Competition and Consumer Act 2010
No. 51, 1974
Compilation No. 156
Compilation date: 11 December 2024
Includes amendments: Act No. 128, 2024, Act No. 136, 2024 and Act No. 137, 2024
This compilation is in 4 volumes
Volume 2: sections 55–110
Volume 3: sections 10.01–187
Volume 4: Schedules
Endnotes
Each volume has its own contents
About this compilation
This compilation
This is a compilation of the Competition and Consumer Act 2010 that shows the text of the law as amended and in force on 11 December 2024 (the compilation date).
The notes at the end of this compilation (the endnotes) include information about amending laws and the amendment history of provisions of the compiled law.
Uncommenced amendments
The effect of uncommenced amendments is not shown in the text of the compiled law. Any uncommenced amendments affecting the law are accessible on the Register (www.legislation.gov.au). The details of amendments made up to, but not commenced at, the compilation date are underlined in the endnotes. For more information on any uncommenced amendments, see the Register for the compiled law.
Application, saving and transitional provisions for provisions and amendments
If the operation of a provision or amendment of the compiled law is affected by an application, saving or transitional provision that is not included in this compilation, details are included in the endnotes.
Editorial changes
For more information about any editorial changes made in this compilation, see the endnotes.
Modifications
If the compiled law is modified by another law, the compiled law operates as modified but the modification does not amend the text of the law. Accordingly, this compilation does not show the text of the compiled law as modified. For more information on any modifications, see the Register for the compiled law.
Self‑repealing provisions
If a provision of the compiled law has been repealed in accordance with a provision of the law, details are included in the endnotes.
Contents
Part IVC—Payment surcharges
Division 1—Preliminary
55 Object of this Part
55A Definitions
Division 2—Limit on payment surcharges
55B Payment surcharges must not be excessive
Division 3—Information about payment surcharges
55C Surcharge information notices
55D Extending periods for complying with notices
55E Participant must comply with notice
Division 4—Infringement notices
55F Purpose and effect of this Division
55G Issuing an infringement notice
55H Matters to be included in an infringement notice
55J Amount of penalty
55K Effect of compliance with an infringement notice
55L Effect of failure to comply with an infringement notice
55M Infringement notice compliance period for infringement notice
55N Withdrawal of an infringement notice
Part IVD—Consumer data right
Division 1—Preliminary
Subdivision A—Object and simplified outline
56AA Object of this Part
56AB Simplified outline
Subdivision B—Designating sectors, and declaring actions, to which the consumer data right applies
56AC Designated sectors subject to the consumer data right
56ACA Declared types of actions that can be initiated under the consumer data rules
56AD Minister’s tasks before designating a sector or declaring actions etc.
56AE Secretary must arrange for analysis, consultation and report about an instrument proposing to designate a sector or declare actions
56AEA Commission must analyse an instrument proposing to designate a sector or declare actions
56AF Information Commissioner must analyse and report about an instrument proposing to designate a sector or declare actions
56AH Other matters
Subdivision C—Meanings of key terms
56AI Meanings of CDR data, directly or indirectly derived and CDR consumer
56AJ Meaning of data holder
56AK Meaning of accredited data recipient
56AL Meanings of CDR participant and designated gateway
56AM Meanings of chargeable CDR data, chargeable circumstances and fee‑free CDR data
56AMA Meanings of CDR action and CDR declaration
56AMB Meanings of action service provider and voluntary action service provider
56AMC Meaning of accredited action initiator
56AMD Meaning of CDR action participant
Subdivision D—Extension to external Territories and extraterritorial operation
56AN Extension to external Territories
56AO Extraterritorial operation of the CDR provisions
56AP Geographical application of offences
Subdivision E—Application to government entities
56AQ CDR provisions bind the Crown
56AR Government entities may participate under this Part
56AS Participating government entities of a State or Territory—declaration
56AT Participating government entities of a State or Territory—revocation
Subdivision F—Application to acts done by or in relation to agents etc. of CDR entities
56AU Acts done by or in relation to agents etc. of CDR entities
Division 2—Consumer data right
Subdivision A—Power to make consumer data rules
56BA Minister may make consumer data rules
56BAA Rules must include requirement to delete CDR data on request from CDR consumer
56BB Matters that the consumer data rules may deal with
56BC Rules about disclosure, collection, use, accuracy, storage, security or deletion of CDR data for which there are CDR consumers
56BD Limitations for rules about CDR data for which there are CDR consumers
56BE Rules about disclosure, collection, use, accuracy, storage, security or deletion of product data
56BF Limitations for rules about product data
56BG Rules about designated gateways
56BGA Rules about initiating CDR actions
56BH Rules about accreditation for the purposes of this Part
56BHA Rules about approving persons to be voluntary action service providers for types of CDR actions
56BI Rules about reporting, record keeping and auditing
56BJ Rules about incidental or related matters
56BK Further limitations on the consumer data rules
Subdivision B—Compliance with consumer data rules
56BL Obligation to comply with consumer data rules
56BM Infringement notices
56BN Misleading or deceptive conduct—offence
56BO Misleading or deceptive conduct—civil penalty
Subdivision C—Process for making consumer data rules etc.
56BP Minister’s tasks before making the rules
56BQ Secretary must arrange for consultation and report before the rules are made
56BR Commission and Information Commissioner must analyse the proposed rules
56BS Emergency rules: public consultation not required etc.
56BT Emergency rules: consequences if made
56BTA Other matters
Subdivision D—Fees for disclosing CDR data
56BU Charging a fee in inappropriate circumstances when required to disclose CDR data
56BV Commission may intervene if fee for disclosing or using chargeable CDR data is unreasonable etc.
Subdivision E—Effective initiation and non‑discriminatory performance of CDR actions
56BZA Accredited persons must act efficiently, honestly and fairly when initiating CDR actions etc.
56BZB Accredited persons must only initiate CDR actions in accordance with CDR consumers’ valid requests etc.
56BZC No discrimination against CDR action instructions—service provider fails to perform CDR actions when it ordinarily performs actions of that type
56BZD No discrimination against CDR action instructions—service provider’s fees relating to CDR actions
56BZE Commission may intervene if fee for processing a valid instruction for a CDR action is unreasonable
Subdivision F—Review by the Tribunal of determinations about certain fees
56BZF Review by the Tribunal of determinations about fees of particular participants or providers
56BZG Functions and powers of Tribunal
56BZH Provisions that do not apply in relation to a Tribunal review
Subdivision G—Prohibitions on holding out
56BZI Prohibition on holding out that a person is something they are not—offence
56BZJ Prohibition on holding out that a person is something they are not—civil penalty
Division 3—Accreditation etc.
Subdivision A—Accreditation process
56CA Granting accreditations
56CB Review of decisions refusing to accredit
Subdivision B—Register of Accredited Persons
56CE Register of Accredited Persons
56CF Evidentiary value of the register
Subdivision C—CDR Accreditor
56CG Appointment of the CDR Accreditor
56CH Functions, powers and annual report
56CI Directions by Minister
56CJ Delegation
Subdivision D—Accreditation Registrar
56CK Appointment of the Accreditation Registrar
56CL Functions, powers and annual report
56CM Directions by Minister
56CN Delegation
Division 4—External dispute resolution
56DA Minister may recognise external dispute resolution schemes
Division 5—Privacy safeguards
Subdivision A—Preliminary
56EA Simplified outline
56EB Kinds of CDR data to which the privacy safeguards apply
56EC Relationship with other laws
Subdivision B—Consideration of CDR data privacy
56ED Privacy safeguard 1—open and transparent management of CDR data
56EE Privacy safeguard 2—anonymity and pseudonymity
Subdivision C—Collecting CDR data
56EF Privacy safeguard 3—soliciting CDR data from participants under the consumer data rules
56EG Privacy safeguard 4—dealing with unsolicited CDR data from participants in CDR
56EH Privacy safeguard 5—notifying of the collection of CDR data
Subdivision D—Dealing with CDR data
56EI Privacy safeguard 6—use or disclosure of CDR data by accredited data recipients or designated gateways
56EJ Privacy safeguard 7—use or disclosure of CDR data for direct marketing by accredited data recipients or designated gateways
56EK Privacy safeguard 8—overseas disclosure of CDR data by accredited data recipients
56EL Privacy safeguard 9—adoption or disclosure of government related identifiers by accredited data recipients
56EM Privacy safeguard 10—notifying of the disclosure of CDR data
Subdivision E—Integrity of CDR data
56EN Privacy safeguard 11—quality of CDR data
56EO Privacy safeguard 12—security of CDR data, and destruction or de‑identification of redundant CDR data
Subdivision F—Correction of CDR data
56EP Privacy safeguard 13—correction of CDR data
Subdivision G—Compliance with the privacy safeguards
56EQ Information Commissioner to promote compliance etc.
56ER Information Commissioner may conduct an assessment relating to the management and handling of CDR data
56ES Notification of CDR data security breaches
56ET Investigating breaches of the privacy safeguards etc.
56EU Civil penalty provisions
56EV Civil penalty provisions—maximum amount of penalty
56EW Enforceable undertakings
56EX Injunctions
56EY Actions for damages
56EZ Delegation to the Commission etc.
Division 6—Data standards etc.
Subdivision A—Data standards
56FA Making data standards
56FB What data standards can set out etc.
56FC Data standards must be published
56FD Legal effect of data standards
56FE Enforcement of binding data standards
Subdivision B—Data Standards Chair
56FF Data Standards Chair
56FG Appointment of the Data Standards Chair
56FH Functions and powers of the Data Standards Chair
56FI Directions by Minister
Subdivision C—Data Standards Body
56FJ Appointment of the Data Standards Body
56FK Function and powers of the Data Standards Body
Subdivision D—Administrative provisions
56FL Acting appointments
56FM Terms and conditions
56FN Remuneration
56FO Leave
56FP Application of the finance law etc.
56FQ Resignation
56FR Termination of appointment
56FS Delegation
Division 7—Other matters
56GA CDR functions of the Information Commissioner
56GAA Delegation by the Minister or the Secretary
56GAB Concurrent operation of other laws
56GB Referring to instruments as in force from time to time
56GC Complying with CDR requirements etc.: protection from liability
56GD Exemptions by the Commission
56GE Exemptions and modifications by regulations
56GF Application of the CDR provisions
56GG Compensation for acquisition of property
56GH Review of the operation of this Part
Part IVE—Motor vehicle service and repair information sharing scheme
Division 1—Objects of Part and simplified outline
57AA Objects of Part
57AB Simplified outline
Division 2—Key concepts
57BA Meaning of scheme vehicle
57BB Meaning of Australian repairer
57BC Meaning of scheme RTO and RTO course
57BD Meaning of scheme information
57BE Meaning of data provider
57BF Meaning of safety and security information
57BG Supply of scheme information between related bodies corporate
Division 3—Supply of scheme information
57CA Scheme information—offer to supply to Australian repairers and scheme RTOs
57CB Scheme information—supply on request by Australian repairers or scheme RTOs
57CC Scheme information—terms and conditions of supply and use
57CD Scheme information—interaction of supply obligations and other rights and obligations
Division 4—Information management
57DA Safety and security information—packaging
57DB Safety and security information—supply to Australian repairers and scheme RTOs
57DC Safety and security information—use or disclosure of sensitive information
57DD Safety and security information—storage of, and access to, sensitive information
57DE Security information—records of access
Division 5—Dispute resolution
57EA Scope of Division
57EB Resolving disputes
57EC Right to bring proceedings unaffected
57ED Attempt to resolve dispute before mediation
57EE When is a party taken to have tried to resolve a dispute?
57EF Mediation
57EG Termination of mediation
57EH Costs of mediation
Division 6—Motor vehicle service and repair information scheme adviser
57FA Scheme adviser—establishment and appointment
57FB Scheme adviser—functions
Division 7—Miscellaneous
57GA Civil penalty provisions
57GB Infringement notices
57GC Concurrent operation of State and Territory laws
57GD Acquisition of property
57GE Scheme rules
Part V—Carbon tax price reduction obligation
Division 1—Preliminary
60 Simplified outline of this Part
60AA Objects etc.
60A Definitions
60B Regulated goods
Division 2—Carbon tax price reduction obligation
60C Price exploitation in relation to the carbon tax repeal
60CA Failure to pass on cost savings—250% penalty
60D Notice to entity that is considered to have engaged in price exploitation in relation to the carbon tax repeal
60E Commission may issue notice to aid prevention of price exploitation in relation to the carbon tax repeal
60F Acquisition of property
Division 2A—Carbon tax removal substantiation notices
60FA Carbon tax removal substantiation notices
60FB Extending periods for complying with carbon tax removal substantiation notices
60FC Compliance with carbon tax removal substantiation notices
Division 2B—Carbon tax removal substantiation statements
60FD Carbon tax removal substantiation statements
Division 2C—Statements for customers
60FE Statements for customers
Division 3—Price monitoring in relation to the carbon tax repeal etc.
60G Commission may monitor prices in relation to the carbon tax repeal etc.
