Treasury rejects privacy and ambiguity concerns over Consumer Data Right

The Australian government department responsible for the Consumer Data Right says there is sufficient consideration given to privacy and that the legislation isn't being rushed through.
Written by Asha Barbaschow, Contributor

The upcoming Consumer Data Right (CDR) will allow individuals to "own" their data by granting them open access to their banking, energy, phone, and internet transactions, as well as the right to control who can have it and who can use it.

The government is currently in the process of shaping the Treasury Laws Amendment (Consumer Data Right) Bill 2019, while the Senate Economics Legislation Committee simultaneously probes all involved parties on the progress of the legislation.

The inquiry saw a handful of submissions from interested parties, highlighting specific concerns over the adequacy of the privacy safeguards the CDR will contain, the rushed nature of the Bill, the distinct banking focus the Bill will have, and whether the outcome of the CDR will serve organisations more than it will consumers.

During the hearings held by the committee this week, Treasury took the opportunity to shut down concerns that had been raised in the submissions to the inquiry, and also those raised during its own time on the podium.

One such concern, held by many, has been that the legislation is being rushed through.

Treasury's head of structural reform Hamish McDonald said its passage is an important part of meeting the government's timeline.

"The passage of this legislation is pretty critical, especially to underpinning the consumer-level data availability in February next year," he said.

He rejected the idea the legislation is being rushed through when it comes to its content.

Pointing to the ambiguous nature of what the balance is between what's included in the law and what's included in the rules, McDonald said that in designing the framework, it was to be principles-based -- that is setting up the structures and principles -- but it would also have a rule-making power that's "flexible enough to adapt to changing business models and the changing digital economy, but with significant parliamentary oversight of that being a disallowable instrument".

"I think the rationale for that framework stands as it is now, so I'm not sure that there's an overarching reason to move away from it," he added.

According to his colleague Daniel McAuliffe, who is the senior advisor for structural reform at Treasury, part of the criticism around the privacy impact assessment (PIA) was that a misunderstanding arose regarding how risk was assessed.

"We have assessed, for a given consumer using the system over the course of a year, how likely is it that, say, a hacking event will occur?" he explained, noting the PIA focused on open banking.

"If you assume the open banking system is up and running, you assume there are a large number of people using the system and you ask yourself: what is the likelihood of a hacking event occurring sometime in the system? I think you have to admit it's almost certain that it will happen at some point."

Both representatives rejected the suggestion that a PIA should be conducted externally to Treasury.

"We took the decision to do it in house, in part because we saw the CDR regime as a privacy regime itself. It was something where the privacy considerations were so intrinsic to designing the policy. That needed to be integrated as far as possible into the policy design process," McDonald said.

"Given we were creating a bespoke standard of privacy for this bespoke scheme, an assessment that just assessed, 'Does this scheme meet the Australian privacy law standards?' wasn't going to be sufficient for what was needed, so we took a slightly different approach of looking at risks and threats to privacy more generally. I think we undertook a fairly comprehensive approach of looking at risks and threats."

Also appearing before the committee was the Attorney-General's Department, which frequently took the opportunity to highlight that something was the "responsibility of Treasury".

"From an Attorney-General's Department perspective, what we're interested in is that we've got safeguards in place that meet the standards within the Privacy Act. Certainly, it's our view that that's the case and that in some cases the privacy standards go beyond that," AGD assistant secretary Joanna Virtue said.

"The specifics of those privacy safeguards are really a matter for Treasury."

Expanding on the argument that there are essentially two streams of privacy laws applicable to the CDR legislation, thus the reason for ambiguity, Virtue said that in general, the privacy safeguards within the legislation are modeled on the Australian Privacy Principles.

"We certainly don't see any inconsistency there. I think the difference is that the Australian Privacy Principles are intended to be of general application across the economy to all entities covered by the Privacy Act, whereas the privacy safeguards in the Consumer Data Right Bill apply specifically to the transactions and the entities who are playing within this system," she explained.

"I think what we would say is that it's an acceptable approach to set up specific rules, as has been done in this case, but that the ultimate policy decision about the best safeguards to apply is a matter for the Treasury and for government."

According to Virtue, the protections are equivalent, if not stronger, than the ones in the Australian Privacy Principles. She also said a lot of the concerns over privacy would be addressed from the guidance and education provided to consumers and entities participating in the scheme as part of its implementation.

Senator Ketter proposed that the Bill be renamed the Consumer Data Portability Right, as it is not the introduction of a comprehensive set of consumer data rights like the European Union's GDPR, but rather a set of rules outlining how consumers can take their data elsewhere.

"The Bill applies to consumers being able to access their data and share it with accredited, safe third parties. It doesn't displace the broader Privacy Act that applies more generally in the economy," McDonald said.

Additionally, he said the framework legislation was designed not only to enable open banking but to enable other sectors.

"We don't exactly know what those sectors are going to look like when we get to them. So the legislation has been designed to allow for a broader sweep of data," he added.

Treasury also took the opportunity to rebut the assumption that the Australian model has far fewer privacy protections in place around the collection, use, and sharing of consumer data than its United Kingdom counterpart.

"One of the key differences between what we are doing in CDR and what the UK did in open banking is that our regime is designed to be able to gradually become an economy-wide data right and an integrated economy-wide data right, so a right that would let you safely share both your energy data and your banking data, and there might be synergies that consumers could get by being able to access both of those in a machine-readable format," McDonald said.

"The UK system was more explicitly designed to be about banking."

With the commencement of the CDR having been pushed back from its original July 1, 2019 start date, McDonald rejected the idea that the delay was intended to improve the Bill.

"I'm not sure that more time would improve the Bill," he specifically said. "The time for the start date of consumer data is useful in that it allows more time after the legislation, after the rules and after the data standards have been finalised. It allows more time for testing during that period."
