data standard made under subsection (1) is not a legislative
6
instrument.
7
56FB What data standards can set out etc.
8
(1) Without limiting subsection 56FA(1), a single data standard may
9
set out:
10
(a) different provisions for different designated sectors; or
11
(b) different provisions for different classes of CDR data; or
12
(c) different provisions for different classes of persons specified,
13
as described in paragraph 56AC(2)(b), in an instrument
14
designating a sector under subsection 56AC(2); or
15
(d) different provisions for different classes of accredited
16
persons.
17
(2) Without limiting subsection 56FA(1), a separate data standard
18
could deal with:
19
(a) each of the different designated sectors referred to in
20
paragraph (1)(a) of this section; or
21
(b) each of the different classes referred to in paragraph (1)(b),
22
(c) or (d) of this section.
23
56FC Data standards must be published
24
The Data Standards Chair must publish on the internet a copy of
25
each data standard made under subsection 56FA(1).
26
Note:
Once published, the data standards will be available for free.
27
56FD Legal effect of data standards
28
(1) A contract is taken to be in force between:
29
(a) a data holder of CDR data to which a binding data standard
30
applies; and
31
(b) each accredited person;
32
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
77
under which each of those persons:
1
(c) agrees to observe the standard to the extent that the standard
2
applies to the person; and
3
(d) agrees to engage in conduct that the person is required by the
4
standard to engage in.
5
Note:
This means the data holder will be taken to have a separate contract
6
with each accredited person.
7
(2) If there is a designated gateway for CDR data to which a binding
8
data standard applies, a contract is taken to be in force between:
9
(a) a data holder of the CDR data; and
10
(b) the designated gateway for the CDR data; and
11
(c) each accredited person;
12
under which each of those persons:
13
(d) agrees to observe the standard to the extent that the standard
14
applies to the person; and
15
(e) agrees to engage in conduct that the person is required by the
16
standard to engage in.
17
Note:
This means the data holder will be taken to have a separate 3-party
18
contract with the designated gateway and each accredited person.
19
(3) However, if there is an inconsistency between a data standard, and
20
the consumer data rules, those rules prevail over the standard to the
21
extent of the inconsistency.
22
56FE Enforcement of binding data standards
23
(1) If a person who is under an obligation to comply with a binding
24
data standard fails to meet that obligation, an application to the
25
Court may be made by:
26
(a) the Commission; or
27
(b) a person aggrieved by the failure.
28
(2) After giving an opportunity to be heard to the applicant and the
29
person against whom the order is sought, the Court may make an
30
order giving directions to:
31
(a) the person against whom the order is sought; or
32
(b) if that person is a body corporate--the directors of the body
33
corporate;
34
Schedule 1 Consumer data right
Part 1 Main amendments
78
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
about compliance with, or enforcement of, the binding data
1
standard.
2
(3) Without limiting subsection (1), an obligation to comply with a
3
binding data standard includes an obligation arising under a
4
contract referred to in section 56FD.
5
Subdivision B--Data Standards Chair
6
56FF Data Standards Chair
7
There is to be a Data Standards Chair.
8
56FG Appointment of the Data Standards Chair
9
(1) The Data Standards Chair is to be appointed, on a full-time basis or
10
a part-time basis, by the Minister by written instrument.
11
(2) The Data Standards Chair holds office for the period specified in
12
the instrument of appointment. The period must not exceed 3 years.
13
Note 1:
The Minister will be the Data Standards Chair in the absence of an
14
appointment under this section (see the definition of Data Standards
15
Chair in subsection 4(1)).
16
Note 2:
The Data Standards Chair may be reappointed (see section 33AA of
17
the Acts Interpretation Act 1901).
18
56FH Functions and powers of the Data Standards Chair
19
(1) The functions of the Data Standards Chair are:
20
(a) to make standards under Subdivision A; and
21
(b) to review those standards regularly; and
22
(c) such other functions as are prescribed by the regulations.
23
(2) The Data Standards Chair has the following powers:
24
(a) the power to establish committees, advisory panels and
25
consultative groups;
26
(b) the power to do all other things necessary or convenient to be
27
done for or in connection with the performance of the Chair's
28
functions.
29
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
79
56FI Directions by Minister
1
(1) The Minister may, by legislative instrument, give written directions
2
to the Data Standards Chair about the performance of the Chair's
3
functions and the exercise of the Chair's powers.
4
Note:
Section 42 (disallowance) and Part 4 of Chapter 3 (sunsetting) of the
5
Legislation Act 2003 do not apply to the directions (see regulations
6
made for the purposes of paragraphs 44(2)(b) and 54(2)(b) of that
7
Act).
8
(2) A direction under subsection (1) must be of a general nature only.
9
(3) The Data Standards Chair must comply with a direction under
10
subsection (1).
11
Subdivision C--Data Standards Body
12
56FJ Appointment of the Data Standards Body
13
(1) The Minister may, by written instrument, appoint as the Data
14
Standards Body:
15
(a) the Department; or
16
(b) another Commonwealth entity (within the meaning of the
17
Public Governance, Performance and Accountability Act
18
2013).
19
Note:
For variation, see subsection 33(3) of the Acts Interpretation Act 1901.
20
(2) The Minister may, at any time by written instrument, terminate an
21
appointment made under subsection (1).
22
56FK Function and powers of the Data Standards Body
23
(1) The function of the Data Standards Body is to assist the Data
24
Standards Chair.
25
(2) The Data Standards Body has the power to do all other things
26
necessary or convenient to be done for or in connection with the
27
performance of the Data Standards Body's function.
28
(3) The Data Standards Body must comply with the consumer data
29
rules when assisting the Data Standards Chair, including
30
complying with any requirements specified in those rules about:
31
(a) the Body's composition; or
32
Schedule 1 Consumer data right
Part 1 Main amendments
80
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(b) the Body's governance or processes.