60H Information‑gathering powers
60J Reporting
Division 4—False or misleading representations about the effect of the carbon tax repeal etc. on prices
60K False or misleading representations about the effect of the carbon tax repeal etc. on prices
Division 5—Infringement notices
60L Issuing an infringement notice
60M Effect of compliance with an infringement notice
60N Effect of failure to comply with an infringement notice
60P Infringement notice compliance period for infringement notice
60Q Withdrawal of an infringement notice
60R Effect of this Division
Part VI—Enforcement and remedies
75B Interpretation
76 Pecuniary penalties
76A Defence to proceedings under section 76 relating to a contravention of section 92
76B Consequences in some cases if substantially the same conduct contravenes a provision of this Act and is an offence
77 Civil action for recovery of pecuniary penalties
77A Indemnification of officers
77B Certain indemnities not authorised and certain documents void
77C Application of section 77A to a person other than a body corporate
78 Criminal proceedings not to be brought for contraventions of Part IV
79 Offences against section 45AF or 45AG
79A Enforcement and recovery of certain fines
79B Preference must be given to compensation for victims
80 Injunctions
80A Price exploitation in relation to the carbon tax repeal—orders limiting prices or requiring refunds of money
80AB Stay of injunctions
80AC Injunctions to prevent mergers if authorisation granted on the basis of false or misleading information
81 Divestiture where merger contravenes section 50 or 50A
81A Divestiture where merger done under authorisation granted on false etc. information
82 Actions for damages
83 Findings and admissions of fact in proceedings to be evidence
84 Conduct by directors, employees or agents
85 Defences
86 Jurisdiction of courts
86AA Limit on jurisdiction of Federal Circuit and Family Court of Australia (Division 2)
86A Transfer of matters
86C Non‑punitive orders
86D Punitive orders—adverse publicity
86E Order disqualifying a person from managing corporations
86F Privilege against exposure to penalty—disqualification from managing corporations
87 Other orders
87AA Special provision relating to Court’s exercise of powers under this Part in relation to boycott conduct
87B Enforcement of undertakings
87C Enforcement of undertakings—Secretary of the Department
87CA Intervention by Commission
Part VIA—Proportionate liability for misleading and deceptive conduct
87CB Application of Part
87CC Certain concurrent wrongdoers not to have benefit of apportionment
87CD Proportionate liability for apportionable claims
87CE Defendant to notify plaintiff of concurrent wrongdoer of whom defendant aware
87CF Contribution not recoverable from defendant
87CG Subsequent actions
87CH Joining non‑party concurrent wrongdoer in the action
87CI Application of Part
Part VIB—Claims for damages or compensation for death or personal injury
Division 1—Introduction
87D Definitions
87E Proceedings to which this Part applies
Division 2—Limitation periods
87F Basic rule
87G Date of discoverability
87H Long‑stop period
87J The effect of minority or incapacity
87K The effect of close relationships
Division 3—Limits on personal injury damages for non‑economic loss
87L Limits on damages for non‑economic loss
87M Maximum amount of damages for non‑economic loss
87N Index numbers
87P Most extreme cases
87Q Cases of 33% or more (but not 100%) of a most extreme case
87R Cases of 15% or more (but less than 33%) of a most extreme case
87S Cases of less than 15% of a most extreme case
87T Referring to earlier decisions on non‑economic loss
Division 4—Limits on personal injury damages for loss of earning capacity
87U Personal injury damages for loss of earning capacity
87V Average weekly earnings
Division 5—Limits on personal injury damages for gratuitous attendant care services
87W Personal injury damages for gratuitous attendant care services for plaintiff
87X Personal injury damages for loss of plaintiff’s capacity to provide gratuitous attendant care services
Division 6—Other limits on personal injury damages
87Y Damages for future economic loss—discount rate
87Z Damages for loss of superannuation entitlements
87ZA Interest on damages
87ZB Exemplary and aggravated damages
Division 7—Structured settlements
87ZC Court may make orders under section 87 for structured settlements
Part VII—Authorisations and notifications
Division 1—Authorisations
87ZP Definitions
88 Commission may grant authorisations
89 Procedure for applications and the keeping of a register
90 Determination of applications for authorisations
90A Commission to afford opportunity for conference before determining application for authorisation
90B Commission may rely on consultations undertaken by the AEMC
91 Grant and variation of authorisations
91A Minor variations of authorisations
91B Revocation of an authorisation
91C Revocation of an authorisation and substitution of a replacement
92 Providing false or misleading information
Division 2—Notifications
Subdivision A—Exclusive dealing and resale price maintenance
93 Notification of exclusive dealing or resale price maintenance
93AAA Imposing conditions relating to notifications
Subdivision B—Collective bargaining
93AA Definitions
93AB Notification of collective bargaining
93AC Commission’s objection notice
93ACA Imposing conditions relating to collective boycott conduct
93AD When collective bargaining notice comes into force and ceases to be in force
93AE Withdrawal of collective bargaining notice
93AEA Only 1 collective bargaining notice under subsection 93AB(1A) may be given
93AF Only 1 collective bargaining notice under subsection 93AB(1) may be given
93AG Stop notice for collective boycott conduct
Subdivision C—Conferences
93A Commission to afford opportunity for conference before giving notice
Subdivision D—Register of notifications
95 Register of notifications
Division 3—Class exemptions
95AA Commission may determine class exemptions
95AB Commission may withdraw the benefit of class exemption in particular case
Part VIIA—Prices surveillance
Division 1—Preliminary
95A Interpretation
95B Exempt supplies
95C Application of Part
95D Crown to be bound
95E Object of this Part
95F Simplified overview of this Part
Division 2—Commission’s functions under this Part
95G Commission’s functions under this Part
Division 3—Price inquiries
Subdivision A—Holding of inquiries
95H Price inquiries
95J Content of inquiry notices
95K Period for completing inquiry
95L Notice of holding of inquiry
95M Notice of extension of period for completing inquiry
95N Price restrictions
Subdivision B—Reports on inquiries
95P Copies of report to be made available
95Q Notification of proposed prices after receipt of report
Subdivision C—Procedure at inquiries
95R Public inquiries etc.
95S Taking of evidence on oath or affirmation
95T Failure of witness to attend
95U Refusal to be sworn or to answer question
95V Protection of witnesses
95W Allowances to witnesses
Division 4—Price notifications
95X Declarations by Minister or Commission
95Y Declarations in relation to State or Territory authorities
95Z Price restrictions
95ZA Later notices modifying a locality notice
95ZB Applicable period in relation to a locality notice
95ZC Register of price notifications
95ZD Delegation by Commission
Division 5—Price monitoring
95ZE Directions to monitor prices, costs and profits of an industry
95ZF Directions to monitor prices, costs and profits of a business
95ZG Exceptions to price monitoring
Division 6—Other provisions
95ZH Ministerial directions
95ZI Inquiries by an unincorporated body or a group of 2 or more individuals
95ZJ Withdrawal of notices
95ZK Power to obtain information or documents
95ZL Inspection of documents etc.
95ZM Retention of documents
95ZN Confidential information
95ZO Immunity
95ZP Secrecy: members or staff members of the Commission etc.
95ZPA Disclosure of protected information to the Energy Department
95ZQ Secrecy: persons involved in inquiries by bodies other than the Commission
Part VIII—Resale price maintenance
96 Acts constituting engaging in resale price maintenance
96A Resale price maintenance in relation to services
97 Recommended prices
98 Withholding the supply of goods
99 Statements as to the minimum price of goods
100 Evidentiary provisions
Part IX—Review by Tribunal of Determinations of Commission
Division 1—Applications for review
101 Applications for review
101A Application for review of notices under Division 2 of Part VII
101B Application for review of notice under section 95AB
102 Functions and powers of Tribunal
Division 2—Procedure and Evidence
103 Procedure generally
104 Regulations as to certain matters
105 Power to take evidence on oath
106 Hearings to be in public except in special circumstances
107 Evidence in form of written statement
108 Taking of evidence by single member
109 Participants in proceedings before Tribunal
110 Representation
The object of this Part is to ensure that payment surcharges:
(a) are not excessive; and
(b) reflect the cost of using the payment methods for which they are charged.
In this Part:
excessive, in relation to a payment surcharge, has the meaning given by subsection 55B(2).
infringement notice compliance period has the meaning given by subsection 55M(1).
listed corporation has the meaning given by section 9 of the Corporations Act 2001.
payment surcharge means:
(a) an amount charged, in addition to the price of goods or services, for processing payment for the goods or services; or
(b) an amount (however described) charged for using one payment method rather than another.
Reserve Bank standard means a standard determined under section 18 of the Payment Systems (Regulation) Act 1998 after the commencement of this definition.
surcharge information notice has the meaning given by subsection 55C(3).
surcharge participant has the meaning given by subsection 55C(2).
Division 2—Limit on payment surcharges
55B Payment surcharges must not be excessive
(1) A corporation must not, in trade or commerce, charge a payment surcharge that is excessive.
(2) A payment surcharge is excessive if:
(a) the surcharge is for a kind of payment covered by:
(i) a Reserve Bank standard; or
(ii) regulations made for the purposes of this subparagraph; and
(b) the amount of the surcharge exceeds the permitted surcharge referred to in the Reserve Bank standard or the regulations.
(3) Subsection (1) does not apply to a corporation who is exempted from its operation by the regulations.
Division 3—Information about payment surcharges
55C Surcharge information notices
(1) The Commission may, by written notice given to a surcharge participant, require the participant to give to the Commission information or documents evidencing either or both of the following:
(a) the amount of a payment surcharge;
(b) the cost of processing a payment in relation to which a payment surcharge was paid.
(2) A corporation is a surcharge participant if, in trade or commerce, the corporation:
(a) charges a payment surcharge; or
(b) processes a payment for which a payment surcharge is charged.
(3) The notice given by the Commission to the surcharge participant is a surcharge information notice.
(4) The surcharge information notice must specify:
(a) the kinds of information or documents to be given to the Commission; and
(b) the period for giving the information or documents.
55D Extending periods for complying with notices
(1) A surcharge participant that has been given a notice under section 55C may, at any time within 21 days after the notice was given to the participant, apply in writing to the Commission for an extension of the period for complying with the notice.
(2) The Commission may, by written notice given to the surcharge participant, extend the period within which the participant must comply with the notice.
55E Participant must comply with notice
(1) A surcharge participant commits an offence if:
(a) the surcharge participant is given a surcharge information notice; and
(b) the surcharge participant fails to comply with the notice within the period for so complying.
Penalty: 30 penalty units.
(2) Subsection (1) is an offence of strict liability.
Note: Sections 137.1 and 137.2 of the Criminal Code create offences for providing false or misleading information or documents.
Division 4—Infringement notices
55F Purpose and effect of this Division
(1) The purpose of this Division is to provide for the issue of an infringement notice to a person for an alleged contravention of section 55B as an alternative to proceedings for an order under section 76 for the payment of a pecuniary penalty.
(2) This Division does not:
(a) require an infringement notice to be issued to a person for an alleged contravention of section 55B; or
(b) affect the liability of a person to proceedings under section 76 in relation to an alleged contravention of section 55B if:
(i) an infringement notice is not issued to the person for the contravention; or
(ii) an infringement notice issued to the person for the contravention is withdrawn under section 55N; or
(c) prevent a court from imposing a higher penalty than the penalty specified in the infringement notice if the person does not comply with the notice.
55G Issuing an infringement notice
(1) If the Commission has reasonable grounds to believe that a person has contravened section 55B, the Commission may issue an infringement notice to the person.
(2) The Commission must not issue more than one infringement notice to the person for the same alleged contravention of section 55B.
(3) The infringement notice does not have any effect if the notice:
(a) is issued more than 12 months after the day that the contravention of section 55B is alleged to have occurred; or
(b) relates to more than one alleged contravention of section 55B by the person.
55H Matters to be included in an infringement notice
(1) An infringement notice must:
(a) be identified by a unique number; and
(b) state the day on which it is issued; and
(c) state the name and address of the person to whom it is issued; and
(d) identify the Commission and state how it may be contacted; and
(e) give details of the alleged contravention, including the day of the alleged contravention; and
(f) state the maximum pecuniary penalty that the court could order the person to pay under section 76 for the alleged contravention; and
(g) specify the penalty that is payable in relation to the alleged contravention; and
(h) state that the penalty is payable within the infringement notice compliance period for the notice; and
(i) state that the penalty is payable to the Commission on behalf of the Commonwealth; and
(j) explain how payment of the penalty is to be made; and
(k) explain the effect of sections 55K, 55L, 55M and 55N.
The penalty to be specified in an infringement notice that is to be issued to a person in relation to an alleged contravention of section 55B must be:
(a) if the person is a listed corporation—600 penalty units; or
(b) if the person is a body corporate other than a listed corporation—60 penalty units; or
(c) if the person is not a body corporate—12 penalty units.
55K Effect of compliance with an infringement notice
(1) This section applies if:
(a) an infringement notice for an alleged contravention of section 55B is issued to a person; and
(b) the person pays the penalty specified in the infringement notice within the infringement notice compliance period and in accordance with the notice; and
(c) the infringement notice is not withdrawn under section 55N.
(2) The person is not, merely because of the payment, regarded as having contravened section 55B.
(3) No proceedings (whether criminal or civil) may be started or continued against the person, by or on behalf of the Commonwealth, in relation to the alleged contravention of section 55B.
55L Effect of failure to comply with an infringement notice
If:
(a) an infringement notice for an alleged contravention of section 55B is issued to a person; and
(b) the person fails to pay the penalty specified in the infringement notice within the infringement notice compliance period and in accordance with the notice; and
(c) the infringement notice is not withdrawn under section 55N;
the person is liable to proceedings under section 76 in relation to the alleged contravention of section 55B.
55M Infringement notice compliance period for infringement notice
(1) Subject to this section, the infringement notice compliance period for an infringement notice is the period of 28 days beginning on the day after the day that the infringement notice is issued by the Commission.
(2) The Commission may extend, by notice in writing, the infringement notice compliance period for the infringement notice if the Commission is satisfied that it is appropriate to do so.
(3) Only one extension may be given and the extension must not be for longer than 28 days.
(4) Notice of the extension must be given to the person who was issued the infringement notice.
(5) A failure to comply with subsection (4) does not affect the validity of the extension.
(6) If the Commission extends the infringement notice compliance period for an infringement notice, a reference in this Division to the infringement notice compliance period for an infringement notice is taken to be a reference to the infringement notice compliance period as so extended.
55N Withdrawal of an infringement notice
Representations to the Commission
(1) A person to whom an infringement notice has been issued for an alleged contravention of section 55B may make written representations to the Commission seeking the withdrawal of the infringement notice.
(2) Evidence or information that the person, or a representative of the person, gives to the Commission in the course of making representations under subsection (1) is not admissible in evidence against the person or representative in any proceedings (other than proceedings for an offence based on the evidence or information given being false or misleading).
Withdrawal by the Commission
(3) The Commission may, by written notice (the withdrawal notice) given to the person to whom an infringement notice was issued, withdraw the infringement notice if the Commission is satisfied that it is appropriate to do so.
(4) Subsection (3) applies whether or not the person has made representations seeking the withdrawal.
Content of withdrawal notices
(5) The withdrawal notice must state:
(a) the name and address of the person; and
(b) the day on which the infringement notice was issued to the person; and
(c) that the infringement notice is withdrawn; and
(d) that proceedings under section 76 may be started or continued against the person in relation to the alleged contravention of section 55B.
Time limit for giving withdrawal notices
(6) To be effective, the withdrawal notice must be given to the person within the infringement notice compliance period for the infringement notice.
Refunds
(7) If the infringement notice is withdrawn after the person has paid the penalty specified in the infringement notice, the Commission must refund to the person an amount equal to the amount paid.
Subdivision A—Object and simplified outline
The object of this Part is:
(a) to enable consumers in certain sectors of the Australian economy to require information relating to themselves in those sectors to be disclosed safely, efficiently and conveniently:
(i) to themselves for use as they see fit; or
(ii) to accredited persons for use subject to privacy safeguards; and
(b) to enable any person to efficiently and conveniently access information in those sectors that:
(i) is about goods (such as products) or services; and
(ii) does not relate to any identifiable, or reasonably identifiable, consumers; and
(ba) to enable consumers in those sectors to request accredited persons to give instructions:
(i) safely, efficiently and conveniently on behalf of the consumers; and
(ii) to service providers in those sectors;
for the performance of actions; and
(c) as a result of paragraphs (a) to (ba), to create more choice and competition, or to otherwise promote the public interest.
Rules made under this Part may:
(a) enable consumers in certain sectors of the Australian economy to require information relating to themselves in those sectors to be disclosed to themselves or to accredited persons; and
(b) enable any person to be disclosed information in those sectors that is about goods (such as products) or services, and does not relate to any identifiable, or reasonably identifiable, consumers; and
(c) enable consumers in those sectors to request accredited persons to give instructions on behalf of the consumers to service providers in those sectors for the performance of actions; and
(d) require these kinds of disclosures and other things to be done, and these kinds of instructions to be given, in accordance with data standards.
This Part regulates the instruction layer associated with instructions for the performance of actions, which includes regulating requests for instructions, the giving of instructions, and how service providers process instructions.
A service provider given an instruction under the rules to perform an action must do so if the provider ordinarily performs actions of that type in the course of its business. Otherwise, this Part contains little regulation of the action layer (that is, regulating how service providers perform actions they are instructed to do). For example, the provider can perform the action, and charge any fees, in the way it ordinarily does.
A register is to be kept of accredited persons.
Privacy safeguards apply. These mainly apply to accredited persons who, under those rules, are disclosed information relating to identifiable, or reasonably identifiable, consumers.
