
New consumer data regime in Australia

Australia’s privacy laws are already considered among the world’s best practice. However, the Government has decided that current laws do not go far enough in protecting consumers and looks set to impose more stringent privacy obligations on entities holding consumer data (for example, customer names, contact information and transaction history).

The Treasury Laws Amendment (Consumer Data Right) Bill 2019 (Bill) currently before Parliament seeks to close this gap in consumer protection and allow consumers greater access to information about themselves and services they obtain.

This in turn aims to increase competition between service providers, enabling consumers to share their information between competing service providers to compare offerings and easily identify the services best suited to their needs.

What additional obligations will be imposed on entities holding consumer data?

The Bill proposes to impose “privacy safeguards” on entities holding consumer data, which go further in protecting information than current obligations under the Privacy Act 1988 (Cth) (Privacy Act).  

| | Current position under the Privacy Act | Proposed new position under the privacy safeguards |
| --- | --- | --- |
| Applies to | All private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses. | As a general rule, entities in specified sectors that hold or receive consumer data. The Bill also extends the Privacy Act to apply to certain small businesses with turnover under $3 million. |
| Information covered | Personal information about identifiable (or reasonably identifiable) individuals. | Certain consumer data that relates to identifiable (or reasonably identifiable) individuals or businesses and has an “Australian link”. An “Australian link” is satisfied by two of the following three factors being met: data is collected in Australia; the data collector is Australian; and/or the consumer is Australian. Consumer data may include information derived from consumer information, meta-data and consumer usage records. It may also extend to information collected or generated in the past. |
| Unsolicited information | Entities can generally use unsolicited personal information. | Entities must generally destroy unsolicited consumer data. |
| Direct marketing | Personal information can generally be used for direct marketing provided individuals are given an opportunity to “opt out” of receiving the communications. | Consumer data generally cannot be used for direct marketing. |
| Protecting information | Entities must take reasonable steps to protect personal information. | Entities must ensure that consumer data is protected. |
| Disclosing information | Entities can disclose personal information in accordance with the law and their privacy policy. The consumer does not need to be notified and their consent to the disclosure can be implied. | Entities can only disclose consumer data to consumers and accredited third parties. The consumer must be notified, and their consent to the disclosure must generally be express. |
| Data breach | Entities must take action where personal information is lost, or accessed or disclosed without authorisation. | The Bill extends the Privacy Act obligation in the event of a data breach to consumer data more broadly (not just personal information). |
| Quality of information | Entities must generally take reasonable steps to ensure personal information is correct and up to date. | Entities must take certain steps where consumer data is incorrect or outdated and must pass the updated information on to third parties if requested. |

How will consumers be given greater access to information?

A proposed new initiative under the Bill will make it easier for consumers to ‘shop around’ for the best service or product offering on the market.

Firstly, the Bill proposes to require entities to make information about their services and products publicly available (for example, eligibility criteria for each product or service, terms and conditions of supply and the price payable).

Then, not only will consumers have greater access to their own consumer data, they will also be able to direct service providers to pass on this data to other entities with alternative or competing offerings to seek quotes for and obtain other products and services. 

What are the penalties for breaching the new regime?

Breach of the new regime will attract civil penalties of up to $10 million for a body corporate, and up to $500,000 for an individual.  Consumers will additionally be able to sue for any loss and damage they sustain as a result of a breach. 

What should you do to prepare for the new regime?

Regardless of the result of the upcoming Federal election, the Bill is expected to pass into law given it is supported by both major political parties.

If it is passed, it will be rolled out on a sector-by-sector basis, commencing with the banking sector as part of the new “Open Banking” regime. The Treasurer has indicated that the regime will then be implemented in the telecommunications, energy and insurance industries.

All entities that provide products or services to consumers (regardless of the industry in which they operate) should review their current data handling policies, practices and systems, and adjust them to ensure compliance with the new requirements under the Bill.  Additionally, entities will need to consider the way in which they will comply with the data sharing obligation under the regime once the form in which data is to be transferred between service providers is designated.
