The Office of the Australian Information Commissioner (‘OAIC’) released, on 24 February 2020, the Consumer Data Right (‘CDR’) privacy safeguard guidelines (‘the Guidelines’). In particular, the Guidelines aim to assist businesses participating in the CDR system with understanding their privacy obligations by outlining mandatory CDR requirements and the OAIC’s interpretation of the privacy safeguards and the CDR rules, as well as providing examples and good practice guidance. The OAIC noted that the CDR will be implemented in the banking sector from July 2020 and will then be extended to other sectors of the economy, starting with energy and telecommunications.

Best practices and key takeaways

The Guidelines consist of several best practice recommendations. For example, the OAIC recommends that accredited data recipients (‘ADRs’) consider conducting a security risk assessment before establishing a formal governance framework, and that they foster a security- and privacy-aware culture that values and protects [personal information], which supports the integration of privacy practices, procedures and systems for oversight and accountability into broader organisational frameworks. Angela Flannery, Partner at Holding Redlich, told OneTrust DataGuidance, “There was extensive public consultation, including with industry stakeholders and the Australian Competition and Consumer Commission (‘ACCC’), in relation to the draft Guidelines, so it is likely there is nothing in the Guidelines that will be a surprise for businesses.”

In particular, the OAIC outlines that entities should take a holistic Privacy by Design approach when handling CDR data across and within their organisation, and that entities who implement the requirements of the privacy safeguards and the CDR rules in isolation risk incurring unnecessary costs and/or implementing inadequate solutions that fail to address the full compliance picture. Flannery further commented, “Businesses should bear in mind that the regulatory framework for CDR is complex. In addition to taking the Guidelines into consideration, businesses must comply with the ACCC’s CDR Rules and the technical standards for transmitting consumer data, as released by Data61, which performs the role of the under the CDR.”

Privacy safeguards vs the Privacy Act

The Guidelines outline how each of the privacy safeguards interacts with the Australian Privacy Principles (‘APPs’) in the Privacy Act 1988 (No. 119, 1988) (as amended) (‘the Privacy Act’), particularly as some APPs and privacy safeguards apply concurrently to ensure that there are no gaps in the protection of data. To work out when the privacy safeguards apply, an entity needs to consider whether it is acting in the capacity of a data holder, an accredited person/ADR, or a designated gateway. Flannery highlighted that, “The CDR provides a new policy framework for thinking about personal information and privacy. The policy intent behind the Privacy Act reflects the right to privacy as a human right. The Privacy Act is therefore intended to empower individuals to protect their privacy and to limit who may access and deal with their personal information. This is in stark contrast to the CDR, which is intended to allow individuals to, in effect, ‘commercialise’ their personal information. For example, if an individual agrees to provide their banking data to another bank or a FinTech, that individual will receive (at least in theory) a direct benefit from providing that data […] The CDR is really the first recognition from an Australian regulatory perspective that personal information has a value.”

Regulatory cooperation

Flannery noted that the OAIC and the ACCC have “clear-cut responsibilities in relation to the CDR […] The ACCC is the lead regulator with the bulk of responsibilities in relation to the development of the CDR Rules, accreditation, and making recommendations to the Government on future CDR roll-out.” The Guidelines highlight that the OAIC has a range of enforcement powers, as well as powers to investigate possible breaches of the privacy safeguards, either following a complaint by a consumer who is an individual or a small business, or on its own initiative. However, the ACCC will also have a strategic enforcement role where there are repeated or serious breaches. Flannery stated, “Ultimately, regulatory issues may arise under the CDR for which the OAIC and the ACCC both have responsibility; each of the regulators has publicly committed to working closely to ensure there is no inconsistency in approaches.”

What’s next for privacy in Australia?

Flannery commented, “Notwithstanding that the CDR roll-out is only in its infancy, in January 2020, the Australian Treasurer announced a new review of the CDR to determine how the CDR can further support innovation and competition. It seems very likely that the recommendations from that review will result in enhancements to the regime. For example, one of the tasks of that review is to look at how CDR may be used to overcome behavioural and regulatory barriers to allow consumers to switch between products and providers. Although undertaking such a further review in 2020 may be considered to be premature, it indicates the importance the Government places on the CDR and the benefits it may bring to Australians and the Australian economy. Even businesses in sectors which are outside those targeted for CDR in the short-term should already be considering how they may benefit (and help their customers benefit) from the CDR.”

Finally, with regard to the wider impact of the CDR regime on the privacy regulatory environment in Australia, Flannery noted that it would “no doubt have longer-term ramifications.” She added, “In responding to the recommendations of the ACCC’s Digital Platforms Inquiry, the Government agreed to conduct a review over 2020/21 of the Privacy Act and related laws to consider whether broader reform of the Australian privacy framework is necessary in the medium to long term to It is likely that this review will be influenced by the CDR policy thinking.”