Subdivision B—Designating sectors, and declaring actions, to which the consumer data right applies
56AC Designated sectors subject to the consumer data right
Designating a sector
(1) A designated sector means a sector of the Australian economy designated under subsection (2).
(2) The Minister may, by legislative instrument, designate a sector of the Australian economy by specifying:
(a) classes of information (the designated information); and
(b) persons who hold information within those classes of information (or on whose behalf such information is held); and
(c) the earliest day (the earliest holding day) applicable to the sector for holding the designated information; and
(d) each of the classes of information within the designated information for which a person may charge a fee if:
(i) the person is required under the consumer data rules to disclose information within that class to another person in specified circumstances; or
(ii) another person uses information within that class in specified circumstances as the result of a disclosure required of the first‑mentioned person under the consumer data rules; and
(e) if the sector is to have one or more gateways:
(i) the particular persons who are gateways; and
(ii) for each of those persons, the classes of information within the designated information for which the person is a gateway.
Note 1: The persons specified under paragraph (b):
(a) may be specified by class (see subsection 13(3) of the Legislation Act 2003); and
(b) will be holders of the information, rather than the consumers to whom the information relates; and
(c) may not be the only holders of the information who can be required to disclose it under the consumer data rules (see section 56AJ (about the meaning of data holder)).
Note 2: While a class of information specified under paragraph (d) or (e) needs to be of the information specified under paragraph (a), it need not be the same class as a class specified under paragraph (a).
Note 3: Subparagraph (e)(i) allows only particular persons to be specified, not classes of persons.
Note 4: For variation and repeal, see subsection 33(3) of the Acts Interpretation Act 1901.
Geographical limitation on information that can be designated
(3) Despite paragraph (2)(a), treat a class of information specified as described in that paragraph as only including so much of the information in that class as:
(a) has at any time been generated or collected wholly or partly in Australia or the external Territories, and:
(i) has been so generated or collected by (or on behalf of) one or more Australian persons; or
(ii) relates to one or more Australian persons (other than the persons who so generated or collected it); or
(iii) relates to goods or services supplied, or offered for supply, to one or more Australian persons; or
(b) has only ever been generated and collected outside of Australia and the external Territories, and:
(i) has been so generated or collected by (or on behalf of) one or more Australian persons; and
(ii) relates to one or more Australian persons (other than the persons who so generated or collected it), or relates to goods or services supplied, or offered for supply, to one or more Australian persons.
In this subsection, Australian person has the same meaning as in subsection 56AO(5).
Limitation on the earliest holding day
(4) While the earliest holding day may be before the day the instrument under subsection (2) is made, the earliest holding day must not be earlier than the first day of the calendar year that is 2 years before the calendar year in which that instrument is made.
Example: The instrument is made on 1 July 2020. The earliest holding day could be 1 January 2018, but not before.
Note: The earliest holding day helps to work out if a person is a data holder of information specified under paragraph (2)(a), and so whether that information is subject to the consumer data right.
56ACA Declared types of actions that can be initiated under the consumer data rules
The Minister may, by legislative instrument, declare:
(a) one or more types of actions for which an instruction may be given under the consumer data rules; and
(b) for each of those action types—the classes of data holders, of CDR data, that are to be action service providers for that type of action.
Note: The classes of data holders specified for an action type will have no choice about being action service providers for that action type.
56AD Minister’s tasks before designating a sector or declaring actions etc.
(1) Before making an instrument under subsection 56AC(2) or section 56ACA, the Minister must consider all of the following:
(a) the likely effect of making the instrument on:
(i) the interests of consumers; and
(ii) the efficiency of relevant markets; and
(iii) the privacy or confidentiality of consumers’ information; and
(iv) promoting competition; and
(v) promoting data‑driven innovation; and
(vi) any intellectual property in the information, or relating to the types of actions, to be covered by the instrument; and
(vii) the public interest;
(b) the likely regulatory impact of allowing the consumer data rules to impose requirements relating to the information, or types of actions, to be covered by the instrument;
(c) for an instrument under subsection 56AC(2)—the following matters when considering whether to specify a class of information, as described in paragraph 56AC(2)(d), in the instrument:
(i) whether not specifying that class could result in an acquisition of property (within the meaning of paragraph 51(xxxi) of the Constitution) otherwise than on just terms (within the meaning of that paragraph);
(ii) whether holders of information within that class currently charge a fee for disclosing such information;
(iii) whether the incentive to generate, collect, hold or maintain information within that class would be reduced if that class were not so specified;
(iv) the marginal cost of the disclosures required under the consumer data rules of information within that class;
(d) for an instrument under subsection 56AC(2)—whether one or more gateways need to be specified in the instrument in order to facilitate access to the information to be covered by the instrument;
(e) any other matters the Minister considers relevant.
Note: The consumers could be individuals or other persons such as companies (see also subsection 56AI(4)).
(2) Before making an instrument under subsection 56AC(2) or section 56ACA, the Minister must:
(a) be satisfied that the Secretary of the Department has complied with section 56AE in relation to the making of the instrument; and
(b) wait at least 60 days after the day the Secretary publishes the report relating to the making of the instrument (see section 56AE).
(3) Before making an instrument under subsection 56AC(2) or section 56ACA, the Minister must consult the Information Commissioner about the likely effect of making the instrument on the privacy or confidentiality of consumers’ information.
56AE Secretary must arrange for analysis, consultation and report about an instrument proposing to designate a sector or declare actions
(1) The Secretary of the Department complies with this section in relation to the making of an instrument under subsection 56AC(2) or section 56ACA if the Secretary arranges for all of the following:
(a) an analysis of the matters in paragraphs 56AD(1)(a) to (e) in relation to the instrument;
(b) public consultation about those matters in relation to the instrument:
(i) for at least 28 days; and
(ii) in one or more ways that include making information available on the Department’s website and inviting the public to comment;
(c) consultation with each of the following about those matters in relation to the instrument:
(i) the Commission;
(ii) the Information Commissioner;
(iii) for an instrument under subsection 56AC(2)—the person or body (if any) that the Secretary believes to be the primary regulator of the sector that the instrument would designate;
(iiia) for an instrument under section 56ACA—a person or body (if any) that the Secretary believes to be a regulator of a type of actions that the instrument would declare;
(iv) any person or body prescribed by the regulations;
(d) the preparation of a report for the Minister about that analysis and consultation.
(2) The Secretary must publish the report on the Department’s website.
56AEA Commission must analyse an instrument proposing to designate a sector or declare actions
When the Commission is consulted under subparagraph 56AE(1)(c)(i), the Commission must analyse the matters in paragraphs 56AD(1)(a) to (d) in relation to the instrument.
56AF Information Commissioner must analyse and report about an instrument proposing to designate a sector or declare actions
(1) When the Information Commissioner is consulted under subsection 56AD(3), the Information Commissioner must:
(a) analyse the likely effect of making the instrument on the privacy or confidentiality of consumers’ information; and
(b) report to the Minister about that analysis.
(2) The Information Commissioner must publish the report on the Information Commissioner’s website, except for any excluded part of the report.
(3) In deciding whether or not to exclude a part of the report from publication, the Information Commissioner must:
(a) have regard to the need to prevent the matters in subsection 33(2) of the Privacy Act 1988; and
(b) try to achieve an appropriate balance between the need to prevent those matters and the desirability of ensuring that interested persons are sufficiently informed of the Information Commissioner’s analysis in the report.
A failure to comply with section 56AD, 56AE, 56AEA or 56AF does not invalidate an instrument made under subsection 56AC(2) or section 56ACA.
Subdivision C—Meanings of key terms
56AI Meanings of CDR data, directly or indirectly derived and CDR consumer
Meaning of CDR data
(1) CDR data is:
(a) information that is within a class of information specified, as described in paragraph 56AC(2)(a), in an instrument designating a sector under subsection 56AC(2); or
(aa) information that:
(i) relates to a CDR consumer for a CDR action; and
(ii) an accredited action initiator for CDR actions of that type is authorised by the consumer data rules to use, or disclose, to prepare or give a valid instruction for the performance of the CDR action on behalf of the CDR consumer; or
(b) information that is not covered by paragraph (a) or (aa) of this subsection, but is wholly or partly derived from information covered by:
(i) paragraph (a) or (aa) of this subsection; or
(ii) a previous application of this paragraph.
Note 1: Geographical limitations may cause some information within a class specified as described in paragraph 56AC(2)(a) to be disregarded (see subsection 56AC(3)), which means it will not be CDR data.
Note 2: Information covered by paragraph (b) includes information derived from information covered by paragraph (a) or (aa), information derived from that derived information, and so on.
Note 3: Information covered by paragraph (b), for which there is a CDR consumer, cannot be required to be disclosed under the consumer data rules (see subsection 56BD(1)).
Note 4: Only certain kinds of CDR data for which there are no CDR consumers (also known as product data) can be required to be disclosed under the consumer data rules (see subsection 56BF(1)).
Meaning of directly or indirectly derived
(2) CDR data is directly or indirectly derived from other CDR data if the first‑mentioned CDR data is wholly or partly derived from the other CDR data after one or more applications of paragraph (1)(b).
Meaning of CDR consumer for CDR data
(3) A person is a CDR consumer for CDR data if:
(a) the CDR data relates to the person because:
(i) of the supply of a good or service to the person or to one or more of the person’s associates (within the meaning of section 318 of the Income Tax Assessment Act 1936); or
(ii) of circumstances of a kind prescribed by the regulations; and
(b) the CDR data is held by another person who:
(i) is a data holder of the CDR data; or
(ii) is an accredited data recipient of the CDR data; or
(iia) is holding the CDR data as an action service provider for a type of CDR action; or
(iii) is holding the CDR data on behalf of a person mentioned in subparagraph (i), (ii) or (iia); and
(c) the person is identifiable, or reasonably identifiable, from:
(i) the CDR data; or
(ii) other information held by the other person referred to in paragraph (b); and
(d) none of the exclusions (if any) prescribed by the regulations apply to the first‑mentioned person in relation to the CDR data.
Meaning of CDR consumer for a CDR action
(3A) A person is a CDR consumer for a CDR action if:
(a) the performance of the CDR action:
(i) is for the person; or
(ii) relates to the person because of circumstances of a kind prescribed by the regulations; and
(b) the performance of the CDR action is not for the person as:
(i) an accredited action initiator for CDR actions of that type; or
(ii) an action service provider for CDR actions of that type; and
(c) none of the exclusions (if any) prescribed by the regulations apply to the person in relation to the CDR action.
Example: Assume X and Y are both accredited action initiators, and Y gives a valid instruction for the performance of a CDR action (that relates to the supply of accounting services) on X’s behalf. X will be a CDR consumer for the CDR action, but Y will not be because of paragraph (b).
Other definitions of consumer do not apply for this Part
(4) Section 4B (about consumers) does not apply to this Part.
(1) A person is a data holder, of CDR data, if:
(a) the CDR data:
(i) is information within a class of information specified, as described in paragraph 56AC(2)(a), in an instrument designating a sector under subsection 56AC(2) (the designation instrument); or
(ii) is directly or indirectly derived from information covered by subparagraph (i); and
(b) the CDR data is held by (or on behalf of) the person on or after the earliest holding day specified in the designation instrument; and
(ba) in the case of the CDR data beginning to be held by (or on behalf of) the person before that earliest holding day, the CDR data:
(i) is of continuing use and relevance; and
(ii) is not about the provision before that earliest holding day of a product or service by (or on behalf of) the person; and
(c) the person is not a designated gateway for the CDR data; and
(d) subsection (2), (3), (3A), (4) or (5) applies to the person and the CDR data.
Note 1: Geographical limitations may cause some information within a class specified as described in paragraph 56AC(2)(a) to be disregarded (see subsection 56AC(3)), which means it will not be CDR data.
Note 2: For a product or service that the person began providing before the earliest holding day and continued providing after that day:
(a) subparagraph (ba)(ii) means the person will not be the data holder of CDR data about the person’s provision of the product or service before that day; but
(b) the person will be the data holder of CDR data about the person’s provision of the product or service on or after that day.
First case—person is specified in the designation instrument and data not disclosed to the person under the consumer data rules
(2) This subsection applies to a person and CDR data if:
(a) the person, or a class of persons to which the person belongs, is specified, as described in paragraph 56AC(2)(b), in the designation instrument as holding a class of information to which the CDR data belongs; and
(b) neither the CDR data, nor any other CDR data from which it was directly or indirectly derived, was disclosed to the person under the consumer data rules.
Second case—reciprocity arising from the person being disclosed other CDR data under the consumer data rules
(3) This subsection applies to a person and CDR data if:
(a) neither the CDR data, nor any other CDR data from which it was directly or indirectly derived, was disclosed to the person under the consumer data rules; and
(b) the person is an accredited data recipient of other CDR data; and
(c) the conditions (if any) specified in the consumer data rules are met.
Note 1: Paragraph (b) is referring to other CDR data not covered by paragraph (a).
Note 2: The other CDR data referred to in paragraph (b) could be within a class of information specified in another instrument designating a different sector under subsection 56AC(2).
Third case—reciprocity arising from the person being a voluntary action service provider for a type of CDR action
(3A) This subsection applies to a person and CDR data if:
(a) neither the CDR data, nor any other CDR data from which it was directly or indirectly derived, was disclosed to the person under the consumer data rules; and
(b) the designation instrument (see subsection (1)) also specifies, as described in paragraph 56AC(2)(b), a class of persons (the core data holders) as holding a class of information to which the CDR data belongs; and
(c) the person is not a core data holder, but is a voluntary action service provider for a type of CDR action; and
(d) the classes of data holders declared in the CDR declaration for that type of CDR action include the core data holders; and
(e) the conditions (if any) specified in the consumer data rules are met.
Note 1: The CDR data needs to be held by (or on behalf of) the person (see paragraph (1)(b)).
Note 2: The core data holders are data holders because of subsection (2).
Fourth case—person is an accredited person and conditions in the consumer data rules are met
(4) This subsection applies to a person and CDR data if:
(a) the person is an accredited person; and
(b) the CDR data, or any other CDR data from which it was directly or indirectly derived, was disclosed to the person under the consumer data rules; and
(c) the conditions specified in the consumer data rules are met.
Fifth case—person is specified in the designation instrument and conditions in the consumer data rules are met
(5) This subsection applies to a person and CDR data if:
(a) the person, or a class of persons to which the person belongs, is specified, as described in paragraph 56AC(2)(b), in the designation instrument as holding a class of information to which the CDR data belongs; and
(b) the CDR data, or any other CDR data from which it was directly or indirectly derived, was disclosed to the person under the consumer data rules; and
(c) the conditions specified in the consumer data rules are met.
56AK Meaning of accredited data recipient
(1) A person is an accredited data recipient, of CDR data, if:
(a) the person is an accredited person; and
(b) the CDR data is held by (or on behalf of) the person; and
(c) the CDR data, or any other CDR data from which it was directly or indirectly derived, either:
(i) was disclosed to the person under the consumer data rules; or
(ii) is covered by subsection (2) for the person; and
(d) the person is neither a data holder, nor a designated gateway, for the first‑mentioned CDR data; and
(e) the first‑mentioned CDR data is not being held by (or on behalf of) the person as an action service provider for a type of CDR action.
Note: For paragraph (d), the person will be a data holder of that CDR data if subsection 56AJ(4) applies.
(2) This subsection covers CDR data for a person if:
(a) the CDR data is information that relates to a CDR consumer for a CDR action; and
(b) the person is authorised by the consumer data rules to use or disclose that information to prepare or give a valid instruction for the performance of the CDR action on behalf of the CDR consumer.