1
(4) To avoid doubt, for a body that is the Data Standards Body, the
2
body's functions and powers in its capacity other than as the Data
3
Standards Body are taken to include the function and powers of the
4
Data Standards Body while it is the Data Standards Body.
5
Subdivision D--Administrative provisions
6
56FL Acting appointments
7
The Minister may, by written instrument, appoint a person to act as
8
the Data Standards Chair:
9
(a) during a vacancy in the office of Data Standards Chair
10
(whether or not an appointment has previously been made to
11
the office); or
12
(b) during any period, or during all periods, when the Data
13
Standards Chair:
14
(i) is absent from duty or from Australia; or
15
(ii) is, for any reason, unable to perform the duties of the
16
office.
17
Note:
For rules that apply to acting appointments, see sections 33AB and
18
33A of the Acts Interpretation Act 1901.
19
56FM Terms and conditions
20
(1) The Data Standards Chair holds office on the terms and conditions
21
(if any) in relation to matters not covered by this Division that are
22
determined by the Minister.
23
(2) Subsection (1) does not apply while the Data Standards Chair is the
24
Minister.
25
56FN Remuneration
26
(1) The Data Standards Chair is to be paid the remuneration that is
27
determined by the Remuneration Tribunal. If no determination of
28
that remuneration by the Tribunal is in operation, the Data
29
Standards Chair is to be paid the remuneration that is prescribed by
30
the regulations.
31
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
81
(2) The Data Standards Chair is to be paid the allowances that are
1
prescribed by the regulations.
2
(3) This section has effect subject to the Remuneration Tribunal Act
3
1973.
4
(4) Subsections (1) and (2) do not apply while the Data Standards
5
Chair is the Minister.
6
56FO Leave
7
(1) If the Data Standards Chair is appointed on a full-time basis, the
8
Data Standards Chair has the recreation leave entitlements that are
9
determined by the Remuneration Tribunal.
10
(2) If the Data Standards Chair is appointed on a full-time basis, the
11
Minister may grant the Data Standards Chair leave of absence,
12
other than recreation leave, on the terms and conditions as to
13
remuneration or otherwise that the Minister determines.
14
(3) If the Data Standards Chair is appointed on a part-time basis, the
15
Secretary of the Department may grant leave of absence to the
16
Data Standards Chair on the terms and conditions that the
17
Secretary determines.
18
56FP Application of the finance law etc.
19
(1) For the purposes of the finance law (within the meaning of the
20
Public Governance, Performance and Accountability Act 2013),
21
the Data Standards Chair is taken to be an official of the
22
Department.
23
Note:
A consequence of this subsection is that the Secretary of the
24
Department will be the accountable authority (within the meaning of
25
that Act) applicable to the Data Standards Chair.
26
(2) The Secretary of the Department, when preparing the Department's
27
annual report under section 46 of the Public Governance,
28
Performance and Accountability Act 2013 for a period, must
29
include information in that report about:
30
(a) the performance of the Data Standards Chair's functions; and
31
(b) the exercise of the Data Standards Chair's powers;
32
during the period.
33
Schedule 1 Consumer data right
Part 1 Main amendments
82
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(3) If at any time the Data Standards Chair is the Minister then:
1
(a) subsections (1) and (2) do not apply; and
2
(b) the Department's annual report under section 46 of that Act
3
for the period that includes that time must include
4
information about the performance of the Data Standards
5
Chair's functions, and the exercise of the Data Standards
6
Chair's powers, at that time.
7
56FQ Resignation
8
(1) The Data Standards Chair may resign the Data Standards Chair's
9
appointment by giving the Minister a written resignation.
10
(2) The resignation takes effect on the day it is received by the
11
Minister or, if a later day is specified in the resignation, on that
12
later day.
13
56FR Termination of appointment
14
(1) The Minister may terminate the appointment of the Data Standards
15
Chair:
16
(a) for misbehaviour; or
17
(b) if the Data Standards Chair is unable to perform the duties of
18
the Data Standards Chair's office because of physical or
19
mental incapacity.
20
(2) The Minister may terminate the appointment of the Data Standards
21
Chair if:
22
(a) the Data Standards Chair:
23
(i) becomes bankrupt; or
24
(ii) applies to take the benefit of any law for the relief of
25
bankrupt or insolvent debtors; or
26
(iii) compounds with the Data Standards Chair's creditors;
27
or
28
(iv) makes an assignment of the Data Standards Chair's
29
remuneration for the benefit of the Data Standards
30
Chair's creditors; or
31
(b) if the Data Standards Chair is appointed on a full-time
32
basis--the Data Standards Chair is absent, except on leave of
33
absence, for 14 consecutive days or for 28 days in any
34
12-month period; or
35
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
83
(c) the Data Standards Chair fails, without reasonable excuse, to
1
comply with section 29 of the Public Governance,
2
Performance and Accountability Act 2013 (which deals with
3
the duty to disclose interests) or rules made for the purposes
4
of that section.
5
56FS Delegation
6
(1) The Data Standards Chair may delegate, in writing, any or all of
7
the Chair's functions or powers to:
8
(a) an SES employee, or an acting SES employee, in the Data
9
Standards Body, in the Department or in the Commission; or
10
(b) an APS employee who is holding or performing the duties of
11
a specified office or position that:
12
(i) is in the Data Standards Body, in the Department or in
13
the Commission; and
14
(ii) is an office or position that the Chair is satisfied is
15
sufficiently senior for the APS employee to perform the
16
function or exercise the power; or
17
(c) if there are no APS employees (including SES employees) in
18
the Data Standards Body--a person:
19
(i) who holds an office or position in the Data Standards
20
Body that the Chair considers is sufficiently senior for
21
the person to perform the function; and
22
(ii) who the Chair considers has appropriate qualifications
23
or expertise to perform the function.
