House of Assembly: Wednesday, September 28, 2022

Bills

National Electricity Law (South Australia) (Consumer Data Right) Amendment Bill

Second Reading

Debate resumed.

Mr FULBROOK (Playford) (16:28): I rise to speak in support of the National Electricity Law (South Australia) (Consumer Data Right) Amendment Bill 2022. It is very pleasing, having heard the member for Morphett speak, that this will also be backed by the opposition. This bill before the house should be seen as part of the set of reforms aiming to increase opportunities for consumers to manage their affairs and to improve the energy market.

As I am sure most would agree, the energy market has undergone immense change over the past few years. The former Labor government rightly put South Australians ahead of the pack in the unstoppable transition to renewable energy, setting the trajectory to lower prices and cleaner power. At the same time, innovation in communications and the digital world has created a new environment for the way we go about our lives.

This bill will allow households to benefit from these changes rather than leave them vulnerable to unscrupulous profiteering. Consumer Data Rights, or CDR, is a significant, economy-wide reform designed to empower consumers to benefit from the data Australian businesses hold about them, and in doing so strengthen innovation, competition and productivity.

They empower consumers to share data held about them with accredited and trusted third parties so that they can deliver direct benefits. The system has already been introduced in the finance sector, and I understand it will be extended into telecommunications after the energy sector. Importantly, the reforms will be managed and monitored by agencies with strong investigative and enforcement powers. This will protect consumers at the same time as creating many opportunities.

I find it assuring that, to participate in data sharing, businesses will have to be accredited by the Australian Competition and Consumer Commission (ACCC). To become an accredited data recipient, a business must meet strict criteria around data collection, use of storage, information security, protecting a consumer's privacy and obtaining a consumer's consent.

Once accredited, a business will have ongoing obligations consistent with these criteria. If they do not meet these requirements the ACCC can suspend or cancel their accreditation. It should also be stressed that it will be entirely voluntary for consumers to opt into a data sharing agreement.

It is also significant to note that this bill dovetails with federal laws that are already in place. These include provisions about privacy, which are crucial for the successful acceptance of the data-sharing system. There are 13 legally binding privacy safeguards contained in the Competition and Consumer Act 2010 to protect a consumer's data in the Consumer Data Right for energy. They set out the privacy rights and obligations to users of the scheme, including the requirement for a consumer's informed consent for their data to be collected, disclosed, held or used.

The Competition and Consumer (Consumer Data Right) Rules 2020 also supplement privacy safeguards by prescribing further detail about these requirements. The rules provide the framework for how the CDR operates. They also define the elements for consumer consent, outline the accredited framework for accredited data recipients and elaborate on the privacy aspects of the CDR scheme.

In addition to several obligations under the privacy safeguards, data holders must also comply with some key privacy obligations in the CDR rules, and these include:

providing consumer data request services;

disclosing CDR data in response to consumer requests;

asking consumers to give or amend authorisations;

managing authorisations by including the use of consumer dashboards;

notifying consumers of certain matters in relation to their data-sharing arrangements; and

providing access to copies of records when requested by consumers.

The Office of the Australian Information Commissioner enforces the privacy safeguards and privacy-related CDR rules. They also handle complaints and notifications of eligible data breaches relating to CDR data.

These provisions will be important to South Australians to understand the appropriate protections that are in place. It is pleasing that these reforms are taking shape concurrently at both a state and federal level, with new Labor governments working together to deliver greater opportunities for consumers that mirror the times that we live in.

To get to the point where we are today has taken significant effort, and I commend those who have worked behind the scenes to make this all happen. This bill is one cog in a reform system to empower consumers, and I am pleased to have this opportunity to commend it to the house.

The Hon. A. KOUTSANTONIS (West Torrens—Minister for Infrastructure and Transport, Minister for Energy and Mining) (16:33): I wish to thank the opposition and the house for the manner in which this debate has been conducted. This is an important national reform that was, again, a carryover that has been consistent in this parliament.

We are the lead legislator for these matters, and there has been a consistent bipartisan frame around the management of our National Electricity Rules, and this again continues that fine tradition of the opposition agreeing kindly to national reforms made, quite frankly, with their absence, and that is very difficult to do. I did that for four years, the former Liberal opposition did it for 16 years and the current opposition is off to a flying start again.

It is a difficult, difficult job for this parliament. We have it in two areas: we have it in energy and we have it also in transport. That is being conducted well. I would like to thank the opposition. With those concluding remarks, it is also the wish of the house to go into committee.

Bill read a second time.

Committee Stage

In committee.

Clause 1.