56AL Meanings of CDR participant and designated gateway
(1) A CDR participant, for CDR data, is a data holder, or an accredited data recipient, of the CDR data.
(2) A person is a designated gateway, for CDR data, if:
(a) the person is specified as a gateway, as described in subparagraph 56AC(2)(e)(i), in an instrument designating a sector under subsection 56AC(2); and
(b) the CDR data is information within a class, specified in that instrument, for which the person is a gateway; and
(c) the CDR data is, or is to be, disclosed to the person under the consumer data rules because the person is:
(i) acting as described in a subparagraph of paragraph 56BG(1)(a) or (b); or
(ii) if there are no consumers for the CDR data—acting between a CDR participant for the CDR data and a person requesting a disclosure of the CDR data;
and not because the person is an accredited person or a CDR consumer for the CDR data.
56AM Meanings of chargeable CDR data, chargeable circumstances and fee‑free CDR data
(1) CDR data is chargeable CDR data if the CDR data is information within a class specified, as described in paragraph 56AC(2)(d), in an instrument designating a sector under subsection 56AC(2) (the designation instrument).
(2) The chargeable CDR data is disclosed in chargeable circumstances if it is disclosed in circumstances specified:
(a) for that class of information; and
(b) as described in subparagraph 56AC(2)(d)(i);
in the designation instrument.
(3) The chargeable CDR data is used in chargeable circumstances if it is used in circumstances specified:
(a) for that class of information; and
(b) as described in subparagraph 56AC(2)(d)(ii);
in the designation instrument.
(4) CDR data is fee‑free CDR data if:
(a) the consumer data rules require it to be disclosed; and
(b) it is not chargeable CDR data.
56AMA Meanings of CDR action and CDR declaration
(1) A CDR action is an action of a type declared under section 56ACA.
(2) A CDR declaration, for a type of CDR action, is the declaration under section 56ACA that declares actions of that type.
56AMB Meanings of action service provider and voluntary action service provider
(1) A person is an action service provider, for a type of CDR action, if the person:
(a) is within a class of data holders (of CDR data) declared in the CDR declaration for that type of CDR action; or
(b) is a voluntary action service provider for that type of CDR action.
Note 1: A data holder covered by paragraph (a) has no choice about being an action service provider for CDR actions of that type.
Note 2: A data holder covered by paragraph (a) for one or more types of CDR actions will not be an action service provider for any other type of CDR action unless the data holder chooses to apply to be a voluntary action service provider.
(2) A person is a voluntary action service provider, for a type of CDR action, if:
(a) paragraph (1)(a) does not apply to the person for that type of CDR action; and
(b) the person holds an approval, of the kind described in subsection 56BHA(1), under the consumer data rules for that type of CDR action.
Note: The person will need to have applied to be approved as an action service provider for CDR actions of that type (see subsection 56BHA(1)).
56AMC Meaning of accredited action initiator
A person is an accredited action initiator for a type of CDR action if:
(a) the person is an accredited person; and
(b) the person’s accreditation authorises the person to initiate that type of CDR action.
Note 1: The consumer data rules may include rules about accreditation, including about different levels of accreditation (see subsection 56BH(1)).
Note 2: The Register of Accredited Persons may include information about what a person’s level of accreditation authorises the person to do (see section 56CE).
56AMD Meaning of CDR action participant
A CDR action participant is an action service provider, or an accredited action initiator, for one or more types of CDR actions.
Subdivision D—Extension to external Territories and extraterritorial operation
56AN Extension to external Territories
Each of the following provisions (the CDR provisions) extends to every external Territory:
(a) a provision of this Part;
(b) a provision of the regulations made for the purposes of a provision of this Part;
(c) a provision of the consumer data rules;
(ca) a provision of any other instrument made under this Part;
(d) another provision of this Act to the extent that it relates to a provision covered by paragraph (a), (b), (c) or (ca);
(e) a provision of the Regulatory Powers Act to the extent that it applies in relation to a provision of this Part;
(f) a provision of the Privacy Act 1988 to the extent that it applies as described in section 56ES or 56ET of this Act.
56AO Extraterritorial operation of the CDR provisions
CDR provisions generally apply inside and outside Australia
(1) Subject to subsections (2) to (3B), the CDR provisions extend to acts, omissions, matters and things outside Australia.
CDR provisions apply for CDR data held inside Australia
(2) To the extent that the CDR provisions have effect in relation to CDR data held within Australia, the CDR provisions apply in relation to all persons (including foreign persons).
CDR provisions can apply for CDR data held outside Australia
(3) To the extent that the CDR provisions have effect in relation to an act, or omission, relating to CDR data held outside Australia, the CDR provisions only apply if:
(a) the act or omission is by (or on behalf of) an Australian person; or
(b) the act or omission occurs wholly or partly in Australia, or wholly or partly on board an Australian aircraft or an Australian ship; or
(c) the act or omission occurs wholly outside Australia, and an Australian person suffers, or is likely to suffer, financial or other disadvantage as a result of the act or omission.
CDR provisions apply for CDR actions to be performed inside Australia
(3A) To the extent that the CDR provisions have effect in relation to a CDR action to be performed within Australia, the CDR provisions apply in relation to all persons (including foreign persons).
Example: Requirements in the consumer data rules relating to giving a valid instruction for the performance of a CDR action within Australia can apply to the accredited action initiator for the CDR action even if the accredited action initiator is a foreign person.
CDR provisions can apply for CDR actions to be performed outside Australia
(3B) To the extent that the CDR provisions have effect in relation to an act, or omission, relating to a CDR action to be performed outside Australia, the CDR provisions only apply if:
(a) the act or omission is by (or on behalf of) an Australian person; or
(b) the act or omission occurs wholly or partly in Australia, or wholly or partly on board an Australian aircraft or an Australian ship.
Example: Requirements in the consumer data rules relating to giving a valid instruction for the performance of a CDR action outside Australia can apply to the accredited action initiator for the CDR action if the accredited action initiator is an Australian person.
Interpretation
(4) For the purposes of subsection (3) or (3B), if a person’s act or omission includes sending, omitting to send, causing to be sent or omitting to cause to be sent an electronic communication or other thing:
(a) from a point outside Australia to a point inside Australia; or
(b) from a point inside Australia to a point outside Australia;
that act or omission is taken to have occurred partly in Australia.
(5) In this section:
Australia, when used in a geographical sense, includes all the external Territories.
Australian aircraft has the same meaning as in the Criminal Code.
Australian person means:
(a) a body corporate established by or under a law of the Commonwealth, of a State or of a Territory; or
(b) an Australian citizen, a permanent resident (within the meaning of the Australian Citizenship Act 2007), or any other person ordinarily resident within Australia or an external Territory; or
(c) an entity covered by subsection 56AR(1), (2) or (3) (about Australian government entities).
Australian ship has the same meaning as in the Criminal Code.
foreign person means a person other than an Australian person.
point includes a mobile or potentially mobile point, whether on land, underground, in the atmosphere, underwater, at sea or anywhere else.
56AP Geographical application of offences
Division 14 (Standard geographical jurisdiction) of the Criminal Code does not apply in relation to an offence against the CDR provisions.
Note: The extended geographical application that section 56AO gives to the CDR provisions applies to the offences against the CDR provisions.
Subdivision E—Application to government entities
56AQ CDR provisions bind the Crown
(1) The CDR provisions bind the Crown in each of its capacities.
(2) However, the CDR provisions do not make the Crown:
(a) liable to a pecuniary penalty or to be prosecuted for an offence; or
(b) subject to a remedy under section 56EY (about actions for damages for contravening the privacy safeguards); or
(c) subject to a remedy under Part VI (about enforcement) other than section 87B (about enforceable undertakings); or
(d) subject to a remedy under Part 4 (about civil penalties) or 7 (about injunctions) of the Regulatory Powers Act; or
(e) subject to Part XID of this Act (about search and seizure).
56AR Government entities may participate under this Part
Application to Commonwealth government entities
(1) The CDR provisions apply in relation to an entity that:
(a) is part of the Commonwealth; or
(b) is a Commonwealth entity (within the meaning of the Public Governance, Performance and Accountability Act 2013); or
(c) is a body (whether or not incorporated) established by or under a law of the Commonwealth; or
(d) is:
(i) holding or performing the duties of an office established by or under a law of the Commonwealth; or
(ii) holding an appointment made under a law of the Commonwealth; or
(e) is prescribed by the regulations.
Note: For how the CDR provisions so apply, see subsection (4).
Application to State or Territory government entities
(2) The CDR provisions apply only in relation to an entity that:
(a) is part of a State or Territory; or
(b) is a body (whether or not incorporated) established for a public purpose by or under a law of a State or Territory; or
(c) is:
(i) holding or performing the duties of an office established by or under a law of a State or Territory; or
(ii) holding an appointment made under a law of a State or Territory; or
(d) is an entity prescribed by the regulations in relation to a State or Territory;
if the entity is declared under subsection 56AS(1) as a participating entity, for the State or Territory, in one or more specified capacities.
Note 1: The entity is only a participating entity for those capacities specified in the declaration, for example, as a data holder.
Note 2: For how the CDR provisions so apply, see subsection (4).
(3) However, whether or not such a declaration is in force for an entity referred to in subsection (2), the CDR provisions apply in relation to the entity to the extent that:
(a) the CDR provisions relate to a CDR consumer for CDR data, and the entity is a CDR consumer for CDR data (or would be if the entity were a person); or
(b) the CDR provisions relate to a CDR consumer for a CDR action, and the entity is a CDR consumer for a CDR action (or would be if the entity were a person).
Note: For how the CDR provisions so apply, see subsection (4).
How the CDR provisions apply to a government entity
(4) For an entity covered by subsection (1), (2) or (3), the CDR provisions apply as described in that subsection in relation to the entity:
(a) as if the entity were a person; and
(b) with the modifications (if any) prescribed by the regulations.
This subsection does not affect how subsection 56AQ(2) applies to the entity.
(5) If the CDR provisions so apply to an entity covered by subsection (1):
(a) as a data holder of CDR data, the entity is conferred such functions as are necessary to enable the entity to operate as a data holder in accordance with the CDR provisions; or
(aa) as an accredited person, the entity is conferred such functions as are necessary to enable the entity to operate as an accredited person in accordance with the CDR provisions; or
(b) as a designated gateway for CDR data, the entity is conferred such functions as are necessary to enable the entity to operate as a designated gateway in accordance with the CDR provisions; or
(c) as an action service provider for a type of CDR action, the entity is conferred such functions as are necessary to enable the entity to operate as an action service provider in accordance with the CDR provisions.
56AS Participating government entities of a State or Territory—declaration
(1) The Minister may, by notifiable instrument, declare that an entity is a participating entity, for a State or Territory, in one or more of the following specified capacities:
(a) as a data holder of CDR data;
(b) as an accredited person;
(c) as a designated gateway for CDR data;
(d) as an action service provider for a type of CDR action.
Note: An entity may be declared by class (see subsection 13(3) of the Legislation Act 2003).
(2) However, the Minister must not do so unless the Minister is satisfied that the State or Territory has agreed to the entity participating under this Part in those capacities.
(3) If:
(a) a State or Territory has agreed to an entity of the State or Territory participating under this Part in those capacities; and
(b) the entity is a body corporate;
the entity is taken to have also agreed to participate under this Part in those capacities.
56AT Participating government entities of a State or Territory—revocation
(1) The Minister may, by notifiable instrument, revoke a declaration made under subsection 56AS(1) that an entity is a participating entity for a State or Territory.
(2) If a State or Territory requests in writing the Minister to revoke a declaration made under subsection 56AS(1) that an entity is a participating entity for the State or Territory, the Minister must, under subsection (1) of this section, revoke the declaration as soon as practicable.
(3) If the Minister revokes a declaration made under subsection 56AS(1) in relation to an entity, then, despite the revocation, subsection 56AR(2) continues to apply to the entity in relation to:
(a) any right, privilege, obligation or liability acquired, accrued or incurred before the revocation; and
(b) any investigation, legal proceeding or remedy in respect of any such right, privilege, obligation or liability;
as if the declaration were still in force.
Subdivision F—Application to acts done by or in relation to agents etc. of CDR entities
56AU Acts done by or in relation to agents etc. of CDR entities
Conduct of agents etc. of a CDR entity attributable to the CDR entity
(1) For the purposes of this Part and the consumer data rules, each of the following provisions applies to a CDR entity who is not a body corporate in a corresponding way to the way that provision applies to a CDR entity who is a body corporate:
(a) section 84 of this Act;
(b) section 97 of the Regulatory Powers Act (to the extent that it applies in relation to a provision of this Part).
Acts done in relation to an agent of a CDR entity taken to be done in relation to the CDR entity
(2) For the purposes of this Part and the consumer data rules, if an act is done by a person in relation to another person (the agent) who:
(a) is acting on behalf of a CDR entity; and
(b) is so acting within the agent’s actual or apparent authority;
the act is taken to have also been done in relation to the CDR entity.
Definitions
(3) In this section:
CDR entity means any of the following:
(a) a data holder of CDR data;
(b) an accredited person;
(c) a designated gateway for CDR data;
(d) an action service provider for a type of CDR action.
Division 2—Consumer data right
Subdivision A—Power to make consumer data rules
56BA Minister may make consumer data rules
(1) The Minister may, by legislative instrument, make rules (the consumer data rules) for designated sectors, or types of CDR actions, in accordance with this Division.
Note: Subdivision C deals with the process for making the consumer data rules.
(2) Without limiting subsection (1), the consumer data rules may set out:
(a) different rules for different designated sectors; or
(b) different rules for different classes of CDR data; or
(c) different rules for different classes of persons specified, as described in paragraph 56AC(2)(b), in an instrument designating a sector under subsection 56AC(2); or
(d) different rules for different classes of persons who are able to be disclosed CDR data under the consumer data rules; or
(e) different rules for different types of CDR actions; or
(f) different rules for different classes of:
(i) action service providers for types of CDR actions; or
(ii) accredited persons; or
(iii) CDR consumers for CDR actions.
56BAA Rules must include requirement to delete CDR data on request from CDR consumer
Requirement to delete CDR data in response to request from CDR consumer
(1) The consumer data rules must include a requirement on an accredited data recipient of CDR data to delete all or part of the CDR data if a CDR consumer for the CDR data validly requests this.
(2) However, a rule described in subsection (1) must not require deletion of all or part of the CDR data if:
(a) the accredited data recipient is required to retain the CDR data by or under an Australian law or a court/tribunal order; or
(b) the CDR data relates to any current or anticipated:
(i) legal proceedings; or
(ii) dispute resolution proceedings;
to which the accredited data recipient is a party; or
(c) the CDR data relates to any current or anticipated:
(i) legal proceedings; or
(ii) dispute resolution proceedings;
to which the CDR consumer is a party.
Consumer data rules may include rules in relation to the requirement
(3) The consumer data rules may include the following rules in relation to the requirement:
(a) rules about:
(i) how the CDR consumer may make a valid request; and
(ii) what must be included in a request for it to be valid and when a request ceases to be a valid request;
(b) rules specifying circumstances (in addition to those in subsection (2)) in which the accredited data recipient may refuse to delete the CDR data despite the requirement;
(c) rules about how an accredited data recipient is to delete the CDR data covered in a valid request;
(d) rules about how the requirement is to be complied with depending on the class of CDR data requested to be deleted;
(e) rules about how an accredited data recipient is to notify the CDR consumer of:
(i) the deletion of the CDR data and the extent of the deletion; or
(ii) if the CDR data is not deleted—the reasons the deletion did not occur;
(f) rules about any other matters incidental or related to the requirement (see also section 56BJ).