24
(2) Subsection (1) does not apply to the function referred to in
25
paragraph 56FH(1)(a) (about making standards).
26
Note:
This subsection does not prevent a person who is acting as the Data
27
Standards Chair from making a standard.
28
(3) In performing a delegated function or exercising a delegated
29
power, the delegate under subsection (1) must comply with any
30
directions of the Data Standards Chair.
31
Division 7--Other matters
32
56GA CDR functions of the Information Commissioner
33
(1) The Information Commissioner has the following functions:
34
Schedule 1 Consumer data right
Part 1 Main amendments
84
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(a) the functions conferred on the Information Commissioner by
1
another provision of this Part, or by an instrument made
2
under this Part;
3
(b) to consult with or advise the Minister, Commission or Data
4
Standards Chair about any matter relevant to the operation of
5
this Part (or the operation of instruments made under this
6
Part).
7
Note:
The Commission may also delegate to the Information Commissioner
8
any of the Commission's functions relating to this Part (see
9
subsection 26(3)).
10
(2) The functions referred to in subsection (1) may be performed by
11
the Information Commissioner on request or on the Information
12
Commissioner's own initiative.
13
56GB Referring to instruments as in force from time to time
14
(1) This section applies to the following instruments:
15
(a) designations under section 56AC (about designated sectors);
16
(b) regulations made for the purposes of a provision of this Part;
17
(c) the consumer data rules;
18
(d) data standards.
19
(2) An instrument to which this section applies may make provision in
20
relation to a matter by applying, adopting or incorporating (with or
21
without modification) any matter contained in any other instrument
22
or writing:
23
(a) as in force or existing at a particular time; or
24
(b) as in force or existing from time to time.
25
(3) Subsection (2) has effect despite subsection 14(2) of the
26
Legislation Act 2003.
27
56GC Complying with requirements to provide CDR data:
28
protection from liability
29
(1) If:
30
(a) a CDR participant, or designated gateway, for CDR data (the
31
CDR entity):
32
(i) provides the CDR data to another person; or
33
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
85
(ii) otherwise allows another person access to the CDR
1
data; and
2
(b) the CDR entity does so, in good faith, in compliance with:
3
(i) this Part; and
4
(ii) regulations made for the purposes of this Part; and
5
(iii) the consumer data rules;
6
the CDR entity is not liable to an action or other proceeding,
7
whether civil or criminal, for or in relation to the matter in
8
paragraph (a).
9
Note:
A defendant bears an evidential burden in relation to the matter in
10
subsection (1) for a criminal action or criminal proceeding (see
11
subsection 13.3(3) of the Criminal Code).
12
(2) A person who wishes to rely on subsection (1) in relation to a civil
13
action or civil proceeding bears an evidential burden in relation to
14
that matter.
15
(3) In this section:
16
evidential burden, in relation to a matter, means the burden of
17
adducing or pointing to evidence that suggests a reasonable
18
possibility that the matter exists or does not exist.
19
56GD Exemptions by the Commission
20
(1) The provisions covered by this section are:
21
(a) the following provisions:
22
(i) the provisions of this Part;
23
(ii) the provisions of regulations made for the purposes of
24
the provisions of this Part;
25
(iii) the provisions of the consumer data rules; and
26
(b) definitions in this Act, or in the regulations or consumer data
27
rules, as they apply to references in provisions referred to in
28
paragraph (a).
29
(2) The Commission may, by written notice given to a person, exempt
30
the person, in relation to particular CDR data or one or more
31
classes of CDR data, from all or specified provisions covered by
32
this section.
33
(3) An exemption under subsection (2):
34
Schedule 1 Consumer data right
Part 1 Main amendments
86
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(a) may or may not be limited to a specified period; and
1
(b) may apply unconditionally or subject to specified conditions.
2
(4) The Commission must publish on its website the details of each
3
exemption under subsection (2).
4
(5) Applications may be made to the Administrative Appeals Tribunal
5
for review of a decision of the Commission exempting, or refusing
6
to exempt, a person under subsection (2).
7
56GE Exemptions and modifications by regulations
8
(1) The provisions covered by this section are:
9
(a) the following provisions:
10
(i) the provisions of this Part;
11
(ii) the provisions of regulations made for the purposes of
12
the provisions of this Part;
13
(iii) the provisions of the consumer data rules; and
14
(b) definitions in this Act, or in the regulations or consumer data
15
rules, as they apply to references in provisions referred to in
16
paragraph (a).
17
(2) The regulations may:
18
(a) exempt a particular person, in relation to particular CDR data
19
or one or more classes of CDR data, from all or specified
20
provisions covered by this section; or
21
(b) exempt a class of persons, in relation to particular CDR data
22
or one or more classes of CDR data, from all or specified
23
provisions covered by this section; or
24
(c) declare that provisions covered by this section apply in
25
relation to:
26
(i) a particular person in relation to particular CDR data or
27
one or more classes of CDR data; or
28
(ii) a class of persons in relation to particular CDR data or
29
one or more classes of CDR data;
30
as if specified provisions were omitted, modified or varied as
31
specified in the declaration.
32
(3) An exemption under paragraph (2)(a) or (b), or a declaration under
33
paragraph (2)(c):
34
(a) may or may not be limited to a specified period; and
35
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
87
(b) may apply unconditionally or subject to specified conditions.
1
56GF Constitutional basis
2
Main constitutional basis
3
(1) The CDR provisions have the effect they would have if their
4
operation were expressly confined to CDR entities that are
5
corporations.
6
Note:
For the meaning of corporation, see subsection 4(1).
7
Other constitutional bases
8
(2) Independently of subsection (1), the CDR provisions also have
9
effect as provided by subsections (3), (4), (5) and (6).
