What does the new Australian privacy law mean for consumer data?
With a plethora of different laws being introduced in recent years, it is important that businesses know what each new set of laws does and how it differs from previous or parallel regulation.
We will take you through the differences and details of the Consumer Data Right (CDR) and how it compares to other regulation of its kind.
Differences between the CDR and the GDPR
Martin Rudd, CTO at Telesoft, discusses the differences between how Europe and Australia react to data breaches and the descriptions of consent in terms of data collection and handling.
“Australian organisations that suffer a data breach have to notify the local data authority — the Office of the Australian Information Commissioner — as well as the affected individuals, if there is a potential for serious harm. However, instead of the short 72-hour notification window provided by GDPR, Australia’s Privacy Act gives firms 30 days to assess the gravity of the breach before reporting it,” he says.
The Australian regime therefore gives businesses significantly longer to address, analyse and fix a security breach before reporting it than the GDPR does.
Another marked difference, Rudd explains, is the CDR’s broader definition of consent.
He comments: “There are also differences between the two rulings around consent. The Privacy Act references two types, ‘express’ and ‘implied’, while GDPR only recognises the former. As such, businesses operating across both regions should look to standardise consent collection processes to ensure compliance with both regulations.”
Roy Horgan, director, global employment and compliance counsel at Qlik, explains that the CDR is also kinder to small business than the GDPR.
“Australia’s Privacy Act has similar principles to GDPR but small businesses (with annual turnover of AUS$3 Million or less) are generally exempt from many of its requirements. In contrast, all EU businesses (regardless of turnover) are subject to GDPR, though larger companies are expected to have more sophisticated measures in place.”
How does the CDR relate to banking?
Michael Magrath, director, global standards and regulations at OneSpan, explains how the CDR was rolled out in Australia’s banking sector.
“The Consumer Data Right was planned in late 2017 with a goal to provide Australians with greater access to and control over their own data.
“CDR has served as the foundation for open banking in Australia, initially applying to Australia’s ‘Big 4’ banks (ANZ, Commonwealth Bank, NAB and Westpac). In the first phase the banks are mandated to share “product reference data” with ‘accredited data recipients’. The data shared would include fees, charges, interest rates, credit card and mortgage product eligibility criteria,” he says.
Magrath describes the next stages in the process, in terms of banking transparency.
“The Big 4 complied well ahead of schedule during the summer of 2019. The following phase would include the sharing of transactional data for debit and credits, savings and checking accounts and the last phase would encompass mortgages and personal loans.”
However, Magrath voices his concern that security protocols such as Strong Customer Authentication are not required, which could put consumer data at risk.
“The deadline has been pushed out due to security concerns, but a “head scratcher” for me is that open banking does not include the Strong Customer Authentication requirements that Europe has mandated for PSD2.”
More powers for regulation bodies
As the lead CDR regulator, the ACCC has been given a number of new roles including:
• monitoring compliance and taking enforcement action where necessary,
• recommending future sectors to which the CDR should apply,
• communicating with and educating consumers and other stakeholders about their rights and obligations under the CDR.
All of these new powers mean that the ACCC can continue to push for more regulated data in the future, potentially in other sectors.