(4) This section applies despite any other provision of this Division.
(5) This section does not limit the consumer data rules dealing with the deletion of CDR data in circumstances other than compliance with the requirement.
56BB Matters that the consumer data rules may deal with
The consumer data rules may deal with the following matters:
(a) disclosure, collection, use, accuracy, storage, security or deletion of CDR data for which there are one or more CDR consumers (see also sections 56BC and 56BD);
(b) disclosure, collection, use, accuracy, storage, security or deletion of CDR data for which there are no CDR consumers (see also sections 56BE and 56BF);
(c) designated gateways for CDR data (see also section 56BG);
(ca) initiating CDR actions (see also section 56BGA);
(d) accreditation for the purposes of this Part (see also section 56BH);
(da) approving persons to be voluntary action service providers for types of CDR actions (see also section 56BHA);
(e) reporting, record keeping and auditing (see also section 56BI);
(f) matters incidental or related to any of the above matters (see also section 56BJ).
Required disclosures in response to valid requests
(1) Without limiting paragraph 56BB(a), the consumer data rules may include the following rules:
(a) requirements on a CDR participant for CDR data to disclose all or part of the CDR data, in response to a valid request by a CDR consumer for the CDR data, to:
(i) the CDR consumer for use as the CDR consumer sees fit; or
(ii) an accredited person for use subject to the privacy safeguards; or
(iii) a data holder of other CDR data;
(b) rules about:
(i) how a CDR consumer for the CDR data may make a valid request of the kind described in paragraph (a); and
(ii) what must be included in a request for it to be valid, what disclosures or other matters a valid request may cover, and when a request ceases to be a valid request;
(c) requirements on a person (other than a CDR consumer for the CDR data) to satisfy in order to be disclosed the CDR data in the way described in paragraph (a).
Note 1: The requirements described in paragraph (a) could, for example, include a requirement that the disclosure be in accordance with the relevant data standards.
Note 2: A fee may be charged for such a disclosure if the CDR data is chargeable CDR data, unless section 56BU provides otherwise.
Authorised disclosures or use in accordance with valid consents
(2) Without limiting paragraph 56BB(a), the consumer data rules may include the following rules:
(a) rules authorising a CDR participant for CDR data to disclose all or part of the CDR data to a person in accordance with a valid consent of a CDR consumer for the CDR data;
(b) rules authorising a person to use CDR data in accordance with a valid consent of a CDR consumer for the CDR data;
(c) rules about:
(i) how a CDR consumer for the CDR data may make a valid consent of the kind described in paragraph (a) or (b); and
(ii) what must be included in a consent for it to be valid, what disclosures, uses or other matters a valid consent may cover, and when a consent ceases to be a valid consent.
Note: Fees may be charged for these disclosures or uses.
Other rules
(3) Without limiting paragraph 56BB(a), the consumer data rules may include the following rules relating to CDR data for which there are one or more CDR consumers:
(a) rules relating to the privacy safeguards;
(b) other rules relating to the disclosure, collection, use, accuracy, storage or security of the CDR data that affect:
(i) an accredited person; or
(ii) a CDR participant, or CDR consumer, for the CDR data;
(c) other rules relating to the deletion of the CDR data that affect:
(i) an accredited person; or
(ii) an accredited data recipient of the CDR data; or
(iii) a CDR consumer for the CDR data.
Note 1: Subsection 56BD(3) limits how such rules can affect a data holder.
Note 2: The rules may deal with similar or additional matters to those in the privacy safeguards. When doing so, the rules will need to be consistent with those safeguards (see subsections 56EC(1) and (2)).
Note 3: The rules must include a requirement on an accredited data recipient to delete all or part of the CDR data in response to a valid request by a CDR consumer for the CDR data (see section 56BAA).
56BD Limitations for rules about CDR data for which there are CDR consumers
Only certain CDR data can be required to be disclosed
(1) The consumer data rules can only require a disclosure of CDR data for which there are one or more CDR consumers if:
(a) the CDR data is covered by paragraph 56AI(1)(a) or (aa); and
(b) the disclosure is to:
(i) one or more of those CDR consumers; or
(ii) an accredited person; or
(iii) a designated gateway for the CDR data; or
(iv) a data holder of the CDR data by a designated gateway for the CDR data; or
(iva) a data holder of other CDR data; or
(ivb) an action service provider for a type of CDR action; or
(v) a person acting on behalf of a person referred to in any of subparagraphs (ii) to (ivb).
Note 1: This means CDR data cannot be required to be disclosed if it is only CDR data because it is directly or indirectly derived from:
(a) other CDR data within a class specified, as described in paragraph 56AC(2)(a), in an instrument designating a sector under subsection 56AC(2); or
(b) other CDR data, about a CDR consumer for a CDR action, that an accredited action initiator is authorised to use to prepare or give a valid instruction for the performance of the CDR action.
Note 2: The consumer data rules can include other rules relating to this other derived CDR data.
Note 3: Voluntary disclosures of this other derived CDR data can be authorised under the consumer data rules.
No fee when fee‑free CDR data is required to be disclosed
(2) The consumer data rules cannot allow a fee to be charged for:
(a) the disclosure of fee‑free CDR data under rules like those described in paragraph 56BC(1)(a) or 56BG(1)(a); or
(b) the use of fee‑free CDR data received as the result of such a disclosure.
Note: Fees may be charged for other kinds of disclosures or uses of fee‑free CDR data.
Rules affecting data holders that relate to the use, accuracy, storage, security or deletion of CDR data
(3) For a data holder of CDR data for which there are one or more CDR consumers, the consumer data rules:
(a) can only include rules affecting the data holder that relate to the deletion of the CDR data if:
(i) the CDR data; or
(ii) any other CDR data from which it was directly or indirectly derived;
was disclosed to the data holder under the consumer data rules; and
(b) can only include rules affecting the data holder that relate to the use, accuracy, storage or security of the CDR data if such rules also relate to the disclosure of the CDR data under the consumer data rules.
Effect of limitations
(4) Subsections (1), (2) and (3) apply despite any other provision of this Division.
Without limiting paragraph 56BB(b), the consumer data rules may include the following rules for CDR data for which there are no CDR consumers:
(a) requirements on a CDR participant for the CDR data to disclose all or part of the CDR data to a person in response to a valid request by the person;
(b) rules about:
(i) how a person may make a valid request of the kind described in paragraph (a); and
(ii) what must be included in a request for it to be valid, what disclosures or other matters a valid request may cover, and when a request ceases to be a valid request;
(c) requirements on a person to satisfy in order to be disclosed the CDR data in the way described in paragraph (a);
(d) other rules affecting:
(i) CDR participants for the CDR data; or
(ii) persons wishing to be disclosed the CDR data;
that relate to the disclosure, collection, use, accuracy, storage, security or deletion of the CDR data.
Note 1: A request for this CDR data could be made, for example, to assist the development of a product or service.
Note 2: The requirements described in paragraph (a) could, for example, include a requirement that the disclosure be in accordance with the relevant data standards.
Note 3: The privacy safeguards do not apply to this CDR data (see subsection 56EB(1)).
56BF Limitations for rules about product data
Only certain kinds of product data can be required to be disclosed
(1) The consumer data rules can only require a disclosure of CDR data for which there are no CDR consumers if:
(a) the CDR data is about the eligibility criteria, terms and conditions, price, availability or performance of:
(i) a product or other kind of good; or
(ii) a service; and
(b) in the case where the CDR data is about availability or performance—the CDR data is publicly available.
Note 1: This means other kinds of CDR data for which there are no CDR consumers cannot be required to be disclosed.
Note 2: The consumer data rules can include other rules relating to other kinds of CDR data for which there are no CDR consumers.
Note 3: Voluntary disclosures of other kinds of CDR data for which there are no CDR consumers can be authorised under the consumer data rules.
No fee when this CDR data is required to be disclosed
(2) The consumer data rules cannot allow a fee to be charged for:
(a) the disclosure of CDR data under rules like those described in paragraph 56BE(a) or 56BG(2)(a); or
(b) the use of CDR data received as the result of such a disclosure.
Note: A fee could be charged for other disclosures or uses of CDR data for which there are no CDR consumers.
Effect of limitations
(3) Subsections (1) and (2) apply despite any other provision of this Division.
56BG Rules about designated gateways
CDR data for which there are CDR consumers
(1) Without limiting paragraph 56BB(c), if there is a designated gateway for CDR data for which there are one or more CDR consumers, the consumer data rules may include the following rules:
(a) rules like those described in subsection 56BC(1) for the CDR data, but involving the designated gateway:
(i) acting between the CDR consumer and the CDR participant in the making of a valid request; or
(ii) acting between the CDR consumer and the accredited person who is the proposed recipient of the requested disclosure; or
(iii) acting between the CDR participant and the CDR consumer, or accredited person, who is the proposed recipient of the requested disclosure;
(b) rules like those described in subsection 56BC(2) for the CDR data, but involving the designated gateway:
(i) acting between the CDR consumer and a person authorised as described in that subsection; or
(ii) acting between persons authorised as described in that subsection;
(c) other rules affecting the designated gateway that relate to the disclosure, collection, use, accuracy, storage, security or deletion of the CDR data.
Product data
(2) Without limiting paragraph 56BB(c), if there is a designated gateway for CDR data for which there are no CDR consumers, the consumer data rules may include the following rules:
(a) rules like those described in paragraphs 56BE(a) to (c), but involving the designated gateway acting between the CDR participant and the person requesting the disclosure;
(b) other rules affecting the designated gateway that relate to the disclosure, collection, use, accuracy, storage, security or deletion of the CDR data.
Limitation—rules relating to the collection, use, accuracy, storage, security or deletion of CDR data
(3) For a designated gateway for CDR data for which there are one or more CDR consumers, the consumer data rules:
(a) can only include rules affecting the designated gateway requiring or authorising the disclosure of the CDR data if such rules are as described in paragraph (1)(a) or (b); and
(b) can only include rules affecting the designated gateway that relate to the collection, use, accuracy, storage, security or deletion of the CDR data if such rules also relate to a disclosure described in paragraph (a) of this subsection.
Note: Paragraph (a) does not prevent the inclusion of a rule relating to a disclosure described in that paragraph.
(4) Subsection (3) applies despite any other provision of this Division.
Transitional rules
(5) Without limiting paragraph 56BB(c), if there is a designated gateway for CDR data, the consumer data rules may include transitional rules for when a person ceases to be the designated gateway, including about the disclosure, collection, use, accuracy, storage, security or deletion of the CDR data.
Note: These rules could, for example, include a requirement that the CDR data be disclosed in accordance with the relevant data standards to another gateway. Some of these transitional rules could be similar to some of the privacy safeguards.
56BGA Rules about initiating CDR actions
Instructions may be given to initiate types of CDR actions
(1) Without limiting paragraph 56BB(ca), the consumer data rules may include the following rules:
(a) requirements on an accredited action initiator for a type of CDR action relating to giving a valid instruction:
(i) for the performance of a CDR action of that type; and
(ii) to an action service provider for a CDR action of that type; and
(iii) on behalf of a CDR consumer for the CDR action, and in response to that consumer’s valid request; and
(iv) after a series of specified kinds of interactions between that initiator, provider, consumer or other persons (whether involving all or any 2 of them);
(b) rules about how an instruction must be prepared for it to be a valid instruction of the kind described in paragraph (a), what matters a valid instruction may cover, and when an instruction ceases to be a valid instruction;
(c) rules about:
(i) how a CDR consumer for a CDR action may make a valid request of the kind described in subparagraph (a)(iii); and
(ii) what must be included in a request for it to be valid, what matters a valid request may cover, and when a request ceases to be a valid request;
(d) for an accredited action initiator for a type of CDR action who is acting as described in paragraph (a) to give a valid instruction on behalf of a CDR consumer for a CDR action—rules authorising the initiator to use or disclose information relating to the consumer that:
(i) is disclosed to the initiator; or
(ii) is otherwise held by the initiator;
to prepare or give the valid instruction;
(e) requirements on an action service provider for a type of CDR action relating to how the provider processes a valid instruction of the kind described in paragraph (a);
(f) rules relating to the interactions described in subparagraph (a)(iv);
(g) rules relating to the privacy safeguards in relation to an instruction or request relating to a CDR action;
(h) rules relating to information that is not CDR data, but that relates to a CDR action.
Note 1: The requirements described in paragraph (a) could, for example, include a requirement that the instruction be prepared and given in accordance with the relevant data standards.
Note 2: The rules may deal with similar or additional matters to those in the privacy safeguards. When doing so, the rules will need to be consistent with those safeguards (see subsections 56EC(1) and (2)).
Allowing providers to charge fees at the instruction layer
(2) Without limiting paragraph 56BB(ca), the consumer data rules may include rules declaring that action service providers for a type of CDR action may charge (or cause to be charged) fees for processing valid instructions of the kind described in paragraph (1)(a) for CDR actions of that type.
Note 1: The action service providers will not be able to charge fees for processing valid instructions in the absence of such a declaration (see subsection 56BZD(1) and paragraph 56BZD(2)(a)).
Note 2: This subsection has no effect on what fees the providers decide to charge at the action layer for performing the CDR actions.
Authorised disclosures or use of related CDR data in accordance with valid consents
(3) Without limiting paragraph 56BB(ca), the consumer data rules may include the following rules:
(a) rules authorising a CDR action participant to disclose all or part of specified CDR data to a person in accordance with a valid consent of a CDR consumer for the CDR data;
(b) rules authorising a person to use CDR data in accordance with a valid consent of a CDR consumer for the CDR data;
(c) rules about:
(i) how a CDR consumer for the CDR data may make a valid consent of the kind described in paragraph (a) or (b); and
(ii) what must be included in a consent for it to be valid, what disclosures, uses or other matters a valid consent may cover, and when a consent ceases to be a valid consent.
Rules must not apply at the action layer
(4) Despite any other provision of this Division, the consumer data rules cannot include rules requiring an action service provider for a type of CDR action to perform (or not perform) a CDR action of that type in a particular way.
Note 1: The consumer data rules focus on the instruction layer not the action layer.
Note 2: The action service provider will need to ensure it does not discriminate against a valid instruction given under the consumer data rules (see sections 56BZC and 56BZD).
(a) is information referred to in paragraph (1)(d), or is directly or indirectly derived from other information referred to in that paragraph; and
the consumer data rules can include rules affecting that CDR action participant that relate to the use, disclosure, accuracy, storage, security or deletion of the CDR data.