10
(3) The CDR provisions also have the effect they would have if their
11
operation were expressly confined to CDR entities acting in the
12
course of, or in relation to, the carrying on of:
13
(a) a postal, telegraphic, telephonic or other like service (within
14
the meaning of paragraph 51(v) of the Constitution); or
15
(b) the business of banking, other than State banking (within the
16
meaning of paragraph 51(xiii) of the Constitution) not
17
extending beyond the limits of the State concerned; or
18
(c) the business of insurance, other than State insurance (within
19
the meaning of paragraph 51(xiv) of the Constitution) not
20
extending beyond the limits of the State concerned.
21
(4) The CDR provisions also have the effect they would have if their
22
operation were expressly confined to CDR entities:
23
(a) making a supply or communication; or
24
(b) conducting an activity or otherwise doing something;
25
using a postal, telegraphic, telephonic or other like service (within
26
the meaning of paragraph 51(v) of the Constitution).
27
(5) The CDR provisions also have the effect they would have if their
28
operation were expressly confined to CDR entities acting in the
29
course of, or in relation to, any of the following:
30
(a) trade or commerce between Australia and places outside
31
Australia;
32
(b) trade or commerce among the States;
33
Schedule 1 Consumer data right
Part 1 Main amendments
88
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(c) trade or commerce within a Territory, between a State or
1
Territory or between 2 Territories.
2
(6) The CDR provisions also have the effect they would have if their
3
operation were expressly confined to:
4
(a) protecting CDR entities against interference, or attacks, of
5
the kind described in paragraph 1 of Article 17 of the ICCPR;
6
or
7
(b) protecting against interference, or attacks, of the kind
8
described in paragraph 1 of Article 17 of the ICCPR by CDR
9
entities.
10
Related matters
11
(7) Section 6 (about the application of this Act to persons who are not
12
corporations) does not apply in relation to the CDR provisions.
13
(8) In this section:
14
CDR entity means any of the following:
15
(a) a data holder of CDR data;
16
(b) an accredited person;
17
(c) a designated gateway for CDR data.
18
ICCPR means the International Covenant on Civil and Political
19
Rights, done at New York on 16 December 1966, as amended and
20
in force for Australia from time to time.
21
Note:
The text of the International Covenant is set out in Australian Treaty
22
Series 1980 No. 23 ([1980] ATS 23). In 2019, the text of a Covenant
23
in the Australian Treaty Series was accessible through the Australian
24
Treaties Library on the AustLII website (www.austlii.edu.au).
25
56GG Compensation for acquisition of property
26
(1) This section applies if the operation of the CDR provisions would
27
result in an acquisition of property (within the meaning of
28
paragraph 51(xxxi) of the Constitution) from a person otherwise
29
than on just terms (within the meaning of that paragraph).
30
(2) The person who acquires the property is liable to pay a reasonable
31
amount of compensation to the first-mentioned person.
32
Consumer data right Schedule 1
Main amendments Part 1
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
89
(3) If the 2 persons do not agree on the amount of the compensation,
1
the person to whom compensation is payable may institute
2
proceedings in:
3
(a) the Federal Court; or
4
(b) the Supreme Court of a State or Territory;
5
for the recovery from the other person of such reasonable amount
6
of compensation as the Court determines.
7
56GH Review of the operation of this Part
8
(1) The Minister must cause an independent review to be conducted of
9
the operation of this Part.
10
(2) The persons who conduct the review must complete it, and give the
11
Minister a written report of the review, before 1 July 2022.
12
(3) The Minister must cause copies of the report to be tabled in each
13
House of the Parliament within 15 sitting days of that House after
14
the report is given to the Minister.
15
2 Transitional
--banking sector
16
Designating the banking sector
17
(1)
Subsections 56AD(2) and (3) and sections 56AE and 56AF of the
18
Competition and Consumer Act 2010 do not apply in relation to an
19
instrument under subsection 56AC(2) of that Act that:
20
(a) is to specify matters including:
21
(i) one or more authorised deposit-taking institutions
22
(within the meaning of the Banking Act 1959); or
23
(ii) one or more classes of authorised deposit-taking
24
institutions (within the meaning of the Banking Act
25
1959);
26
as holding one or more classes of information (or on whose
27
behalf such information is held); and
28
(b) is to be made before the later of:
29
(i) 1 July 2020; and
30
(ii) the end of the 3-month period starting on the day this
31
Part commences.
32
Schedule 1 Consumer data right
Part 1 Main amendments
90
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
Consumer data rules for the banking sector
1
(2)
Section 56BQ of the Competition and Consumer Act 2010 does not
2
apply in relation to consumer data rules to be made under
3
subsection 56BA(1) of that Act to the extent that those rules:
4
(a) relate to matters covered by an instrument under
5
subsection 56AC(2) of that Act that is to be made as
6
described in subitem (1); and
7
(b) are made before the later of:
8
(i) 1 July 2020; and
9
(ii) the end of the 3-month period starting on the day this
10
Part commences.
11
3 Transitional
--energy sector
12
(1)
Subsections 56AD(2) and (3) and sections 56AE and 56AF of the
13
Competition and Consumer Act 2010 do not apply in relation to an
14
instrument under subsection 56AC(2) of that Act that:
15
(a) is to specify matters including one or more of the following:
16
(i) one or more, or one or more classes of, Registered
17
participants (within the meaning of the National
18
Electricity Law);
19
(ii) the Australian Energy Regulator;
20
(iii) Australian Energy Market Operator Limited (ACN
21
072 010 327);
22
(iv) all or a part of the Department of State administered by
23
the Minister of Victoria administering the National
24
Electricity (Victoria) Act 2005 (Vic.);
25
as holding one or more classes of information (or on whose
26
behalf such information is held); and
27
(b) is to be made before the later of:
28
(i) 1 July 2020; and
29
(ii) the end of the 3-month period starting on the day this
30
Part commences.
