The Senate Economics Legislation Committee was charged with probing the contents of the guidelines wrapped around Australia's new Consumer Data Right (CDR).
After hearing concerns over the adequacy of the privacy safeguards the CDR will contain, the rushed nature of the Bill, the distinct banking focus the Bill will have, and whether the outcome of the CDR will serve organisations more than it will consumers, the committee recommended that the Treasury Laws Amendment (Consumer Data Right) Bill 2019 [Provisions] be passed.
In its report [PDF], the committee said following its investigation it notes the general support for the introduction of the CDR.
"At the very least, it will improve on current arrangements; and it has the potential to protect and empower consumers and drive competition and innovation," it wrote. "The committee particularly welcomes the endorsement of the bill from innovative high technology companies."
In justifying its reason for making the sole recommendation for the Bill be passed, the committee said provisions such as the rules-making facility under the Bill will offer the possibility to address problems as they arise.
The Australian Privacy Foundation (APF) believes the privacy safeguards within the Bill are not sufficient and said in a submission to the committee that the government has "severely" underestimated the need for more thought across the entire legislative change.
"We consider the framework as it currently stands unnecessarily exposes people to harm because the fundamental privacy safeguards are not in place and risks have been severely underestimated by the government," APF wrote.
"This inquiry is only considering the legislation and not the Rules. We argue this is a mistake. Both the Rules and the CDR Bill need to be read together and considered by Parliament to ensure the package works as a whole."
In response, the committee said the CDR is actually an enhanced privacy regime.
"The committee notes the concerns about the privacy arrangements in the Bill. However, it also notes the views of the Australian Privacy Commissioner and the Interim Chair of the Data Standards Body that the Bill at the very least is an expansion of current protections," it said.
The CDR will allow individuals to "own" their data by granting them open access to their banking, energy, phone, and internet transactions, as well as the right to control who can have it and who can use it.
Open Banking: NAB keeps its cool over Open Banking implementation | Westpac predicts Open Banking to cost AU$200m to implement | BT Security concerned open banking presents a 'conundrum' for mitigating risk
As banking is the first sector to which the CDR will apply, organisations such as the Telecommunications Alliance and the Telecommunications Industry Ombudsman are concerned the Bill will not be overly applicable to industries other than banking and that the rushed through process will result in a disjointed framework that is not well thought out.
"If the process to develop an Open Banking regime (as the first sector to adopt the CDR) is already rushed and raises a large number of concerns with stakeholders, as evidenced in numerous submissions, it appears almost impossible to ensure that the legislation and associated rules are appropriately considered for other sectors of the economy which follow later in the process," Comms Alliance wrote.
"This bears the very real risk that those later sectors will be forced to operate within a legislative and regulatory framework that has a distinct 'banking flavour' but lacks sufficient consideration of the particularities of other industry verticals."
The committee, however, trusts that the guidelines will be tailored to suit industries outside of banking as they are brought onto the CDR.
"It welcomes the assurances of the ACCC and the interim chair of the Data Standards Body that data standards and other requirements will be tailored to fit specific industries and data types," it wrote.
It also said it was comfortable with the degree of Ministerial discretion allowed by the Bill, and that it "welcomes the flexibility provided by the general structure of the arrangements".
The Australian government department responsible for the Consumer Data Right says there is sufficient consideration given to privacy and that the legislation isn't being rushed through.
The Consumer Data Right will initially apply explicitly to Australia's big four banks from July 1.
The ACCC is currently unsure, however, as to what energy-related information will be available under Australia's new data-sharing directive.
Australia is charging headlong into a privacy disaster as government open data initiatives come online without considering how to properly implement privacy safeguards and data anonymity.