House of Representatives

Treasury Laws Amendment (Consumer Data Right) Bill 2019

Explanatory Memorandum

(Circulated by authority of the Treasurer, the Hon Josh Frydenberg MP)

Chapter 2 - Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Treasury Laws Amendment (Consumer Data Right) Bill 2011

2.1 The Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview

2.2 The Consumer Data Right (CDR) will provide individuals and businesses with a right to efficiently and conveniently access specified data in relation to them held by businesses and to authorise secure access to this data by trusted and accredited third parties.

2.3 The CDR will also require businesses to provide public access to information on specified products they have on offer. CDR is designed to give customers more control over their information. It is expected to provide benefits to consumers such as more choice in where they take their business or more convenience in managing their money and services.

2.4 A person may commit an offence or contravene a civil penalty provision if they fail to comply with certain obligations in the CDR regime.

Human rights implications

2.5 The Bill engages the following human rights:

the right to protection from arbitrary or unlawful interference with privacy;
the right to a fair trial and public hearing; and
the right to be presumed innocent until proved guilty according to law.

Protection from arbitrary or unlawful interference with privacy

2.6 The Bill engages the right to protection from unlawful or arbitrary interference with privacy under Article 17 of the International Covenant on Civil and Political Rights (ICCPR) because it enables a person to direct another person or entity to transfer personal information about themselves to another person or entity.

2.7 In order for an interference with the right to privacy to be permissible, the interference must be authorised by law, be for a reason consistent with the ICCPR and be reasonable in the particular circumstances. The UN Human Rights Committee has interpreted the requirement of 'reasonableness' to imply that any interference with privacy must be proportional to the end sought and be necessary in the circumstances of any given case.

2.8 The CDR regime meets the legitimate purposes of enabling consumers to access the inherent value of their data. The CDR is a right for consumers to authorise data sharing and use. The consumer data right will provide individuals and businesses with a right to access data relating to them; and to authorise secure access to their data by persons who have been 'licensed' to receive the data - 'accredited data recipients'.

2.9 Underpinning the CDR regime is a requirement that the disclosure between entities of personal information is only permitted with the express consent of the individual. The consumer data right does not allow businesses who hold or receive data to transfer or use data without the customer's consent.

2.10 It is intended that the CDR, by giving consumers improved access to data, will support better comparison services by taking into account Australians' actual circumstances and promoting more convenient switching between products and providers. The CDR is expected to enhance consumer welfare more broadly.

2.11 The Bill protects against arbitrary interference with privacy by establishing a set of CDR specific privacy safeguards, modelled off the existing Australian Privacy Principles (APPs) but with additional obligations.

2.12 The privacy safeguards included in the CDR are:

restrictions on the use, collection and disclosure of information received through the consumer data rules, including information derived from this information, to circumstances where the consumer has given express consent;
requirements to have privacy policies in place which are easily accessible and clearly explain the complaints handling process;
obligations on data holders and accredited data recipients to correct information;
obligations on data holders and accredited data recipients to notify the consumer when information is disclosed;
requirements to destroy information that is purported to have been shared under the consumer data rules but has been disclosed in error;
strong powers and significant funding for regulators, including the Office of the Australian Information Commissioner (OAIC);
only allowing direct marketing with the express consent of the consumer; and
remedies for breaches, including through external dispute resolution arrangements.

2.13 Though the Bill gives the ACCC broad rule-making powers in respect of privacy, these powers are limited by the Privacy Safeguards. The Privacy Safeguards prevail over the rules to the extent of an inconsistency. Where the rules may provide clarity regarding how to implement a Privacy Safeguard, that Privacy Safeguard clarifies in what respect it may be informed by the rules.

2.14 The OAIC will advise on and enforce privacy protections, and provide complaint handling for breaches of the Privacy Safeguards. Consumers will have a range of avenues to seek remedies for breaches of their privacy or confidentiality including access to internal and external dispute resolution and direct rights of action.