31
(2)
In this item:
32
National Electricity Law means the National Electricity Law set out in
33
the Schedule to the National Electricity (South Australia) Act 1996
34
(SA).
35
Consumer data right Schedule 1
Other amendments Part 2
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
91
Part 2--Other amendments
1
Australian Information Commissioner Act 2010
2
4 Section 3
3
Insert:
4
consumer data right matters has the meaning given by
5
section 32A.
6
5 Section 4
7
After "the privacy functions, which are", insert "mainly".
8
6 Subsection 9(1)
9
Repeal the subsection, substitute:
10
(1) The privacy functions are functions conferred on the Information
11
Commissioner by an Act (or an instrument under an Act), if:
12
(a) the functions:
13
(i) relate to the privacy of an individual; and
14
(ii) are not freedom of information functions; or
15
(b) the functions are conferred by:
16
(i) Part IVD (about the consumer data right) of the
17
Competition and Consumer Act 2010; or
18
(ii) an instrument made under that Part; or
19
(iii) another Act because of that Part.
20
7 After paragraph 29(2)(a)
21
Insert:
22
(aa) for information covered by subsection (5)--the person
23
records, discloses or otherwise uses the information in the
24
course of any of the following:
25
(i) performing a function described in paragraph 9(1)(b), or
26
exercising a related power;
27
(ii) providing information to the Minister or the
28
Department;
29
Schedule 1 Consumer data right
Part 2 Other amendments
92
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(iii) providing information to the Minister administering
1
Part IVD of the Competition and Consumer Act 2010 or
2
the Department administered by that Minister;
3
(iv) providing information to the Australian Competition
4
and Consumer Commission or the Data Recipient
5
Accreditor (within the meaning of that Act); or
6
8 At the end of section 29
7
Add:
8
(5) This subsection covers information that:
9
(a) was acquired in the course of performing a function
10
described in paragraph 9(1)(b) (about the consumer data
11
right), or exercising a related power; or
12
(b) could be relevant to either of the following decisions:
13
(i) a decision under subsection 56CA(1) (about
14
accreditation for the consumer data right) of the
15
Competition and Consumer Act 2010;
16
(ii) a decision under the consumer data rules (within the
17
meaning of that Act) relating to a person's accreditation
18
under subsection 56CA(1) of that Act.
19
9 At the end of section 30
20
Add:
21
; and (c) the consumer data right matters (see section 32A).
22
10 After section 32
23
Insert:
24
32A Definition of the consumer data right matters
25
The consumer data right matters are a statement of the
26
performance of the functions conferred as described in
27
paragraph 9(1)(b).
28
Competition and Consumer Act 2010
29
11 Subsection 4(1)
30
Insert:
31
Consumer data right Schedule 1
Other amendments Part 2
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
93
accountable authority has the same meaning as in the Public
1
Governance, Performance and Accountability Act 2013.
2
Accreditation Registrar means:
3
(a) if a person holds an appointment under
4
subsection 56CK(1)--that person; or
5
(b) otherwise--the Commission.
6
accredited data recipient has the meaning given by section 56AK.
7
accredited person means a person who holds an accreditation
8
under subsection 56CA(1).
9
Australian law has the same meaning as in the Privacy Act 1988.
10
binding data standard has the meaning given by
11
subsection 56FA(3).
12
CDR consumer has the meaning given by subsection 56AI(3).
13
CDR data has the meaning given by subsection 56AI(1).
14
CDR participant has the meaning given by subsection 56AL(1).
15
CDR provisions has the meaning given by section 56AN.
16
chargeable CDR data has the meaning given by
17
subsection 56AM(1).
18
chargeable circumstances:
19
(a) in relation to the disclosure of chargeable CDR data--has the
20
meaning given by subsection 56AM(2); or
21
(b) in relation to the use of chargeable CDR data--has the
22
meaning given by subsection 56AM(3).
23
civil penalty provision of the consumer data rules means a
24
provision of the consumer data rules that is a civil penalty
25
provision (within the meaning of the Regulatory Powers Act).
26
collects: a person collects information only if the person collects
27
the information for inclusion in:
28
(a) a record (within the meaning of the Privacy Act 1988); or
29
(b) a generally available publication (within the meaning of that
30
Act).
31
Schedule 1 Consumer data right
Part 2 Other amendments
94
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
consumer data rules means rules in force under section 56BA.
1
court/tribunal order has the same meaning as in the Privacy Act
2
1988.
3
data holder has the meaning given by subsection 56AJ(1).
4
Data Recipient Accreditor means:
5
(a) if a person holds an appointment under
6
subsection 56CG(1)--that person; or
7
(b) otherwise--the Commission.
8
data standard means a data standard made under section 56FA.
9
Data Standards Body means the body holding an appointment
10
under subsection 56FJ(1).
11
Data Standards Chair means:
12
(a) if a person holds an appointment under section 56FG--that
13
person; or
14
(b) otherwise--the Minister.
15
designated gateway has the meaning given by subsection 56AL(2).
16
designated sector has the meaning given by subsection 56AC(1).
17
directly or indirectly derived has the meaning given by
18
subsection 56AI(2).
19
earliest holding day has the meaning given by
20
paragraph 56AC(2)(c).
21
fee-free CDR data has the meaning given by subsection 56AM(4).
22
holds: a person holds information if the person has possession or
23
control of a record (within the meaning of the Privacy Act 1988)
24
that contains the information.
25
personal information has the same meaning as in the Privacy Act
26
1988.
27
privacy safeguard penalty provision has the meaning given by
28
subsection 56EU(1).
29
Consumer data right Schedule 1
Other amendments Part 2
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
95
privacy safeguards means the provisions in Subdivisions B to F of
1
Division 5 of Part IVD (about the consumer data right).
