27 Apr Navigating an approach to the Consumer Data Right and security of critical infrastructure

This article is intended to assist public and private sector organisations to understand how the Consumer Data Right (CDR) and changes to critical infrastructure law affect them.

Participants in the CDR eco-system such as Data Holders, Accredited Data Recipients and Gateways need to comply with the Competition and Consumer Act 2010 (Cth) (CCA) and the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (SLACIB), when promulgated.

Because the operation of the CDR under the CCA includes an exchange of data between critical infrastructure sector entities, the two laws are mutually symbiotic and must be implemented in a cohesive manner. Further requirements for state owned entities must be considered where applicable.

Stringent penalties apply where the requirements are not properly understood or implemented. Ultimately, compliance and risk management will depend upon information management and classification under law.

1. 1. Competition and Consumer Act 2010

The CDR gives consumers (individuals and businesses) greater control over their own data, including the ability to access specified data about them held by businesses and to authorise the disclosure of that data to third parties, or to themselves. The CDR is an economy-wide reform that applies sector-by-sector, starting with the banking sector, followed by energy and telecommunications. Further information on the reforms can be found here: https://www.ictlegalconsulting.com/2021/03/26/the-consumer-data-right-and-pending-legal-reform/?lang=en

The operation of the CDR is supplemented by the CDR Rules, and privacy safeguards and involves the following steps:

• The consumer consents to the accredited data recipient obtaining their data;
• The accredited data recipient seeks to access consumer’s data and their identity and accreditation status is authenticated by the data holder;
• The data holder authenticates the identity of the consumer;
• The consumer authorises the data holder to disclose their data to the accredited data recipient; and
• The consumer’s data is shared between the data holder and the accredited data recipient

While the CDR is expected to create opportunities for business, it includes stringent requirements. Breaches of the CDR Rules and privacy safeguards can attract civil penalties up to $500,000 for individuals. For corporations, penalties are the greater of $10,000,000; three times the total value of benefits that have been obtained; or 10% of the annual turnover of the entity committing the breach.

1. 2. Security Legislation Amendment (Critical Infrastructure) Bill 2020

The SLACIB (currently before the House of Representatives) amends the Security of Critical Infrastructure Act 2018 to enhance the existing framework for managing risks relating to critical infrastructure by introducing:

• Additional positive security obligations for critical infrastructure assets, including a risk management program, to be delivered through sector-specific requirements and mandatory cyber incident reporting;
• Enhanced cyber security obligations for assets of national significance; and
• Government assistance to relevant entities for critical infrastructure sector assets in response to significant cyber attacks.

SLACIB also expands the definition of critical infrastructure assets to a total of 22 critical infrastructure asset classes which will be subject to the enhanced regulatory framework upon passage of the Bill. These requirements apply to both foreign-owned and Australian-owned critical infrastructure where the critical infrastructure asset is located in Australia.

What this means for the public and private sector

Compliance with these laws and the need to manage risk demand an understanding of information and information systems, specifically the retention and flow of CDR data-sets and derived data across the information architecture.

It also requires affected entities to know what data they create, hold and distribute in order to handle it correctly and securely throughout its lifecycle. Not only CDR data is involved. Other personal, sensitive, confidential and even secret information is at issue, particularly under SLACIB.

Navigating an approach to the CDR and security of critical infrastructure must begin with identifying the laws applicable to an entity (regulatory universe) and with information classification.

Australia’s regulatory regime is complex because entities must comply with federal, state and local requirements, but also manage the distinction between public and private sector requirements. By way of example, freedom of information law applies to the public, not private sector, and requires additional safeguards, controls and procedures to avoid unlawful distribution of personal and other information.

Public and private sector regulation and governance

The task of regulating the corporate sector in Australia is mainly the responsibility of three key agencies; the Australian Securities and Investment Commission (ASIC), Australian Prudential Regulatory Authority (APRA) and the Australian Competition and Consumer Commission (ACCC). Each of these have distinct powers to make rules and enforcement powers.

For example, new penalty provisions enable ASIC to pursue harsher civil penalties and criminal sanctions under the following ASIC-administered legislation:

• Corporations Act 2001
• Australian Securities and Investments Commission Act 2001
• National Consumer Credit Protection Act 2009 and National Credit Code
• Insurance Contracts Act 1984.

Under new penalty provisions, the maximum civil penalty for individuals is the greater of 5,000 penalty units (currently $1.11 million) or three times the benefit obtained and detriment avoided.

The maximum civil penalty for companies is the greater of:

• 50,000 penalty units (currently $11.1 million)
• Three times the benefit obtained and detriment avoided, or
• 10% of annual turnover, capped at 2.5 million penalty units (currently $555 million).

The Department of Finance provides comprehensive information about the Public Governance, Performance and Accountability Act 2013 (PGPA). The PGPA does not contain penalties and sanctions, which are addressed in employment arrangements or, for criminal conduct, in the Criminal Code Act 1995 or Crimes Act 1914.

1. 3. State law and standards

State owned entities have additional complexities to navigate. For example, a water corporation in Victoria must also comply with the Privacy and Data Protection Act 2014 (Vic), and the Victorian Protective Data Security Standards (VPDSS). Understanding the relationship between the Victorian state and federal provisions requires legal and security expertise.

Here to Assist

­­If you are impacted by these far-reaching regulatory reforms and seek assistance, we are here to assist you in relation to law, security, privacy and data protection, and governance.

Helaine Leggat

Managing Partner ICTLC Australia