Australian data privacy laws “rushed”

Australia’s Consumer Data Right is being pushed through too rapidly, to the detriment of secure privacy protection, an Australian NGO has said.

According to the Australian Privacy Foundation (APF), there exists a lack of adequate security measures surrounding the forthcoming Consumer Data Right (CDR). The Foundation feels the Australian government is missing out on a very real opportunity to implement more far-reaching laws for the benefit of the nation’s people.

The APF said:

“We consider the framework as it currently stands unnecessarily exposes people to harm because the fundamental privacy safeguards are not in place and risks have been severely underestimated by the government.”

The organisation is calling for a “rigorous and independent” external investigation to improve the situation, to form “a first necessary step”.

“As new risks become apparent there needs to be a process to ensure those risks are managed. If the legislation is enacted without this process, Australians are left at a higher risk of harm.

“This inquiry is only considering the legislation and not the Rules. We argue this is a mistake. Both the Rules and the CDR Bill need to be read together and considered by Parliament to ensure the package works as a whole,” the APF added.

Under the CDR, Australian citizens will be able to “own” their personal data through more open access to banking information, energy details, phone and internet business. They will also have more control regarding the use of their data and who can access it. Banks in Australia will have until July 1st to implement the new policy.

Commenting on the speed with which the CDR has been rushed through, the APF said:

“We remain concerned that the move to introduce CDR is simply too fast. The consultations and the sheer amount of information to look at has meant that the consultation process is not working effectively.

“It is unclear why there is a rush. The equivalent system in the United Kingdom has had a very slow take up and has not delivered any competition or financial revolution to date. The introduction of the CDR Bill into Parliament is yet another rushed process.

Integral to the problem lies the fact that Australia has fewer laws in place to protect the collection, use and sharing of consumer data, particularly in comparison to countries in Europe that adhere to the far more stringent obligations of the GDPR.

The APF has called for the Australian government to meet or exceed the protections offered by the EU’s new data laws, to introduce tougher regulatory powers and to consider making amendments to the Human Rights Act so that personal data is afforded the security it needs in the digital era.

The Foundation labelled the Office of the Australian Information Commissioner (OAIC) as “severely under resourced”, and “not very active” when it comes to enforcing current regulation.

“In summary, the current process for raising a dispute about a privacy breach with the OAIC is inadequate. The OAIC makes very few decisions, awards very little compensation, has a short time limit of 12 months, and discontinues investigation of the majority of complaints made. All of these problems must be rectified,” the APF wrote in a statement.


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/