The Consumer Data Right laws are “very complex and messy” and plans to amend them later in the year may lead to further problems, digital rights advocates have said.
The Consumer Data Right (CDR) legislation, which paves the way for open banking and other data sharing regimes, was passed unamended by the Senate with bipartisan support last Thursday night, after Labor decided to vote for it despite having “deep concerns”.
Labor agreed to pass the bill, despite a series of MPs raising concerns, after receiving a promise from the government that an amendment introducing a right to delete would be moved during the next sitting period in September.
The legislation was introduced to Parliament earlier this year but the government failed to pass it before the May election. It was re-introduced by Treasurer Josh Frydenberg last month, and the Labor caucus agreed to support it early last week.
This is despite a Senate inquiry revealing concerns about privacy, data security, consumer protection and sectoral coverage, and participating Labor senators pledging to move amendments in the Senate to address these.
The development of the CDR has been rushed and risks going down the same path as the highly controversial encryption legislation, which was passed at the end of last year, Electronic Frontiers Australia (EFA) chair Lyndsey Jackson said.
“It feels similar to other legislation where it has been quite rushed, and the consultation where people are urging restraint seems to be mostly for show. It feels like it’s going the way of other legislation,” Ms Jackson told InnovationAus.com.
“That’s the problem with policy on the run and the short consultation timeframes that don’t actively get the right people and complexity in the room,” she said.
“It’s also the problem with Labor letting stuff through, but leaving holes that maybe they’ll plug up later. It’s really unhelpful in a lot of ways.”
The Opposition did move an amendment in the lower house calling on the Parliament to note the need to uphold privacy and security around the CDR. But when this was shot down by the government, Labor supported the bill’s passage through both houses unamended.
It provided a big win for the Coalition, which had been running against time to pass the legislation before the winter break, and for the local FinTech sector, which will soon be able to get its hands on the lucrative data held by major financial institutions.
“This is a broader win for consumers. While FinTech will be one of the first industries to benefit from this reform, we see it having a lasting impact on competition in Australia,” FinTech Australia general manager Rebecca Schot-Guppy said.
“However, it will take time and continued effort from the government for its full impact to be realised,” she said.
The CDR legislation is “very complex and messy” and will add a lot of compliance costs for companies and consumers, EFA board member Justin Warren said.
“The CDR has happened quite quickly, so we simply haven’t spent the time needed to work through the flaws to try to remove them before the legislation is passed,” Mr Warren told InnovationAus.com.
“It’s been a bit of a trend by Australian governments in the last decade – passing rushed legislation that has lots of flaws and unintended consequences that we have then to sort out.”
“It’s much more disruptive to the businesses who need to comply with this legislation, and it’s become rather damaging to our international reputation as well, unfortunately.”
Before voting for the legislation, a number of Labor MPs spoke on their concerns with the CDR legislation, focusing on the government’s rushed process, the security of the data that will be transferred and the impact of the new scheme on vulnerable consumers.
The Opposition also said it had received a pledge from the government that it will introduce an amendment to ensure a right for consumers to request their data be deleted.
“We have secured a commitment from the government that consumers will be given the right to have their data deleted. An amendment to this legislation will be moved by the government after the winter break to give effect to this commitment,” Labor Senator Jenny McAllister said.
Assistant Minister for Financial Technology Jane Hume confirmed that the government had committed to this, and tabled a draft version of the amendment in the senate.
“In order to further strengthen the privacy provisions in the bill, the government has agreed with the opposition to make a further change to ensure that rules under the scheme contain a requirement for an accredited data recipient to delete a consumer’s data if requested,” Senator Hume said.
The amendment states that the data cannot be deleted if it is required to be kept under law or a court order, what must be included in a request, the circumstances this can be refused, rules about how it must be deleted and the notification process for this.
While a right to delete has the support of digital rights groups, adding it in after the fact could prove to be problematic, Ms Jackson said.
“It doesn’t give certainty for developers building these applications, because retrofitting this stuff in later is technically more difficult if it’s something you have to do later because the legislation changes,” she said.
“The right to be forgotten is an important one but it is a difficult thing to build into tech systems. It takes a lot of thinking about the data you should keep or need to keep, it’s not quite as simple as pressing a button and deleting someone entirely. A lot of processes and tech issues go into it, and implementing it will take a long time.”
The CDR laws take too much of a “commercial-centric view” of the use of personal data, Mr Warren said.
“Personal data is treated as a tradeable commodity, but people have much more complex feelings about when they’re comfortable sharing certain information about themselves and when they aren’t,” he said.
“There are moral hazards that aren’t present with other commodities, and if these subtleties aren’t taken into account, people get unpleasantly surprised when the laws don’t work the way they believe they do, which creates a backlash.”
There’s also a potential issue around how the new laws interact with different groups looking to access the data, and similar state government schemes, Ms Jackon said.
“There is a lot of difference in how the different groups are coming at the data, especially the data they’re involved in and the data they need to handle. There’s not a very good marrying up of this and that’s why it makes it difficult for a one-size fits all approach,” she said.
“It seems like there’s more progress in the state data sharing programs and they have been putting things in place for many years, and then the government has clumsily put something in over the top of it. They’re late to the party on this yet again.”