2
Regulatory Powers Act means the Regulatory Powers (Standard
3
Provisions) Act 2014.
4
12 Subsection 8A(4)
5
After "under this Act", insert ", or the consumer data rules,".
6
13 Subsections 19(1) and (7)
7
After "this Act", insert ", or the consumer data rules,".
8
14 Subsection 25(1)
9
After "152ELA),", insert "the consumer data rules,".
10
15 Before subsection 26(1)
11
Insert:
12
Delegation to staff members of ASIC
13
16 At the end of section 26
14
Add:
15
Delegations relating to Part IVD or the consumer data rules
16
(3) The Commission may, by resolution and in accordance with
17
subsection (5), delegate any of its functions and powers under:
18
(a) Part VI; or
19
(b) Division 5 of Part XI; or
20
(c) section 155;
21
to the extent that the functions or powers relate to Part IVD or the
22
consumer data rules.
23
Note:
Division 5 of Part XI relates to the consumer data rules in the way
24
described in section 56BM.
25
(4) A member of the Commission may, by writing and in accordance
26
with subsection (5), delegate any of the member's functions and
27
powers under section 155 to the extent that the functions or powers
28
relate to Part IVD or the consumer data rules.
29
Schedule 1 Consumer data right
Part 2 Other amendments
96
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(5) A delegation under subsection (3) or (4) of a function or power
1
may be:
2
(a) to the Information Commissioner; or
3
(b) to a member of the staff of the Office of the Australian
4
Information Commissioner referred to in section 23 of the
5
Australian Information Commissioner Act 2010;
6
if:
7
(c) the Information Commissioner agrees to the delegation in
8
writing; and
9
(d) in the case of a delegation to a staff member referred to in
10
paragraph (b)--the Information Commissioner is satisfied
11
that the staff member:
12
(i) is an SES employee or acting SES employee; or
13
(ii) is holding or performing the duties of a sufficiently
14
senior office or position for the function or power.
15
17 Subsection 75B(1)
16
Omit "section 55B, 60C, 60K or 92", substitute "section 55B,
17
subsection 56BN(1), 56BO(1), 56BU(1) or 56CC(1), section 56CD,
18
60C, 60K or 92 or a civil penalty provision of the consumer data rules".
19
18 After subparagraph 76(1)(a)(ia)
20
Insert:
21
(ib) subsection 56BO(1) or 56BU(1), section 56CD or a
22
civil penalty provision of the consumer data rules;
23
19 Paragraph 76(1A)(b)
24
After "Part IV", insert ", or that relates to subsection 56BO(1) or
25
56BU(1), section 56CD or a civil penalty provision of the consumer
26
data rules not covered by paragraph (cb) of this subsection".
27
20 After paragraph 76(1A)(ca)
28
Insert:
29
(cb) for each act or omission to which this section applies that
30
relates to a civil penalty provision of the consumer data rules
31
that sets out at its foot a pecuniary penalty for a body
32
corporate indicated by the words "Civil penalty"--the
33
amount of that pecuniary penalty; and
34
Consumer data right Schedule 1
Other amendments Part 2
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
97
21 After paragraph 76(1B)(aa)
1
Insert:
2
(ab) for each act or omission to which this section applies that
3
relates to subsection 56BO(1) or 56BU(1), section 56CD or a
4
civil penalty provision of the consumer data rules not covered
5
by paragraph (aab) of this subsection--$500,000; and
6
22 After paragraph 76(1B)(aaa)
7
Insert:
8
(aab) for each act or omission to which this section applies that
9
relates to a civil penalty provision of the consumer data rules
10
that sets out at its foot a pecuniary penalty for a person other
11
than a body corporate indicated by the words "Civil
12
penalty"--the amount of that pecuniary penalty; and
13
23 Section 76B (heading)
14
Repeal the heading, substitute:
15
76B Consequences in some cases if substantially the same conduct
16
contravenes a provision of this Act and is an offence
17
24 Subsections 76B(2), (3) and (4)
18
Omit "or section 92", substitute ", subsection 56BO(1) or section 56CD
19
or 92".
20
25 Paragraph 76B(5)(a)
21
Omit "or section 92", substitute ", subsection 56BO(1) or section 56CD
22
or 92".
23
26 Subparagraph 79A(1)(a)(i)
24
Omit ", 45AG, 154Q or 155", substitute "or 45AG, subsection 56BN(1)
25
or 56CC(1) or section 154Q or 155".
26
27 Subparagraph 79B(a)(ii)
27
After "45AG", insert "or subsection 56BN(1) or 56CC(1)".
28
28 Paragraph 79B(a)
29
After "this Act", insert "or the consumer data rules".
30
Schedule 1 Consumer data right
Part 2 Other amendments
98
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
29 After subparagraph 80(1)(a)(iia)
1
Insert:
2
(iib) subsection 56BN(1), 56BO(1), 56BU(1) or 56CC(1),
3
section 56CD or a civil penalty provision of the
4
consumer data rules;
5
30 Paragraphs 80(9)(a) and (b)
6
After "45AG", insert "or subsection 56BN(1) or 56CC(1)".
7
31 Subsection 82(1)
8
Repeal the subsection, substitute:
9
(1) A person who suffers loss or damage by conduct of another person
10
that was done in contravention of:
11
(a) a provision of Part IV or IVB; or
12
(b) section 55B, 60C or 60K; or
13
(c) subsection 56BN(1), 56BO(1), 56BU(1) or 56CC(1) or
14
section 56CD; or
15
(d) a civil penalty provision of the consumer data rules;
16
may recover the amount of the loss or damage by action against
17
that other person or against any person involved in the
18
contravention.