56BH Rules about accreditation for the purposes of this Part
(1) Without limiting paragraph 56BB(d), the consumer data rules may include the following rules:
(a) rules conferring functions or powers on the CDR Accreditor;
(b) the criteria for a person to be accredited under subsection 56CA(1);
(c) rules providing that accreditations may be granted subject to conditions, and that conditions may be imposed on an accreditation after it has been granted;
(d) rules providing that accreditations may be granted at different levels corresponding to different risks, including the risks associated with:
(i) specified classes of CDR data; or
(ii) specified classes of activities; or
(iia) specified types of CDR actions; or
(iii) specified classes of applicants for accreditation;
(da) rules specifying what a person accredited at a particular level is authorised to do (or not authorised to do);
(e) rules for the period, renewal, transfer, variation, suspension, revocation or surrender of accreditations;
(f) notification requirements on persons whose accreditations have been varied, suspended, revoked or surrendered;
(g) transitional rules for when an accreditation is varied, is suspended or ends, including about the disclosure, collection, use, accuracy, storage, security or deletion of CDR data;
(h) rules about a matter referred to in subsection 56CE(4) (about the Register of Accredited Persons).
Note 1: The rules described in paragraph (d) could, for example, include a level of accreditation for initiating CDR actions under the consumer data rules.
Note 2: The rules described in paragraph (g) could, for example, include a requirement that the CDR data be disclosed in accordance with the relevant data standards to an accredited person. Some of these transitional rules could be similar to some of the privacy safeguards.
(2) Without limiting paragraph (1)(b):
(a) the criteria may differ for different classes of persons; and
(b) the criteria may include the payment of a fee.
Any fee must not be such as to amount to taxation.
(3) Without limiting paragraph (1)(e), the grounds for varying, suspending or revoking an accreditation could include failing to comply with a requirement in this Part or in the consumer data rules.
Note 1: The requirements in this Part include the privacy safeguards.
Note 2: An example of a variation could be the imposition of a condition, or changing the level of an accreditation.
(4) If the consumer data rules include rules enabling decisions to be made:
(a) to vary, suspend or revoke an accreditation; or
(b) to refuse to make a decision described in paragraph (a);
the rules must permit the making of applications to the Administrative Review Tribunal for review of those decisions.
Note 1: The consumer data rules can also provide for internal review of these decisions, and internal and review by the Administrative Review Tribunal of other decisions (see section 56BJ).
Note 2: The decisions could be decisions of the Minister or of another person (see paragraph 56BJ(c)).
56BHA Rules about approving persons to be voluntary action service providers for types of CDR actions
(1) Without limiting paragraph 56BB(da), the consumer data rules may include the following rules:
(a) rules for the approval of persons who apply to be action service providers for one or more types of CDR actions;
(b) the criteria for a person to be so approved;
(c) rules providing that such approval may be granted subject to conditions, and that conditions may be imposed on such an approval after it has been granted;
(d) rules providing that such approvals may be granted at different levels corresponding to different risks, including the risks associated with:
(i) specified types of CDR actions; or
(ii) specified classes of CDR data; or
(iii) specified classes of applicants for such approvals;
(e) rules specifying what a person approved at a particular level is authorised to do (or not authorised to do);
(f) rules for the period, renewal, transfer, variation, suspension, revocation or surrender of such approvals;
(g) notification requirements on persons whose such approvals have been granted, renewed, transferred, varied, suspended, revoked or surrendered;
(h) rules about publishing details of such approvals, renewals, transfers, variations, suspensions, revocations or surrenders;
(i) transitional rules for when such an approval is varied, is suspended or ends, including about the disclosure, collection, use, accuracy, storage, security or deletion of CDR data;
(j) rules conferring functions or powers on the Minister for any of the matters described in this subsection.
Note: The Minister may delegate the functions or powers referred to in paragraph (j) (see section 56GAA).
(2) Without limiting paragraph (1)(b):
(a) the criteria may differ for different classes of persons; and
(b) the criteria may permit a person to be approved even if the person:
(i) is not a body corporate established by or under a law of the Commonwealth, of a State or of a Territory; and
(ii) is neither an Australian citizen, nor a permanent resident (within the meaning of the Australian Citizenship Act 2007); and
(c) the criteria may include the payment of a fee.
Any fee must not be such as to amount to taxation.
(3) Any such approval is granted on the basis that no compensation is payable if the approval is varied, transferred, suspended, revoked or surrendered in any way.
(4) Without limiting paragraph (1)(f), the grounds for varying, suspending or revoking such an approval could include failing to comply with a requirement in this Part or in the consumer data rules.
Note 1: The requirements in this Part include the privacy safeguards.
Note 2: An example of a variation could be the imposition of a condition, or changing the level of an approval.
(5) If the consumer data rules include rules enabling decisions to be made:
(a) to grant, vary, suspend or revoke such an approval; or
(b) to refuse to make a decision described in paragraph (a);
the rules must permit the making of applications to the Administrative Appeals Tribunal for review of those decisions.
Note: The consumer data rules can also provide for internal review of these decisions, and internal and AAT review of other decisions (see section 56BJ).
(6) Without limiting paragraph (1)(h), the rules may provide that:
(a) a person able to make any of the kinds of decisions described in subsection (5) may supply to another person a copy or extract that:
(i) is from a publication of details described in paragraph (1)(h), where those details are matters of fact; and
(ii) is certified by the person to be a true copy or a true extract (as applicable); and
(b) such a certified copy or extract (the certificate) is admissible in any proceedings as prima facie evidence of the original; and
(c) the certificate must not be admitted in evidence in proceedings relating to a person unless:
(i) the person; or
(ii) a barrister or solicitor who is representing the person in the proceedings;
has, at least 14 days before the certificate is sought to be so admitted, been given a copy of the certificate together with notice of the intention to produce the certificate as evidence in the proceedings.
56BI Rules about reporting, record keeping and auditing
(1) Without limiting paragraph 56BB(e), the consumer data rules may include the following rules:
(a) a power for a CDR consumer for CDR data to direct a CDR participant for the CDR data to give the consumer, or an accredited person, reports about:
(i) the consumer’s valid requests to the CDR participant, under rules like those described in paragraph 56BC(1)(a) or 56BG(1)(a), for the CDR data; and
(ii) any disclosures made in response to such requests;
(b) a power for a CDR consumer for CDR data to direct a CDR participant for the CDR data to give the consumer, or an accredited person, reports about:
(i) the consumer’s valid consents to the CDR participant, under rules like those described in paragraph 56BC(2)(a) or (b) or 56BG(1)(b), for the CDR data; and
(ii) any disclosures made in response to such consents;
(c) a power for a person referred to in paragraph 56BG(1)(a) or (b) to direct a designated gateway referred to in that paragraph to give reports about:
(i) valid requests or consents, affecting the designated gateway, under rules like those described in that paragraph; and
(ii) any disclosures made in response to such requests or consents;
(ca) a power for a CDR consumer for a CDR action to direct an accredited action initiator for CDR actions of that type to give the consumer, or an accredited person, reports about:
(i) the consumer’s valid request made to the initiator, under rules like those described in subsection 56BGA(1), for the giving of a valid instruction for the performance of the CDR action; or
(ii) a valid instruction given by the initiator, under rules like those described in subsection 56BGA(1), on behalf of the consumer and for the performance of the CDR action;
(cb) a power for a CDR consumer for a CDR action to direct an action service provider for CDR actions of that type to give the consumer, or an accredited person, reports about the provider’s processing of any valid instruction given to the provider:
(i) on behalf of the consumer under rules like those described in subsection 56BGA(1); and
(ii) for the performance of the CDR action;
(d) requirements for CDR participants for CDR data, or CDR action participants, to give reports to the Commission or the Information Commissioner;
(e) requirements for accredited persons to give reports to the Commission or the Information Commissioner;
(f) requirements for designated gateways for CDR data to give reports to the Commission or the Information Commissioner;
(g) requirements for the keeping of records relating to the operation of the consumer data rules;
(h) requirements for each of the following entities:
(i) the CDR Accreditor;
(ii) the Accreditation Registrar;
(iii) the Data Standards Chair;
to give reports to the Commission or the Information Commissioner about that entity’s functions or powers.
Note: Information or documents relating to compliance with the consumer data rules may also be required to be given (see subsections 155(1) and (2)).
(2) Without limiting subsection (1), the consumer data rules may include requirements for CDR participants or designated gateways for CDR data, CDR action participants or accredited persons to give to the Commission or Information Commissioner:
(a) copies of one or more of the records required to be kept as described in paragraph (1)(g); or
(b) information from such records;
either periodically, or on request by the Commission or Information Commissioner, or both.
56BJ Rules about incidental or related matters
Without limiting paragraph 56BAA(3)(f) or 56BB(f), the consumer data rules may include the following rules:
(a) rules that refer to the data standards;
(b) the circumstances in which persons are, or may be, relieved from complying with requirements in the consumer data rules that would otherwise apply to them;
(c) a rule that depends on a person being satisfied of one or more specified matters;
(d) rules for the making of applications for internal review, or of applications to the Administrative Review Tribunal for review, of decisions of a person under the consumer data rules;
(e) rules about the manner or form in which persons or bodies:
(i) may exercise powers under the consumer data rules; or
(ii) must comply with requirements imposed by the consumer data rules;
which could include requiring the use of a form approved by the Commission or by the Information Commissioner;
(f) rules about the following matters:
(i) the manner in which CDR participants for CDR data, or CDR action participants, may charge (or cause to be charged) a fee for a matter covered by the consumer data rules;
(ii) the time for paying such a fee;
(iii) giving notice of, or publicising, such a fee or matters about such a fee;
(g) rules requiring CDR participants, or designated gateways, for CDR data, or CDR action participants, to have internal or external dispute resolution processes:
(i) that relate to the operation of the consumer data rules or this Part; and
(ii) that meet specified criteria;
(h) rules relating to an external dispute resolution scheme recognised under Division 4, including about access to such a scheme;
(i) transitional rules for the external resolution of disputes:
(i) described in subsection 56DA(1); and
(ii) not covered by a scheme recognised under that subsection;
(ia) rules requiring agents of any of the following entities (a CDR entity):
(i) a data holder of CDR data;
(ii) an accredited person;
(iii) a designated gateway for CDR data;
(iv) an action service provider for a type of CDR action;
to do or not to do specified things when acting on behalf of the CDR entity and within the agent’s actual or apparent authority;
(j) rules about any other matters that the provisions of this Part provide may be specified, or otherwise dealt with, in the consumer data rules.
56BK Further limitations on the consumer data rules
(1) The consumer data rules cannot impose on a person a requirement that has a retrospective commencement or application.
Example: The rules cannot require a data holder to disclose CDR data on a day before the rules are registered, or on a day before the registration of a variation to the rules that includes the requirement.
Note: Other limitations on the consumer data rules are in sections 56BD, 56BF and 56BG.
(2) To avoid doubt, the consumer data rules may require a person to do something on a particular day, in relation to CDR data generated or collected on an earlier day, if the person:
(a) is a data holder of the CDR data; or
(b) is an accredited person; or
(c) is a person who has given a valid request under the consumer data rules relating to the CDR data; or
(d) is a designated gateway for the CDR data; or
(e) is an action service provider for a type of CDR action.
Example: A data holder is given a valid request to disclose CDR data that was generated before the rules are registered. The rules can require that disclosure.
(4) Subsection (1) applies despite any other provision of this Division.
Subdivision B—Compliance with consumer data rules
56BL Obligation to comply with consumer data rules
The consumer data rules may provide that specified provisions of the rules are civil penalty provisions (within the meaning of the Regulatory Powers Act).
Note: Sections 76 to 77 deal with enforcing the civil penalty provisions.
Object
(1) The object of this section is for Division 5 of Part XI to apply to a civil penalty provision of the consumer data rules in a corresponding way to the way that Division applies to a provision of Part 2‑2 of the Australian Consumer Law.
Note: That Division is about infringement notices issued for alleged contraventions of provisions of the Australian Consumer Law.
Extended application of Division 5 of Part XI etc.
(2) Division 5 of Part XI, and any other provision of this Act that relates to that Division, also apply in relation to a civil penalty provision of the consumer data rules as if the substitutions in the following table were made.
Substitutions to be made | ||
Item | For a reference in Division 5 of Part XI to … | … substitute a reference to … |
1 | section 224 of the Australian Consumer Law | section 76 of this Act. |
2 | Chapter 4 or Part 5‑2 of the Australian Consumer Law | Part VI of this Act. |
3 | a provision of Part 2‑2 of the Australian Consumer Law | a civil penalty provision of the consumer data rules. |
(3) To avoid doubt, Division 2 of Part XI does not limit the application of section 56GF (about constitutional basis) to the extended application of Division 5 of Part XI as described in this section.
56BN Misleading or deceptive conduct—offence
(1) A person commits an offence if:
(a) the person engages in conduct; and
(b) the person does so knowing that the conduct:
(i) is misleading or deceptive; or
(ii) is likely to be misleading or deceptive; and
(c) the conduct misleads or deceives, or is likely to mislead or deceive, another person (the second person) into believing that:
(i) a person is a CDR consumer for CDR data; or
(ii) a person is making a valid request or consent, or has satisfied other criteria, for the disclosure of CDR data under the consumer data rules; or
(iii) a person is a CDR consumer for a CDR action; or
(iv) a person has satisfied any criteria under the consumer data rules for the making of a request, the giving of a valid instruction, or the processing of a valid instruction, for the performance of a CDR action.
Note: The person mentioned in subparagraph (c)(i), (ii), (iii) or (iv) could be the first‑mentioned person, the second person or a third person.
Defence
(2) Subsection (1) does not apply if the conduct is not misleading or deceptive in a material particular.
Note: A defendant bears an evidential burden in relation to the matter in this subsection (see subsection 13.3(3) of the Criminal Code).
Penalty—body corporate
(3) An offence against subsection (1) committed by a body corporate is punishable on conviction by a fine of not more than the greater of the following:
(a) $10,000,000;
(b) if the court can determine the value of the benefit that the body corporate, and any body corporate related to the body corporate, have obtained directly or indirectly and that is reasonably attributable to the commission of the offence—3 times the value of that benefit;
(c) if the court cannot determine the value of that benefit—10% of the adjusted turnover of the body corporate during the 12‑month period ending at the end of the month in which the commission of the offence happened or began.
Penalty—other persons
(5) An offence against subsection (1) committed by a person other than a body corporate is punishable on conviction by imprisonment for not more than 5 years, a fine of not more than $500,000, or both.
56BO Misleading or deceptive conduct—civil penalty
(1) A person must not engage in conduct that misleads or deceives, or is likely to mislead or deceive, another person (the second person) into believing that:
(a) a person is a CDR consumer for CDR data; or
(b) a person is making a valid request or consent, or has satisfied other criteria, for the disclosure of CDR data under the consumer data rules; or
(c) a person is a CDR consumer for a CDR action; or
(d) a person has satisfied any criteria under the consumer data rules for:
(i) the making of a request; or
(ii) the giving of a valid instruction; or
(iii) the processing of a valid instruction;
for the performance of a CDR action.
Note 1: The person mentioned in paragraph (a), (b), (c) or (d) could be the first‑mentioned person, the second person or a third person.
Note 2: For enforcement, see Part VI (including section 76 for an order for payment of a pecuniary penalty).
Defence
(2) Subsection (1) does not apply if the conduct is not misleading or deceptive in a material particular.
(3) A person who wishes to rely on subsection (2) bears the burden of adducing or pointing to evidence that suggests a reasonable possibility that the conduct is not misleading or deceptive in a material particular.
Subdivision C—Process for making consumer data rules etc.
