Explanatory Memorandum
(Circulated by authority of the Minister for Housing and Assistant Treasurer, the Hon Michael Sukkar)Chapter 4 - Consumer Data Right-Deletion requests
Outline of chapter
4.1 The Treasury Laws Amendment (Consumer Data Right) Act 2019 commenced on 13 August 2019. The Act amended the Competition and Consumer Act 2010 to provide individuals and businesses with a right to efficiently and conveniently access information held by businesses about the transactions they enter into as consumers and to authorise secure access to this data by trusted and accredited third parties. The Consumer Data Right also requires businesses to provide public access to information on the products that they have on offer.
4.2 The Government has committed to applying the CDR to the banking, energy and telecommunications sectors, and eventually across the economy.
4.3 The ACCC has the power to make rules to determine how the CDR functions in each sector.
4.4 Schedule 4 to the Bill creates a requirement that consumer data rules include an obligation on accredited data recipients to delete CDR data in response to a request from a CDR consumer for that CDR data.
4.5 All legislative references in this Chapter are to the CCA unless otherwise stated.
Context of amendments
4.6 These amendments are consistent with the strong privacy and information security provisions in the CDR, and the ACCC's broad power to make consumer data rules that deal with when, and how, CDR data must be deleted.
Summary of new law
4.7 These amendments create a requirement that consumer data rules include an obligation on accredited data recipients to delete CDR data in response to a request from a CDR consumer for that CDR data.
Comparison of key features of new law and current law
| New law | Current law |
| Consumer data rules must include a requirement that an accredited data recipient delete CDR data in response to a valid request by a CDR consumer for that CDR data. | Consumer data rules may be made on all aspects of the CDR regime including when, and how, CDR data must be deleted. |
Detailed explanation of new law
4.8 An integral element of the CDR system is the protection of consumers' CDR data. These amendments support this by requiring the ACCC, when it makes consumer data rules, to include a requirement that accredited data recipients delete all or part of CDR data in response to a valid request by a CDR consumer for that CDR data. [Schedule 2, item 1 and 2, subsection 56BAA(1)]
4.9 To give effect to this obligation on accredited data recipients the consumer data rules may cover a range of matters including: how requests must be made; what constitutes a valid request; how CDR data is to be deleted; when an accredited data recipient may refuse to delete CDR data; and how a recipient is to notify a CDR consumer about the outcome of a deletion request. [Schedule 2, item 1, subsection 56BAA(3)]
4.10 The consumer data rules may also include matters that are incidental to the requirement to delete CDR data in response to a request from a CDR consumer.
4.11 The consumer data rules cannot require an accredited data recipient to delete CDR data where:
- •
- the accredited data recipient is required to keep the data under an Australian law, or as a result of an order of a court or tribunal; or
- •
- the CDR data relates to a current or anticipated legal proceeding or dispute resolution proceedings to which the accredited data recipient, or the CDR consumer, is a party.
- [Schedule 2, item 1 and 3, subsection 56BAA(2) and section 56BJ]
4.12 The requirement to include a deletion right in the consumer data rules applies despite other CDR provisions, and does not limit the ACCC's power to make rules dealing with the deletion of CDR data more broadly. [Schedule 2, item 1, subsections 56BAA(4) and (5)]
Application provisions
4.13 Schedule 4 to the Bill commences on the first day following the day of Royal Assent. [Subclause 2(1), table item x]