19
Note:
Any legal proceeding in progress under subsection 82(1) of the Competition and
20
Consumer Act 2010 when that subsection is so repealed will continue as if the repeal
21
had not happened (see subsection 7(2) of the Acts Interpretation Act 1901).
22
32 Subparagraph 83(1)(a)(ii)
23
After "45AG", insert "or subsection 56BN(1) or 56CC(1)".
24
33 Paragraph 83(1)(b)
25
Repeal the paragraph, substitute:
26
(b) in which that person has been found to have contravened, or
27
to have been involved in a contravention of:
28
(i) a provision of Part IV or IVB; or
29
(ii) section 55B, 60C or 60K; or
30
(iii) subsection 56BO(1) or 56BU(1), section 56CD or a
31
civil penalty provision of the consumer data rules.
32
Consumer data right Schedule 1
Other amendments Part 2
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
99
34 Paragraph 84(1)(a)
1
After "45AG", insert "or subsection 56BN(1) or 56CC(1)".
2
35 Paragraph 84(1)(b)
3
Omit "or Part V", substitute ", Part V, subsection 56BN(1), 56BO(1),
4
56BU(1) or 56CC(1), section 56CD or a civil penalty provision of the
5
consumer data rules".
6
36 Subsection 84(2)
7
After "this Act", insert "and the consumer data rules".
8
37 Paragraph 84(3)(a)
9
After "45AG", insert "or subsection 56BN(1) or 56CC(1)".
10
38 Paragraph 84(3)(b)
11
Omit "or Part V", substitute ", Part V, subsection 56BN(1), 56BO(1),
12
56BU(1) or 56CC(1), section 56CD or a civil penalty provision of the
13
consumer data rules".
14
39 Subsection 84(4)
15
After "this Act", insert "and the consumer data rules".
16
40 Subsection 86(1)
17
After "this Act", insert "or the consumer data rules".
18
41 Subsections 86(1A) and (2)
19
Omit "or section 55B", substitute ", section 55B, subsection 56BO(1) or
20
56BU(1), section 56CD or a civil penalty provision of the consumer
21
data rules".
22
42 Paragraph 86A(1)(b)
23
Omit "or section 55B", substitute ", section 55B, subsection 56BO(1) or
24
56BU(1), section 56CD or a civil penalty provision of the consumer
25
data rules".
26
43 Subsection 86C(4) (paragraph (a) of the definition of
27
contravening conduct)
28
Repeal the paragraph, substitute:
29
Schedule 1 Consumer data right
Part 2 Other amendments
100
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
(a) contravenes Part IV or IVB, section 55B,
1
subsection 56BN(1), 56BO(1), 56BU(1) or 56CC(1),
2
section 56CD, section 60C, 60K or 92 or a civil penalty
3
provision of the consumer data rules; or
4
44 Paragraph 86D(1)(b)
5
After "or 45AG", insert "or subsection 56BN(1) or 56CC(1)".
6
45 Subsection 86D(1A)
7
After "or 45AG", insert "or subsection 56BN(1) or 56CC(1)".
8
46 Paragraph 86E(1)(a)
9
After "Part IV", insert ", subsection 56BN(1), 56BO(1), 56BU(1) or
10
56CC(1), section 56CD or a civil penalty provision of the consumer
11
data rules".
12
47 Paragraph 86E(1A)(a)
13
After "45AG", insert "or subsection 56BN(1) or 56CC(1)".
14
48 Subsection 86F(1)
15
After "this Act", insert "or the consumer data rules".
16
49 Subsection 86F(3)
17
After "this Act", insert "or the consumer data rules".
18
50 Subsection 87(1)
19
After "offence against section 45AF or 45AG", insert "or
20
subsection 56BN(1) or 56CC(1)".
21
51 Subsection 87(1)
22
Omit "section 55B, 60C or 60K", substitute "section 55B,
23
subsection 56BO(1) or 56BU(1), section 56CD, 60C or 60K or a civil
24
penalty provision of the consumer data rules".
25
52 Paragraphs 87(1A)(a) and (b)
26
Omit "or section 60C or 60K", substitute ", subsection 56BN(1),
27
56BO(1), 56BU(1) or 56CC(1), section 56CD, 60C or 60K or a civil
28
penalty provision of the consumer data rules".
29
Consumer data right Schedule 1
Other amendments Part 2
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
101
53 Paragraph 87(1A)(baa)
1
After "section 55B", insert ", subsection 56BN(1), 56BO(1), 56BU(1)
2
or 56CC(1), section 56CD or a civil penalty provision of the consumer
3
data rules".
4
54 Paragraph 87(1A)(ba)
5
After "45AG", insert "or subsection 56BN(1) or 56CC(1)".
6
55 Paragraph 87(1B)(a)
7
Omit "Part IV (other than section 45D or 45E), Division 2 of Part IVB
8
or section 60C or 60K", substitute "a provision referred to in that
9
paragraph".
10
56 Subsection 87(1BAA)
11
Omit "(1A)(b)", substitute "(1A)(baa)".
12
57 Subsection 87(1BAA)
13
Omit "section 55B", substitute "a provision referred to in that
14
paragraph".
15
58 Paragraph 87(1BA)(a)
16
Omit "section 45AF or 45AG", substitute "a provision referred to in
17
that paragraph".
18
59 Subsection 87(1C)
19
Omit "or section 60C or 60K", substitute ", subsection 56BN(1),
20
56BO(1), 56BU(1) or 56CC(1), section 56CD, 60C or 60K or a civil
21
penalty provision of the consumer data rules".
22
60 Subsection 87B(1)
23
After "this Act (other than Part X)", insert "or the consumer data rules".
24
61 Section 154
25
After "contravention of this Act", insert "or the consumer data rules".
26
62 Section 154A (paragraph (a) of the definition of evidential
27
material)
28
After "contravention of this Act", insert "or the consumer data rules".