56BP Minister’s tasks before making the rules
Before making consumer data rules under subsection 56BA(1), the Minister must:
(a) consider the kinds of matters referred to in paragraphs 56AD(1)(a) and (b) in relation to the making of the rules; and
(aa) consider the following kinds of matters in relation to making a rule described in subsection 56BGA(2) (about fees at the instruction layer) for a type of CDR action:
(i) whether performers of actions of that type currently charge fees for processing instructions to perform such actions;
(ii) whether the incentive to perform actions of that type would be reduced if fees could not be charged for processing such instructions;
(iii) the marginal cost of processing such instructions in accordance with the consumer data rules; and
(b) be satisfied that the Secretary of the Department has complied with section 56BQ in relation to the making of the rules; and
(c) wait at least 60 days after the day public consultation begins under paragraph 56BQ(b) about the making of the rules.
56BQ Secretary must arrange for consultation and report before the rules are made
The Secretary of the Department complies with this section in relation to the making of consumer data rules if the Secretary arranges for all of the following:
(a) an analysis of the kinds of matters referred to in paragraphs 56BP(a) and (aa) in relation to the making of the rules;
(b) public consultation about the making of the rules:
(i) for at least 28 days; and
(ii) in one or more ways that includes making information available on the Department’s website and inviting the public to comment;
(c) consultation with each of the following about the making of the rules:
(i) the Commission;
(ii) the Information Commissioner;
(iii) the person or body (if any) that the Secretary believes to be the primary regulator of the sector;
(iv) any person or body prescribed by the regulations;
(d) the preparation of a report for the Minister about that analysis and consultation.
56BR Commission and Information Commissioner must analyse the proposed rules
When consulted under paragraph 56BQ(c), the Commission and the Information Commissioner must each analyse the kinds of matters referred to in paragraphs 56BP(a) and (aa) in relation to the making of the rules.
56BS Emergency rules: public consultation not required etc.
(1) The Minister may make consumer data rules under subsection 56BA(1):
(a) without complying with paragraph 56BP(b) or (c); but
(b) after consulting the Commission and Information Commissioner;
if the Minister believes (whether or not that belief is reasonable) that it is necessary to do so in order to avoid a risk of serious harm to:
(c) the efficiency, integrity or stability of any aspect of the Australian economy; or
(d) the interests of consumers.
Note: The Minister still needs to comply with paragraph 56BP(a).
(2) However, a failure to comply with paragraph (1)(b) of this section does not invalidate consumer data rules made as described in subsection (1).
Note: Such rules may have a limited life (see section 56BT).
56BT Emergency rules: consequences if made
If:
(a) the Minister makes consumer data rules as described in subsection 56BS(1) (the emergency rules); and
(b) the emergency rules are made without consulting either the Commission or the Information Commissioner, or both;
the emergency rules cease to be in force 6 months after the day they are made.
Note: If the emergency rules vary other consumer data rules, this section causes only the emergency rules to cease to be in force.
A failure to comply with section 56BP, 56BQ or 56BR does not invalidate consumer data rules made under subsection 56BA(1).
Subdivision D—Fees for disclosing CDR data
56BU Charging a fee in inappropriate circumstances when required to disclose CDR data
(1) A person contravenes this subsection if:
(a) the person is a CDR participant for CDR data; and
(b) the person is required under the consumer data rules to disclose all or part of the CDR data; and
(c) the person charges (or causes to be charged) a fee for either or both of the following matters:
(i) the disclosure (or a related disclosure by a designated gateway or other CDR participant for the CDR data);
(ii) the use of the CDR data as the result of the disclosure (or of that related disclosure); and
(d) subsection (2) or any of the following subparagraphs applies:
(i) the CDR data is fee‑free CDR data;
(ii) to the extent that the fee is charged for the disclosure of chargeable CDR data—the fee purports to cover a disclosure in circumstances that are not chargeable circumstances;
(iii) to the extent that the fee is charged for the use of chargeable CDR data—the fee purports to cover use in circumstances that are not chargeable circumstances.
Note: For enforcement, see Part VI (including section 76 for an order for payment of a pecuniary penalty).
(2) This subsection applies if:
(a) any fee (the reasonable fee):
(i) that has been determined under subsection 56BV(1) or (2) for the person; or
(ii) that can be worked out from a method determined under subsection 56BV(1) or (2) for the person;
covers either or both of the matters in paragraph (1)(c) of this section; and
(b) the portion of the fee charged as described in that paragraph for those matters exceeds the corresponding portion of the reasonable fee.
Intervening for a class of CDR participants
(1) The Commission may, by legislative instrument, determine:
(a) the amount of a fee, or a method for working out the amount of a fee, that a specified class of CDR participants for specified chargeable CDR data may charge (or cause to be charged) for either or both of the following matters (the chargeable matters):
(i) the disclosure of the chargeable CDR data in chargeable circumstances because of a requirement under the consumer data rules to do so;
(ii) the use of the chargeable CDR data in chargeable circumstances as the result of such a disclosure; and
(b) the specified persons who are liable to pay that fee;
if the Commission is satisfied that the fee that the CDR participants would otherwise charge (or cause to be charged) is unreasonable having regard to the criteria in subsection (4).
Intervening for a particular CDR participant
(2) The Commission may, by written notice given to a CDR participant for specified chargeable CDR data, determine:
(a) the amount of a fee, or a method for working out the amount of a fee, that the CDR participant may charge (or cause to be charged) for either or both of the following matters (the chargeable matters):
(i) the disclosure of the chargeable CDR data in chargeable circumstances because of a requirement under the consumer data rules to do so;
(ii) the use of the chargeable CDR data in chargeable circumstances as the result of such a disclosure; and
(b) the specified persons who are liable to pay that fee;
if the Commission is satisfied that the fee that the CDR participant would otherwise charge (or cause to be charged) is unreasonable having regard to the criteria in subsection (4).
Note: The determination is reviewable (see Subdivision F).
Matters and criteria when intervening
(3) When determining an amount or method under subsection (1) or (2), the Commission must seek to ensure that the resulting fee:
(a) reflects the reasonable costs (including capital costs) necessary for the CDR participants or CDR participant to comply with this Part and the consumer data rules in relation to the chargeable matters; and
(b) is reasonable having regard to the criteria in subsection (4).
(4) The criteria for the purposes of subsections (1), (2) and paragraph (3)(b) are:
(a) the matters in subparagraphs 56AD(1)(a)(i), (ii), (iv) to (vi) and (c)(ii) and (iv); and
(b) whether a lower fee could result in an acquisition of property (within the meaning of paragraph 51(xxxi) of the Constitution) otherwise than on just terms (within the meaning of that paragraph); and
(c) whether a lower fee would reduce the incentive to generate, collect, hold or maintain CDR data of that kind; and
(d) any other matters the Commission considers relevant.
Other matters
(5) The Commission may publish a determination under subsection (2) on the Commission’s website.
(6) A fee determined under subsection (1) or (2) must not be such as to amount to taxation.
Subdivision E—Effective initiation and non‑discriminatory performance of CDR actions
56BZA Accredited persons must act efficiently, honestly and fairly when initiating CDR actions etc.
A person contravenes this section if:
(a) the person is an accredited person; and
(b) the person’s accreditation authorises the person to initiate a type of CDR action; and
(c) the person engages in conduct that includes:
(i) proposing to a potential CDR consumer for a CDR action of that type that the person give a valid instruction under the consumer data rules for the performance of the CDR action; or
(ii) giving a valid instruction under the consumer data rules for the performance of a CDR action of that type; and
(d) the person fails to act efficiently, honestly and fairly in relation to a matter described in subparagraph (c)(i) or (ii).
Note: For enforcement, see Part VI (including section 76 for an order for payment of a pecuniary penalty).
A person contravenes this section if:
(a) the person is an accredited person; and
(b) the person’s accreditation authorises the person to initiate a type of CDR action; and
(c) the person purports to give a valid instruction:
(i) for the performance of a CDR action of that type; and
(ii) to an action service provider for a CDR action of that type; and
(iii) on behalf of a CDR consumer for the CDR action; and
(d) when purporting to give that instruction:
(i) there was no valid request by the consumer, made in accordance with the consumer data rules, for the giving of that instruction; or
(ii) the person had failed to comply with a requirement in the consumer data rules for giving a valid instruction for a CDR action of that type.
Note: For enforcement, see Part VI (including section 76 for an order for payment of a pecuniary penalty).
A person contravenes this section if:
(a) the person is an action service provider for a type of CDR action; and
(b) the person is given a valid instruction under the consumer data rules to perform a CDR action of that type; and
(c) the person fails to perform the CDR action in accordance with the valid instruction; and
(d) having regard to criteria in the consumer data rules, the person would ordinarily perform actions of that type in the course of the person’s business.
Note: For enforcement, see Part VI (including section 76 for an order for payment of a pecuniary penalty).
No discrimination against CDR action instructions via fees
(1) A person contravenes this subsection if:
(a) the person is an action service provider for a type of CDR action; and
(b) the person is given a valid instruction under the consumer data rules to perform a CDR action of that type; and
(c) the person charges (or causes to be charged) one or more fees for either or both of the following matters:
(i) processing the valid instruction;
(ii) performing the CDR action in accordance with the valid instruction; and
(d) either subsection (2) or (3) applies to those fees.
Note: For enforcement, see Part VI (including section 76 for an order for payment of a pecuniary penalty).
First case—charging inappropriate fees at the instruction layer
(2) This subsection applies to fees, to the extent they are for processing the valid instruction, if:
(a) the consumer data rules have not declared, as described in subsection 56BGA(2), that fees may be charged (or caused to be charged) for processing valid instructions for CDR actions of that type; or
(b) the fees for processing the valid instruction exceed any fees:
(i) determined under subsection 56BZE(1) or (2) for the person; or
(ii) worked out from a method determined under subsection 56BZE(1) or (2) for the person;
for processing the valid instruction.
Note: This protects the integrity of the CDR action regime by discouraging the person from charging inappropriate fees at the instruction layer.
Second case—charging higher than ordinary fees at the action layer
(3) This subsection applies to fees, to the extent they are for performing the CDR action in accordance with the valid instruction, if those fees exceed the fees that the person would ordinarily charge for performing actions of that type in the course of the person’s business.
Note: This confirms that the person can continue to charge what the person ordinarily charges at the action layer, but no more than this.
(4) To work out the fees that the person would ordinarily charge for performing actions of that type in the course of the person’s business, have regard to any criteria specified in the consumer data rules.
Intervening for a class of action service providers
(1) The Commission may, by legislative instrument, determine:
(a) the amount of a fee that a specified class of action service providers for a type of CDR action may charge (or cause to be charged) for processing a valid instruction for a CDR action of that type; or
(b) a method for working out the amount of such a fee;
if subsection (3) applies for the fee and CDR actions of that type.
Intervening for a particular action service provider
(2) The Commission may, by written notice given to an action service provider for a type of CDR action, determine:
(a) the amount of a fee that the provider may charge (or cause to be charged) for processing a valid instruction for a CDR action of that type; or
(b) a method for working out the amount of such a fee;
if subsection (3) applies for the fee and CDR actions of that type.
Note: The determination is reviewable (see Subdivision F).
Conditions in order to intervene
(3) This subsection applies for a fee and a type of CDR action if:
(a) the consumer data rules have declared, as described in subsection 56BGA(2), that fees may be charged (or caused to be charged) for processing valid instructions for CDR actions of that type; and
(b) the Commission is satisfied that the fee that would otherwise be charged (or caused to be charged) is unreasonable having regard to the criteria in subsection (5).
Matters and criteria when intervening
(4) When determining an amount or method under subsection (1) or (2), the Commission must seek to ensure that the resulting fee:
(a) reflects the reasonable costs (including capital costs) necessary for the providers or provider to comply with this Part and the consumer data rules in relation to processing the valid instruction; and
(b) is reasonable having regard to the criteria in subsection (5).
(5) The criteria for the purposes of subsection (3) and paragraph (4)(b) are:
(a) the matters in subparagraphs 56AD(1)(a)(i), (ii) and (iv) to (vi); and
(b) the marginal cost of processing the valid instruction in accordance with the consumer data rules; and
(c) whether a lower fee could result in an acquisition of property (within the meaning of paragraph 51(xxxi) of the Constitution) otherwise than on just terms (within the meaning of that paragraph); and
(d) whether a lower fee would reduce the incentive to perform actions of that type; and
(e) any other matters the Commission considers relevant.
Other matters
(6) The Commission may publish a determination under subsection (2) on the Commission’s website.
(7) A fee determined under subsection (1) or (2) must not be such as to amount to taxation.
Subdivision F—Review by the Tribunal of determinations about certain fees
56BZF Review by the Tribunal of determinations about fees of particular participants or providers
(1) If the Commission makes a determination under subsection 56BV(2) or 56BZE(2):
(a) the CDR participant or action service provider specified in the determination; or
(b) a person whose interests are affected by the determination;
may apply in writing to the Tribunal for a review of the determination.
(2) An application under this section for a review of a determination must be made within 21 days after the day the Commission made the determination.
(3) If the Tribunal receives an application under this section for a review of a determination, the Tribunal must review the determination.
56BZG Functions and powers of Tribunal
(1) On a review of a determination made under subsection 56BV(2) or 56BZE(2), the Tribunal:
(a) may make a decision affirming, setting aside or varying the determination; and
(b) for the purposes of the review, may perform all the functions and exercise all the powers of the Commission.
(2) A decision by the Tribunal affirming, setting aside or varying such a determination is taken for the purposes of this Act (other than this Subdivision) to be a determination of the Commission.
(3) For the purposes of a review by the Tribunal, the member of the Tribunal presiding at the review may require the Commission to give such information, make such reports and provide such other assistance to the Tribunal as the member specifies.
(4) For the purposes of a review, the Tribunal may have regard to any information given, documents produced or evidence given to the Commission in connection with the making of the determination to which the review relates.
Note: Division 2 of Part IX applies to proceedings before the Tribunal.
56BZH Provisions that do not apply in relation to a Tribunal review
Division 1 of Part IX does not apply in relation to a review by the Tribunal of a determination made under subsection 56BV(2) or 56BZE(2).
Subdivision G—Prohibitions on holding out
56BZI Prohibition on holding out that a person is something they are not—offence
(1) A person commits an offence if the person holds out that:
(a) the person is an accredited person; or
(b) the person is an accredited person holding an accreditation that has been granted at a particular level (see paragraph 56BH(1)(d)); or
(c) the person is an accredited person holding an accreditation that authorises the person to do something (see paragraph 56BH(1)(da)); or
(d) the person is an accredited data recipient of CDR data; or
(e) the person is an accredited action initiator for a type of CDR action; or
(f) the person is an action service provider for a type of CDR action; or
(g) the person is approved as an action service provider at a particular level (see paragraph 56BHA(1)(d)); or
(h) the person’s approval as an action service provider authorises the person to do something (see paragraph 56BHA(1)(e));
if that is not the case.
Penalty—body corporate
(2) An offence against subsection (1) committed by a body corporate is punishable on conviction by a fine of not more than the greater of the following:
(a) $10,000,000;
(b) if the court can determine the value of the benefit that the body corporate, and any body corporate related to the body corporate, have obtained directly or indirectly and that is reasonably attributable to the commission of the offence—3 times the value of that benefit;
(c) if the court cannot determine the value of that benefit—10% of the adjusted turnover of the body corporate during the 12‑month period ending at the end of the month in which the commission of the offence happened or began.
Penalty—other persons
(3) An offence against subsection (1) committed by a person other than a body corporate is punishable on conviction by imprisonment for not more than 5 years, a fine of not more than $500,000, or both.
