Consumer Data Right Rules – Draft Privacy Impact Assessment
The submission to the Treasury in relation to the Privacy Impact Assessment (the PIA) for the Consumer Data Right Rules was prepared by the Law Council.
The Law Council’s primary concerns, and suggested recommendations, are summarised as follows:
- Further clarity is required regarding the consent framework. The Law Council recommends legislating for a definition of ‘valid consent’. As a minimum, the Law Council recommends enhancing Recommendation 3 of the PIA as outlined in this submission.
- Many of the mitigation strategies applied in the risk assessment are legal and regulatory measures, leaving the assessment of risk open to the flawed assumption that laws will always be complied with. The risk should be comprehensively evaluated.
- Clarification is needed as to whether the finding regarding credit reporting agencies is accurately summarised.
- The Law Council recommends changing ‘should’ to ‘must’ in Recommendation 9, to read that ‘All significant changes to the CDR legislation or Rules must be accompanied by further PIAs …’.
- The Law Council remains concerned that the Bill is overly broad and unnecessarily complex. The Law Council recommends the Bill be amended to narrow the scope and simplify the provisions to improve accessibility of the proposed regime.
You can read the full submission below.