2.15 The accreditation process is a key protection against arbitrary or unlawful interference with privacy. Only trusted and accredited third parties will be able to access data from data holders at the customer's direction. The ACCC will initially be responsible for accrediting entities. The requirements that need to be met will be set out in a legislative instrument and will address matters such as:

having systems, resources and procedures in place which enable the entity to comply with their CDR obligations including the security of information; and
having internal dispute resolution procedures in place and being a member of a recognised external dispute resolution body.

2.16 These limitations are consistent with the prohibition on arbitrary interference with privacy as they are directed at legitimate objectives and are reasonable and proportionate to those objectives.

Penalty provisions

Assessment of civil penalties

2.17 Civil penalty provisions may engage criminal process rights under Articles 14 and 15 of the ICCPR regardless of the distinction between criminal and civil penalties in domestic law. This is because the word 'criminal' has an autonomous meaning in international human rights law. When a provision imposes a civil penalty, an assessment is therefore required as to whether it amounts to a 'criminal' penalty for the purposes of Articles 14 and 15 of the ICCPR.

2.18 The civil penalty provisions in the Bill should not be considered 'criminal' for the purposes of international human rights law. While the civil penalty provisions included in the Bill are intended to deter people from not complying with their obligations under the CDR regime, none of the civil penalty provisions included in the Bill carry a penalty of imprisonment for non-payment of a penalty.

New criminal offences

2.19 The Bill includes two new criminal offence provisions for misleading conduct and holding out that you are 'licensed' to receive data under the CDR when you are not.

2.20 It is considered appropriate to apply criminal penalties for these offences as this type of conduct directly undermines the protections put in place in the CDR regime.

2.21 These criminal offences do not amend any of the criminal process or procedural rights that currently exist and are upheld in accordance with article 14 of the ICCPR.

Evidentiary burden

2.22 An offence provision which requires a defendant to carry an evidential burden may be considered to engage the right to the presumption of innocence. Section 56GC of the Bill engages the right to the presumption of innocence because a defendant bears an evidential burden.

2.23 Section 56GC of the Bill protects a person from liability if the person (the first person) provided information to another person (the second person) or allowed the second person access to information in good faith and complying with the requirements of the CDR regime.

2.24 Section 56GC of the Bill protects the first person from liability so that the person will not be able to have an action taken against them, whether civil or criminal, about the provision of the CDR information.

2.25 However, a person who wants to rely on a protection from liability bears an evidential burden. This is appropriate as the person will know whether or not they received evidence of a valid consent or request and otherwise met the obligations in the CDR regime.

2.26 The effect of the limitation is that the defendant must merely provide evidence that suggests a reasonable possibility that the person disclosed the information in good faith and in accordance with the CDR requirements. Once this has occurred the prosecution must refute this beyond reasonable doubt to obtain a conviction (see section 13.3 of the Criminal Code).

2.27 This material will be within the person's knowledge. A person disclosing information will need to meet certain record keeping requirements, and would, for example be able to demonstrate that the correct consent documents had been received and that the recipient was listed on the accreditation register. Being able to produce this material should place no additional burden on the person.

2.28 To the extent this provision might be considered to limit the presumption of innocence, the limitation is reasonable in all circumstances.

Right to a fair and public hearing

2.29 Article 14 of the ICCPR ensures that everyone shall be entitled to a fair and public hearing by a competent, independent and impartial tribunal established by law.

2.30 The Bill may be considered to engage the right to a fair and public hearing as it extends the existing infringement notice provisions in the CC Act so that an infringement notice may be given where a person has contravened a civil penalty provision.

2.31 However, the right to a fair and public hearing by a competent, independent and impartial hearing is not limited by the Bill because the person may still elect to have the matter heard by a court rather than pay the amount specified in the infringement notice. This right will be stated in any infringement notice.

2.32 For these reasons the Bill is not considered to limit the right to a fair and public hearing.

Conclusion

2.33 The Bill is compatible with human rights because to the extent that the Bill may limit human rights, those limitations are reasonable, necessary and proportionate.


View full documentView full documentBack to top