CDR privacy risk underestimated
Consumer Data: Privacy groups unhappy with the unseemly rush to get legislation through
The federal government had “severely underestimated” the privacy risks of the Consumer Data Right, even as it pushes to complete an inquiry process and pass the legislation before the election, according to the Australian Privacy Foundation.
The Consumer Data Right (CDR) legislation, which lays the groundwork for open banking and other data access schemes across other sectors, was introduced to Parliament last month. It was quickly passed up to the Senate, and immediately referred to the Economics Legislation Committee for inquiry.
But the committee was tasked with reporting back by 18 March, with submissions closing on 28 February, leaving just two weeks for stakeholders to have their say.
Several of these submissions have now been made public, with many criticising the government for seemingly trying to rush through the legislation without addressing complex issues.
Legal and digital rights groups are concerned with associated privacy risks and a “substandard” Privacy Impact Assessment (PIA) completed by the government, while FinTech groups are urging the government to get on with it and not delay the open banking scheme again.
In a submission, Australian Privacy Foundation (APF) vice-chair Kat Lane said the current CDR legislation “unnecessarily exposes people to harm because the fundamental privacy safeguards are not in place and risks have been severely underestimated by the government”.
The PIA completed by the government did not meet the “standards required of competency, transparency and fairness”, Ms Lane said, and as a first step, another assessment should be conducted by an independent party.
“The PIA is inadequate and leaves people significantly exposed to harm. A failed PIA process means we do not even know what is missing,” she said.
“A rigorous, credible and external PIA process gives a wide range of stakeholders the ability to identify risks, realistically assess those risks and introduce protections.”
While the government’s PIA said the risk of third parties misusing the data they receive is “unlikely”, the Australian Privacy Foundation said it is actually “highly likely”.
“An enormous risk for consumers is that small third party companies will appear to offer deals and get data and then simply disappear and sell or move the data.
“The PIA and the current rules and legislation framework have not properly planned for a likely risk. That is a serious oversight,” the submission said.
The CDR process is moving “simply too fast”, the APF said, and the committee needs more time to consider the submissions and potential amendments to the legislation.
“The consultations and the sheer amount of information to look at have meant that the consultation process is not working effectively. It is unclear why there is a rush,” Ms Lane said.
“We strongly recommend that the committee have further time to consider the complex issues in this matter so a detailed list of issues to be considered can be made,” she said.
But in its own submission, FinTech Australia said any attempts to delay the legislation over privacy concerns are “misguided”.
“Australian FinTech businesses are aligned to the needs of the customer, and thus privacy and security are core operating principles.”
“Therefore, as previously submitted, we broadly support the PIA and the privacy and security measures contemplated in the Data61 consultation; however, the bill must pass for additional pilots and consultation to occur,” it said in the submission.
“In that way, delaying the bill on the basis of privacy concerns is misguided; it actually undermines the delivery of certainty required to alleviate the privacy concerns shared by all parties.”
The APF argued that Australia’s privacy laws need to be strengthened and brought in line with Europe’s General Data Protection Regulation in order to offer proper protection under the CDR scheme.
The APF said that the Office of the Australian Information Commissioner (OAIC), which will oversee the scheme, needs to be provided adequate funding and resourcing.
“Unfortunately, the OAIC is not a very active regulator and appears to be severely under-resourced,” Ms Lane said. “The culture of the OAIC seems to be ‘soft’ and it has sent a clear signal to industry that there is very little chance they will ever be fined or sanctioned over data breaches.
“The government must ensure that the OAIC is adequately funded, has greater powers and is tough on privacy breaches.”
A number of submissions also raised concerns about the potential for the third party recipients to misuse the personal information that they receive.
“We remain concerned that data collected could, without appropriate safeguards in place, be used for unintended purposes. The data would be much sought after by those looking to market or cross-sell products. The commercialisation of consumers’ data would be contrary to the intention of the bill,” Maurice Blackburn Lawyers said in its submission.
“Given the Royal Commission’s findings in relation to the forces which inform financial institutions’ decision making, they have not proven themselves incapable of profiting from access to data which was intended for other purposes,” it said.
“As media commentators have correctly stated, it is important that the move to an open data regime, and its administration, does not become the basis for a future Royal Commission.”