Mr PATTERSON: With regard to Consumer Data Right, we have spoken in many contributions about the importance of access to data for customers. I also mentioned some of the issues around data and the safe retention of that data. Could you give the committee some updates in terms of the data holders: are they required to store the customer's data in a secure environment? Is that either in the current rules or in the rules that are proposed to go with this amendment bill?

The Hon. A. KOUTSANTONIS: I am advised that there are 13 legally binding privacy safeguards contained within the Competition and Consumer Act 2010 to protect consumer data—consumer data rights and consumer data rights for energy. They set out the privacy rights and obligations for users of the scheme, including the requirement for a consumer's informed consent to collect, disclose, hold—which is the part you are interested in, which I think is now the topic du jour across the country, given what has happened with Optus—or the use of their consumer rights data. You should also note that the CDR for energy is an opt-in system. The privacy safeguards cover the following topics:

open and transparent management of CDR data by data holders and accredited data recipients. Accredited data recipients are accredited by the ACCC;

anonymity and pseudonymity of a consumer when dealing with ADR in relation to their CDR data;

the process for accredited data recipients seeking to collect a consumer's CDR data;

ADR use of unsolicited CDR data received without the consumer's consent;

ADR notification to the consumer when they collect the consumer's CDR data;

ADR use or disclosure of CDR data;

ADR use or disclosure of CDR data for direct marketing;

ADR overseas disclosure of CDR data;

ADR adoption or disclosure of government-related identifiers, which I assume are things that could identify you in terms of passports and any other information that might be relevant;

ADR and data holder notification of disclosure of CDR data;

ADR data holder obligations to ensure the quality of CDR data;

importantly, ADR obligations regarding security of CDR data and destruction or de-identification of redundant CDR data; and

ADR and data holder obligations to correct a consumer's CDR data in response to a request from the consumer.

That was just basically me reading out a series of acronyms that could be of some use to the house, but importantly (and I am happy to go backwards and forwards on this with the shadow minister) these data rights and rules are made under an act that is governed by the commonwealth government, which obviously has the regulatory agencies—Australian Signals Directorate, ASIS, ASIO and the other security agencies—at its disposal to ensure that the regulatory requirements in these Competition and Consumer (Consumer Data Rights) Rules are properly affiliated.

I understand and I am advised that there is a regular audit done by the appropriate minister of the accredited agencies that hold data that could be compromised or valuable to people, so there are a number of safeguards. As I said, the Competition and Consumer (Consumer Data Rights) Rules 2020, which are the CDR rules that we are discussing now, are made under that act. They supplement the privacy safeguards by prescribing further detail about their requirements.

The CDR rules provide the framework for how the CDR operates. That federal act operates a framework. They define the elements for consumer consent, outline the accreditation framework for the recipients of the data and elaborate on the privacy aspects of the CDR scheme. What we are basically doing is taking data consumed, generated at a state-based level, regulated by the states, and using the commonwealth legislation to protect the privacy of it because, quite frankly, they would be better equipped with the agencies at their disposal.

In addition to the obligations under that act and the privacy safeguards, data holders (the people who receive the data) must also comply with some key privacy obligations in the CDR rules, including:

providing consumer data request services, so we have to have a process for that;

disclosing CDR data in response to consumer data requests;

asking consumers to give or amend authorisations;

managing authorisations;

notifying consumers of certain matters in relation to data sharing arrangements; and

providing access to copies of records when requested by consumers.

In terms of protecting consumers' privacy, the commonwealth act governs the safeguard measures that are meant to be put in place. If at any time the ADRs, who are the recipients of this data, are unable to protect the consumers' privacy through an audit process, they have ongoing obligations consistent with the criteria. If they do not meet these requirements, the ACCC can suspend or cancel their accreditation.

Does that mean that there will not ever be a data breach? We have sovereign nations that are working overtime with the resources of sovereign nations to hack our data, and there are also state sponsors and bad actors involved here. Given the privacy provisions, I am satisfied, as is the national energy minister's body satisfied, as are the national agencies that govern this satisfied, that the data can be held securely.

I am happy to take any other questions the minister might have. If he has any other concerns, I am prepared to offer our officers offline or between houses to give the opposition a full briefing on the operation of that commonwealth act in terms of accrediting people who receive this data.

Mr PATTERSON: Thank you for that fulsome answer. I think it puts on notice for those data holders that to pass this legislation security of consumers should be front of mind. They are really the only questions I have for this bill, so we can move on that short title.

Clause passed.

Remaining clauses (2 to 7) and title passed.

Bill reported without amendment.

Third Reading

The Hon. A. KOUTSANTONIS (West Torrens—Minister for Infrastructure and Transport, Minister for Energy and Mining) (16:45): I move:

That this bill be now read a third time.

Bill read a third time and passed.