This article was written by Bryony Evans and James McGrath.
With the start of Open Banking, the first part of the Consumer Data Right (“CDR”), fast approaching from February 2020, it is time for businesses who will participate in the new regime to think about how they will comply with their privacy safeguard obligations under the CDR.
The privacy safeguards set out the standards, rights and obligations to protect the privacy and confidentiality of data handled through the new CDR regime.
The CDR privacy safeguards impose obligations on businesses that differ from those which apply under Australian privacy laws. Just because a business has processes in place to comply with its obligations under Australian privacy laws does not mean that the business will be compliant with the CDR privacy safeguards. Businesses who will participate in the CDR regime need to start thinking about how they might implement the CDR privacy safeguards.
To help businesses to understand the CDR privacy safeguards and how they apply alongside the Australian Privacy Act, the Office of the Australian Information Commissioner (“OAIC”) has now released for consultation draft guidelines on the application of the privacy safeguards (“Draft Guidelines”).
In this alert we answer:
- what are the privacy safeguards and who do they apply to?
- what are the Draft Guidelines?
- what questions should you be asking?
What are the privacy safeguards?
The privacy safeguards are made up of 13 principles which set out standards, rights and obligations on the collection, use, disclosure and correction of CDR data. CDR data can relate to individuals or to organisations. The privacy safeguards were inserted into Division 5 of Part IVD of the Competition and Consumer Act 2010 (Cth) when the CDR regime came into force on 12 August 2019.
The privacy safeguards apply differently depending on the participant in the CDR regime - they mainly apply to accredited data recipients, but also to data holders and designated gateways, in relation to their handling of the CDR data.
The privacy safeguards cover similar areas as the Australian Privacy Principles (“APPs”) do for personal information under the Privacy Act 1988 (Cth) (“Privacy Act”) but apply differently and in some cases introduce broader protections in relation to CDR data.
Generally, the privacy safeguards apply to an entity’s handling of CDR data instead of the Privacy Act and APPs (but each privacy safeguard should be considered on a case-by-case basis).
This means that the interaction between the APPs and the privacy safeguards will need to be considered by any business participating in the CDR regime.
What are the Draft Guidelines?
The Draft Guidelines are intended to enable CDR participants to avoid acts or practices that may breach the privacy safeguards. They set out:
- the OAIC’s interpretation of the privacy safeguards and the ACCC’s proposed Competition and Consumer (Consumer Data Right) Rules 2019 (CDR Rules) published on 2 September;
- commentary on good privacy practice for minimum compliance with the privacy safeguards; and
- examples that explain how the privacy safeguards and CDR Rules may apply.
For each privacy safeguard, the Draft Guidelines provide details such as the types of entities to which it applies, how it interacts with the Privacy Act and APPs, how the privacy safeguard could be implemented, exceptions to compliance and how the privacy safeguards interact with each other.
The Draft Guidelines were released by the OAIC on 16 October 2019 as part of a broader consultation process. The closing date for comments is Wednesday 20 November 2019. See the OAIC website for further information in relation to making a submission and contact us for further information.
When finalised, the Draft Guidelines will not be legally binding.
What questions should you be asking?
Although the CDR Rules and Draft Guidelines are not yet finalised, the CDR is now part of Australian law. With the start date for the first part of the CDR fast approaching, businesses should be thinking about how they can engage with customers differently and what they need to do to use and disclose customer data in a way that complies with their obligations under the CDR privacy safeguards.
As you are preparing your business for the disclosure of CDR data, you should be asking:
- is your business subject to the CDR privacy safeguards? If so, which ones?
- what types of CDR data will your business receive or hold?
- do you understand your CDR privacy safeguard obligations for the CDR data you hold (or will hold)?
- how will your data processes and policies need to change to comply with the CDR privacy safeguards? Where are the gaps?
- if you will be accredited to receive data under the CDR regime, how will you demonstrate that you are only requesting and receiving the customer data you need under CDR to provide your goods and services to your customers?
KWM is dedicated to helping our clients navigate this emerging area of law. As the start date for disclosure of CDR data draws closer, we will be producing a series of articles exploring the issues it raises, including discussion of several hypothetical business scenarios. Please get in touch if you have any questions you would like us to consider.