29
Schedule 1 Consumer data right
Part 2 Other amendments
102
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
63 Paragraph 154V(2)(a)
1
After "contravention of this Act", insert "or the consumer data rules".
2
64 At the end of paragraph 155(2)(a)
3
Add:
4
(iv) the consumer data rules; or
5
65 After subparagraph 155(2)(b)(i)
6
Insert:
7
(ia) a designated consumer data right matter (as defined by
8
subsection (9AA) of this section); or
9
66 After subsection 155(9)
10
Insert:
11
(9AA) A reference in this section to a designated consumer data right
12
matter is a reference to the performance of a function, or the
13
exercise of a power, conferred on the Commission by or under:
14
(a) Part IVD (other than Division 5); or
15
(b) regulations made under this Act for the purposes of that Part;
16
or
17
(c) the consumer data rules.
18
67 Subsection 155AAA(21) (paragraph (a) of the definition of
19
core statutory provision)
20
After "IV,", insert "IVD (other than Division 5),".
21
68 Subsection 155AAA(21) (paragraph (a) of the definition of
22
core statutory provision)
23
Before "; or", insert "or of the consumer data rules".
24
69 Section 157A (heading)
25
Repeal the heading, substitute:
26
157A Disclosure of energy-related information by Commission
27
70 After section 157A
28
Insert:
29
Consumer data right Schedule 1
Other amendments Part 2
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
103
157AA Disclosure of CDR-related information by Commission
1
Disclosure to the Information Commissioner
2
(1) The Commission or a Commission official may disclose to:
3
(a) the Information Commissioner; or
4
(b) any staff or consultant assisting the Information
5
Commissioner in performing that Commissioner's functions,
6
or exercising that Commissioner's powers, relating to
7
Part IVD or the consumer data rules;
8
any information that the Commission obtains under this Act, or the
9
consumer data rules, that is relevant or likely to be relevant to the
10
functions or powers referred to in paragraph (b).
11
Note:
The Privacy Act 1988 also contains provisions relevant to the use and
12
disclosure of information.
13
(2) The Information Commissioner or a person mentioned in
14
paragraph (1)(b) must only use the information:
15
(a) for a purpose connected with the performance of the
16
functions, or the exercise of the powers, referred to in
17
paragraph (1)(b); and
18
(b) in accordance with any conditions imposed under
19
subsection (4).
20
Disclosure to a foreign agency
21
(3) The Commission or a Commission official may disclose to:
22
(a) an agency having the function in a foreign country of
23
supervising or regulating the disclosure of similar
24
information to that covered by an instrument designating a
25
sector under subsection 56AC(2); or
26
(b) an agency, that is prescribed by the regulations, of a foreign
27
country;
28
any information that the Commission obtains:
29
(c) under this Act in relation to Part IVD or the consumer data
30
rules; or
31
(d) under the consumer data rules.
32
Schedule 1 Consumer data right
Part 2 Other amendments
104
Treasury Laws Amendment (Consumer Data Right) Bill 2019
No. , 2019
Conditions
1
(4) The Commission or a Commission official may impose conditions
2
to be complied with in relation to information disclosed under
3
subsection (1) or (3).
4
Definitions
5
(5) In this section:
6
Commission official means:
7
(a) a member, or associate member, of the Commission; or
8
(b) a person referred to in subsection 27(1); or
9
(c) a person engaged under section 27A.
10
foreign country includes a region where:
11
(a) the region is a colony, territory or protectorate of a foreign
12
country; or
13
(b) the region is part of a foreign country; or
14
(c) the region is under the protection of a foreign country; or
15
(d) a foreign country exercises jurisdiction or control over the
16
region; or
17
(e) a foreign country is responsible for the region's international
18
relations.
19
71 Paragraph 163(2)(a)
20
After "45AG", insert "or subsection 56BN(1) or 56CC(1)".
21
72 Subsection 163A(1)
22
After "this Act" (wherever occurring), insert "or the consumer data
23
rules".
24
73 Subsection 163A(3)
25
After "this Act", insert "or the consumer data rules".
26
74 Paragraph 163A(4)(a)
27
After "this Act", insert "or the consumer data rules".
28
75 Subsection 163A(4B)
29
After "45AG", insert "or subsection 56BN(1) or 56CC(1)".
30
Consumer data right Schedule 1
Other amendments Part 2
No. , 2019
Treasury Laws Amendment (Consumer Data Right) Bill 2019
105
76 Paragraph 163A(4C)(a)
1
After "45AG", insert "or subsection 56BN(1) or 56CC(1)".
2
77 Subsection 163A(4D)
3
After "45AG", insert "or subsection 56BN(1) or 56CC(1)".
4
Privacy Act 1988
5
78 Subsection 6(1)
6
Insert:
7
consumer data rules has the same meaning as in the Competition
8
and Consumer Act 2010.
9
79 After subsection 6E(1C)
10
Insert:
11
Small business operator that is accredited for the consumer data
12
right regime
13
(1D) If a small business operator holds an accreditation under
14
subsection 56CA(1) of the Competition and Consumer Act 2010,
15
this Act applies, with the prescribed modifications (if any), in
16
relation to information that:
17
(a) is personal information; but
18
(b) is not CDR data (within the meaning of that Act);
19
as if the small business operator were an organisation.
20
Note:
The regulations may prescribe different modifications of the Act for
21
different small business operators. See subsection 33(3A) of the Acts
22
Interpretation Act 1901.
23
80 Paragraphs 20E(2)(b) and (3)(e)
24
After "Australian law", insert "(other than the consumer data rules)".
25
81 Paragraphs 21G(2)(d) and (3)(f)
26
After "Australian law", insert "(other than the consumer data rules)".
27
82 Paragraphs 22E(2)(b) and (3)(b)
28
After "Australian law", insert "(other than the consumer data rules)".
29