Privacy Foundation says privacy 'severely' underestimated in rushing through CDR

The Consumer Data Right is being rushed through too quickly and without adequate privacy protections, the Australian Privacy Foundation has said.
Written by Asha Barbaschow, Contributor

The Australian Privacy Foundation (APF) believes the privacy safeguards currently in place for the impending Consumer Data Right (CDR) are not sufficient, and that the government has "severely" underestimated the need for more thought across the entire legislative change.

"We consider the framework as it currently stands unnecessarily exposes people to harm because the fundamental privacy safeguards are not in place and risks have been severely underestimated by the government," the APF wrote in its submission [PDF] in response to the Treasury Laws Amendment (Consumer Data Right) Bill 2019.

The APF suggested that such issues could be rectified through conducting, and then implementing recommendations, from a "rigorous and independent" external privacy impact assessment.

"This is a first necessary step and as new risks become apparent there needs to be a process to ensure those risks are managed. If the legislation is enacted without this process, Australians are left at a higher risk of harm," the submission continued.

"This inquiry is only considering the legislation and not the Rules. We argue this is a mistake. Both the Rules and the CDR Bill need to be read together and considered by Parliament to ensure the package works as a whole."

The CDR will allow individuals to "own" their data by granting them open access to their banking, energy, phone, and internet transactions, as well as the right to control who can have it and who can use it.

Australia's major banks will be forced to make banking data available from July 1, under an Open Banking regime.

See also: NAB keeps its cool over Open Banking implementation | Westpac predicts Open Banking to cost AU$200m to implement | BT Security concerned open banking presents a 'conundrum' for mitigating risk

The APF believes the CDR has been rushed through, having flagged the eight days it was given to prepare a submission as being inadequate, especially when considering the severity of the consequences.

"We remain concerned that the move to introduce CDR is simply too fast. The consultations and the sheer amount of information to look at has meant that the consultation process is not working effectively," it wrote.

"It is unclear why there is a rush. The equivalent system in the United Kingdom has had a very slow take up and has not delivered any competition or financial revolution to date.

"The introduction of the CDR Bill into Parliament is yet another rushed process."

Of concern to the APF is that the Australian system has much fewer privacy protections surrounding the collection, use, and sharing of consumer data in place compared to its UK counterpart.

As a result, the APF has asked the government to benchmark -- or exceed -- the privacy protections that exist within the General Data Protection Regulation (GDPR); consider the Human Rights Act; and "adequately" fund a tough privacy regulator, labelling the Office of the Australian Information Commissioner (OAIC) as being "severely under resourced" and "not very active" when it comes to regulation.

"The culture of the OAIC seems to be 'soft' and it has sent a clear signal to industry that there is very little chance they will ever be fined or sanctioned over data breaches," the APF wrote.

Read more: OAIC under fire for long review wait times following Notifiable Data Breaches scheme

Additionally, the APF wants the government to consider the findings tabled from the Banking Royal Commission -- specifically, how enforceable undertakings do not seem to stop "poor behaviour" from finance players.

Where access to justice is concerned, the APF said that while the CDR Bill does contain a section on accrediting External Dispute Resolution Schemes (EDR), there is no section that contains clear rights for consumers to access orders and compensation in EDR, through the OAIC, and in court.

"In summary, the current process for raising a dispute about a privacy breach with the OAIC is inadequate. The OAIC makes very few decisions, awards very little compensation, has a short time limit of 12 months, and discontinues investigation of the majority of complaints made. All of these problems must be rectified," it wrote.

The protections inside the CDR, according to the APF, are not strong enough to stop the practice of consumers being forced to sign consent forms. In the social media age, the APF said consumers are used to doing this, and may unknowingly hand their data over to additional parties.


Australian consumer energy data to be open in early 2020

The ACCC is currently unsure, however, as to what energy-related information will be available under Australia's new data-sharing directive.

ACCC unsure how consumers will receive their data under impending mandate

The Consumer Data Right will initially apply explicitly to Australia's big four banks from July 1.

Researchers label Australian data-sharing legislation a 'significant misalignment'

The proposed legislation has been called out for prioritising the perceived greater good instead of respecting minimal rights of the individual.

Australia's open data approach lands in a security and privacy minefield (TechRepublic)

Australia is charging headlong into a privacy disaster as government open data initiatives come online without considering how to properly implement privacy safeguards and data anonymity.

Editorial standards