Treasury department officials have hit back at suggestions the government showed “complete disdain” for the consultation process while developing the Consumer Data Right.
Appearing before a senate committee inquiry into the Consumer Data Right (CDR) legislation, Treasury officials said that more time has been given to consulting on the scheme than most other bills, and defended the internal Privacy Impact Assessment, which had just been labelled “useless”.
The CDR legislation was introduced to Parliament last month and was quickly passed up to the senate and sent off for inquiry.
The senate inquiry into the CDR legislation held public hearings in Melbourne and Sydney last week as it prepares to table its report in a fortnight.
A number of submissions raised concerns that the bill is being rushed through parliament before the upcoming election without the necessary scrutiny, and that the Privacy Impact Assessment completed internally by Treasury was “inadequate”.
Appearing before the committee on Wednesday, Australian Privacy Foundation chair Kat Lane said the government had shown a “complete disdain” for the consultation process, that the CDR’s Privacy Impact Assessment (PIA) is “useless”, and that the legislation should be halted until rules for the scheme are finalised.
The draft PIA was released by the government for consultation on 21 December last year.
“That shows complete disdain for consultation. Then, interestingly enough, there was no further consultation at all. The foundation fervently hopes that this committee recognises the serious risks that flow from not getting the privacy safeguards in place,” Ms Lane told the committee.
“We urge the committee to recommend that this legislation does not proceed until we review the privacy laws to make sure that they are adequate and, as an absolute minimum, that we have a rigorous, credible, independent privacy impact assessment process put in place.”
But Treasury officials who addressed the hearing later in the day hit back at these suggestions and said that more consultations had been completed on the CDR than usual.
“It is unfortunate that she feels like there was a level of disdain. I can certainly assure you, and I would assure her if she were here, that we certainly don’t treat consultation with a level of disdain. We look to learn from it,” Treasury structural reform division head Hamish McDonald told the hearing.
“I think this bill has probably had more consultation than the average Treasury bill. There was a public consultation process on the open banking review and on the response to the open banking review. There have been two public consultation processes on the legislation underpinning open banking. All of those informed our approach on privacy and our thinking about privacy.”
Mr McDonald did admit that the current legislation does not meet the expectations of the Australian Privacy Foundation and other digital rights groups.
“I do accept that the bill as finalised doesn’t reflect all of the views of that organisation. That’s in part because it’s been designed to be a framework bill which sets a higher level of privacy standards than currently exist but then with a lot of further privacy protections contained through the rules,” he said.
Committee chair Jane Hume also accused those who are criticising the government for “rushing” the legislation of having a “vested interest in seeing the slowing down of the passage of this legislation”.
While Ms Lane had said that the PIA completed by Treasury was “useless” and “leaves people significantly exposed to harm”, Treasury CDR project lead Daniel McAuliffe said critics of the department’s PIA are “misunderstanding” how it assesses the risk associated with the new scheme.
“Many of the stakeholders have assisted on the whole of system: within the whole system, within a certain time period, how likely is this to occur? That is not how we’ve done the assessments. We have assessed: for a given consumer, using the system over the course of a year, how likely is it that, say, a hacking event will occur,” Mr McAuliffe told the hearing.
“If you assume the open banking system is up and running, you assume there are a large number of people using the system and you ask yourself, what is the likelihood of a hacking event occurring sometime in the system? I think you have to admit it’s almost certain it will happen at some point. We took a view very early on that a whole-of-system assessment just gives you meaningless assessments.”
Mr McDonald also defended Treasury for conducting the PIA internally, something which has been widely criticised by interested stakeholders.
This was done because Treasury sees the “CDR regime as a privacy regime itself”.
“It was something where the privacy considerations were so intrinsic to designing the policy,” he said.
The Opposition has called on the government to take things slowly and ensure it gets the CDR legislation right, but its attempt to extend the committee’s inquiry time was knocked back by the government.
Speaking at the hearing, Labor Senator Chris Ketter said he is concerned that the CDR has been a “rushed process”.
“There’s a real sense that this is a rushed process and that there’s a danger that there are suboptimal outcomes potentially happening here. The downsides of this whole CDR arrangement are manifest, and we want to make sure we get it right,” Senator Ketter said.