56BZJ Prohibition on holding out that a person is something they are not—civil penalty
A person must not hold out that:
(a) the person is an accredited person; or
(b) the person is an accredited person holding an accreditation that has been granted at a particular level (see paragraph 56BH(1)(d)); or
(c) the person is an accredited person holding an accreditation that authorises the person to do something (see paragraph 56BH(1)(da)); or
(d) the person is an accredited data recipient of CDR data; or
(e) the person is an accredited action initiator for a type of CDR action; or
(f) the person is an action service provider for a type of CDR action; or
(g) the person is approved as an action service provider at a particular level (see paragraph 56BHA(1)(d)); or
(h) the person’s approval as an action service provider authorises the person to do something (see paragraph 56BHA(1)(e));
if that is not the case.
Note: For enforcement, see Part VI (including section 76 for an order for payment of a pecuniary penalty).
Subdivision A—Accreditation process
(1) The CDR Accreditor may, in writing, accredit a person if the CDR Accreditor is satisfied that the person meets the criteria for accreditation specified in the consumer data rules.
(2) To avoid doubt, a person may be accredited even if the person:
(a) is not a body corporate established by or under a law of the Commonwealth, of a State or of a Territory; and
(b) is neither an Australian citizen, nor a permanent resident (within the meaning of the Australian Citizenship Act 2007).
(3) An accreditation is granted on the basis that no compensation is payable if the accreditation is varied, transferred, suspended, revoked or surrendered in any way.
56CB Review of decisions refusing to accredit
Applications may be made to the Administrative Review Tribunal for review of decisions of the CDR Accreditor under subsection 56CA(1) refusing to accredit persons.
Note: For review by the Administrative Review Tribunal of decisions to vary, suspend or revoke accreditations, see subsection 56BH(4).
Subdivision B—Register of Accredited Persons
56CE Register of Accredited Persons
(1) The Accreditation Registrar must establish and maintain a register for the purposes of this Part, to be known as the Register of Accredited Persons.
(2) The Accreditation Registrar must maintain the register by electronic means.
(3) The register is not a legislative instrument.
(4) The consumer data rules may make provision for or in relation to the following:
(a) the inclusion in the register of entries for accredited persons;
(b) the correction of entries in the register;
(c) the publication or availability of all or part of the register, or of specified information in the register;
(d) any other matter relating to the content, administration or operation of the register.
56CF Evidentiary value of the register
(1) The register is admissible in any proceedings as prima facie evidence of the matters in it.
(2) The Accreditation Registrar may issue a document containing the details of a matter taken from the register.
(3) The document issued under subsection (2) is admissible in any proceedings as prima facie evidence of the matter.
56CG Appointment of the CDR Accreditor
(1) The Minister may, by written instrument, appoint as the CDR Accreditor a person who:
(a) is the accountable authority of a Commonwealth entity (within the meaning of the Public Governance, Performance and Accountability Act 2013); or
(b) is a Commonwealth entity (within the meaning of that Act).
Note 1: For variation, see subsection 33(3) of the Acts Interpretation Act 1901.
Note 2: The Commission will be the CDR Accreditor in the absence of an appointment under this subsection (see the definition of CDR Accreditor in subsection 4(1)).
(2) The Minister may, at any time by written instrument, terminate an appointment made under subsection (1).
56CH Functions, powers and annual report
(1) The functions of the CDR Accreditor are:
(a) to accredit persons under subsection 56CA(1); and
(b) such other functions as are conferred by the consumer data rules.
(2) The CDR Accreditor has the power to do all other things necessary or convenient to be done for or in connection with the performance of the CDR Accreditor’s functions.
(3) To avoid doubt, for a person who is the CDR Accreditor, both:
(a) the person’s functions and powers in their capacity other than as the CDR Accreditor (their primary capacity); and
(b) if the person is not a body corporate—the functions that may be performed, and the powers that may be exercised, by anyone appointed under a Commonwealth law to act as the person in that primary capacity;
are taken to include the functions and powers of the CDR Accreditor while the person is the CDR Accreditor.
(4) If:
(a) a person is the CDR Accreditor at any time during a period; and
(b) an annual report for the period is prepared under section 46 of the Public Governance, Performance and Accountability Act 2013:
(i) by the person in the person’s primary capacity; or
(ii) about the person in the person’s primary capacity;
the annual report must include information about the performance of the CDR Accreditor’s functions, and the exercise of the CDR Accreditor’s powers, at that time.
(1) The Minister may, by legislative instrument, give written directions to the CDR Accreditor about the performance of its functions and the exercise of its powers.
Note: Section 42 (disallowance) and Part 4 of Chapter 3 (sunsetting) of the Legislation Act 2003 do not apply to the directions (see regulations made for the purposes of paragraphs 44(2)(b) and 54(2)(b) of that Act).
(2) A direction under subsection (1) must be of a general nature only.
(3) The CDR Accreditor must comply with a direction under subsection (1).
(1) The CDR Accreditor may delegate any or all of the CDR Accreditor’s functions or powers to:
(a) an SES employee, or an acting SES employee, in the Department, in the Commission or in the Commonwealth entity appointed under paragraph 56CG(1)(b) (if any); or
(b) an APS employee who is holding or performing the duties of a specified office or position that:
(i) is in the Department, in the Commission or in the Commonwealth entity appointed under paragraph 56CG(1)(b) (if any); and
(ii) is an office or position that the CDR Accreditor is satisfied is sufficiently senior for the APS employee to perform the function or exercise the power.
(2) In doing anything under a delegation under this section, the delegate must comply with any directions of the CDR Accreditor.
Subdivision D—Accreditation Registrar
56CK Appointment of the Accreditation Registrar
(1) The Minister may, by written instrument, appoint as the Accreditation Registrar a person who:
(a) is the accountable authority of a Commonwealth entity (within the meaning of the Public Governance, Performance and Accountability Act 2013); or
(b) is a Commonwealth entity (within the meaning of that Act).
Note 1: For variation, see subsection 33(3) of the Acts Interpretation Act 1901.
Note 2: The Commission will be the Accreditation Registrar in the absence of an appointment under this subsection (see the definition of Accreditation Registrar in subsection 4(1)).
(2) The Minister may, at any time by written instrument, terminate an appointment made under subsection (1).
56CL Functions, powers and annual report
(1) The functions of the Accreditation Registrar are:
(a) those described in Subdivision B; and
(b) such other functions as are conferred by the consumer data rules.
(2) The Accreditation Registrar has the power to do all other things necessary or convenient to be done for or in connection with the performance of the Accreditation Registrar’s functions.
(3) To avoid doubt, for a person who is the Accreditation Registrar, both:
(a) the person’s functions and powers in their capacity other than as the Accreditation Registrar (their primary capacity); and
(b) if the person is not a body corporate—the functions that may be performed, and the powers that may be exercised, by anyone appointed under a Commonwealth law to act as the person in that primary capacity;
are taken to include the functions and powers of the Accreditation Registrar while the person is the Accreditation Registrar.
(4) If:
(a) a person is the Accreditation Registrar at any time during a period; and
(b) an annual report for the period is prepared under section 46 of the Public Governance, Performance and Accountability Act 2013:
(i) by the person in the person’s primary capacity; or
(ii) about the person in the person’s primary capacity;
the annual report must include information about the performance of the Accreditation Registrar’s functions, and the exercise of the Accreditation Registrar’s powers, at that time.
(1) The Minister may, by legislative instrument, give written directions to the Accreditation Registrar about the performance of its functions and the exercise of its powers.
Note: Section 42 (disallowance) and Part 4 of Chapter 3 (sunsetting) of the Legislation Act 2003 do not apply to the directions (see regulations made for the purposes of paragraphs 44(2)(b) and 54(2)(b) of that Act).
(2) A direction under subsection (1) must be of a general nature only.
(3) The Accreditation Registrar must comply with a direction under subsection (1).
(1) The Accreditation Registrar may delegate any or all of the Accreditation Registrar’s functions or powers to:
(a) an SES employee, or an acting SES employee, in the Department, in the Commission or in the Commonwealth entity appointed under paragraph 56CK(1)(b) (if any); or
(b) an APS employee who is holding or performing the duties of a specified office or position that:
(i) is in the Department, in the Commission or in the Commonwealth entity appointed under paragraph 56CK(1)(b) (if any); and
(ii) is an office or position that the Accreditation Registrar is satisfied is sufficiently senior for the APS employee to perform the function or exercise the power.
Note: For the Registrar’s functions and powers, see section 56CE.
(2) In doing anything under a delegation under this section, the delegate must comply with any directions of the Accreditation Registrar.
Division 4—External dispute resolution
56DA Minister may recognise external dispute resolution schemes
Recognising an external dispute resolution scheme
(1) The Minister may, by notifiable instrument, recognise an external dispute resolution scheme for the resolution of disputes:
(a) relating to the operation of the consumer data rules, or this Part, in relation to one or more designated sectors or types of CDR actions; and
(b) involving one or more of the following:
(i) CDR participants for CDR data;
(ii) CDR consumers for CDR data;
(iii) designated gateways for CDR data;
(iiia) CDR action participants;
(iiib) CDR consumers for CDR actions;
(iv) other persons relating to any of those designated sectors or types of CDR actions.
Note 1: The consumer data rules may require internal dispute resolution schemes, see paragraph 56BJ(g).
Note 2: For variation and repeal, see subsection 33(3) of the Acts Interpretation Act 1901.
(2) The Minister may, in the instrument under subsection (1):
(a) specify a period for which the recognition of the external dispute resolution scheme is in force; and
(b) make the recognition of the external dispute resolution scheme subject to specified conditions, including conditions relating to the conduct of an independent review of the operation of the scheme.
Before recognising an external dispute resolution scheme
(3) Before recognising an external dispute resolution scheme under subsection (1), the Minister must consider:
(a) the accessibility of the scheme; and
(b) the independence of the scheme; and
(c) the fairness of the scheme; and
(d) the accountability of the scheme; and
(e) the efficiency of the scheme; and
(f) the effectiveness of the scheme; and
(g) any other matters the Minister considers relevant.
(4) Before recognising an external dispute resolution scheme under subsection (1), the Minister must arrange for the Information Commissioner to be consulted about the scheme.
(5) A failure to comply with subsection (4) does not invalidate an instrument made under subsection (1).
This Division sets out privacy safeguards that protect the privacy or confidentiality of CDR consumers’ CDR data, whether the CDR consumers are individuals or bodies corporate.
The privacy safeguards apply mainly to accredited persons, but also to data holders, designated gateways and action service providers, in relation to their handling or future handling of the CDR data.
The circumstances in which these safeguards can apply to an accredited person include where the person is an accredited action initiator for a type of CDR action who is or may become an accredited data recipient of CDR data.
A person’s failure to comply with any of these safeguards may lead to consequences, including liability to a civil penalty (see Subdivision G) or the suspension or revocation of the person’s accreditation (see subsection 56BH(3)).
56EB Kinds of CDR data to which the privacy safeguards apply
(1) The privacy safeguards only apply to CDR data for which there are one or more CDR consumers.
Note: One requirement for CDR data to have a CDR consumer is that there needs to be at least one person who is identifiable, or reasonably identifiable, from the CDR data or from related information (see paragraph 56AI(3)(c)).
(2) The privacy safeguards apply to CDR data whether the CDR data is true or not.
56EC Relationship with other laws
Relationship with the consumer data rules
(1) If there is an inconsistency between the privacy safeguards and the consumer data rules, those safeguards prevail over those rules to the extent of the inconsistency.
(2) However, the consumer data rules are taken to be consistent with the privacy safeguards to the extent that they are capable of operating concurrently.
Note: This means that the privacy safeguards do not cover the field that they deal with.
Relationship with the Privacy Act 1988
(3) This Division does not limit Part IIIA (about credit reporting) of the Privacy Act 1988. However, the regulations may declare that in specified circumstances that Part applies in relation to CDR data as if specified provisions of that Part were omitted, modified or varied as specified in the declaration.
(4) Despite the Privacy Act 1988:
(a) the Australian Privacy Principles do not apply to an accredited data recipient of CDR data in relation to the CDR data; and
(aa) if section 56ED or 56EE applies to an accredited person in relation to CDR data—the corresponding Australian Privacy Principle does not apply to the accredited person in relation to the CDR data; and
(ab) if section 56EF or 56EG applies to a person:
(i) who is an accredited person; or
(ii) as a CDR action participant;
in relation to CDR data—the corresponding Australian Privacy Principle does not apply to the person in relation to the CDR data; and
(b) if section 56EN applies to a disclosure of CDR data by a person:
(i) who is a data holder of the CDR data; or
(ii) as an action service provider for a type of CDR action;
then Australian Privacy Principle 10 does not apply to the person in relation to that disclosure of the CDR data; and
(c) if subsection 56EP(1) applies to CDR data and a person:
(i) who is a data holder of the CDR data; or
(ii) as an action service provider for a type of CDR action;
then Australian Privacy Principle 13 does not apply to the person in relation to the CDR data; and
(d) Australian Privacy Principles 6, 7 and 11 do not apply to a designated gateway for CDR data in relation to the CDR data; and
(e) if a small business operator (within the meaning of the Privacy Act 1988) is an action service provider for a type of CDR action, the Privacy Act 1988 applies:
(i) subject to paragraphs (ab) to (c) of this subsection; and
(ii) in relation to personal information disclosed to the provider under the consumer data rules;
as if the provider were an organisation (within the meaning of the Privacy Act 1988).
Note 1: For the accredited data recipient, the privacy safeguards will apply instead.
Note 2: Section 56EN (or privacy safeguard 11) is about the quality of CDR data. Section 56EP (or privacy safeguard 13) is about correcting CDR data.
(5) Apart from paragraphs (4)(aa) to (d), this Division does not affect how the Australian Privacy Principles apply to:
(aa) an accredited person who does not become an accredited data recipient of the CDR data; or
(a) a data holder of CDR data in relation to the CDR data; or
(b) a designated gateway for CDR data in relation to the CDR data; or
(c) a person as an action service provider, for a type of CDR action, in relation to CDR data.
Note 1: Privacy safeguard 1 will apply to a data holder, designated gateway or action service provider in parallel to Australian Privacy Principle 1.
Note 2: The consumer data rules (which are made under Division 2) will affect how the Australian Privacy Principles apply. Requirements and authorisations under those rules will be requirements or authorisations under an Australian law for the purposes of the Australian Privacy Principles.
Subdivision B—Consideration of CDR data privacy
56ED Privacy safeguard 1—open and transparent management of CDR data
Object
(1) The object of this section is to ensure that each person (a CDR entity) who:
(a) is a data holder of CDR data; or
(b) is an accredited person who is or who may become an accredited data recipient of CDR data; or
(c) is a designated gateway for CDR data; or
(d) as an action service provider for a type of CDR action, has been or may be disclosed CDR data under the consumer data rules;
manages the CDR data in an open and transparent way.
Compliance with this Part etc.
(2) The CDR entity must take such steps as are reasonable in the circumstances to implement practices, procedures and systems that:
(a) will ensure that the CDR entity complies with this Part and the consumer data rules; and
(b) will enable the CDR entity to deal with inquiries or complaints from a CDR consumer for the CDR data about the CDR entity’s compliance with this Part or the consumer data rules.
Policy about the management of CDR data
(3) The CDR entity must have and maintain a clearly expressed and up‑to‑date policy that:
(a) is about the CDR entity’s management of CDR data; and
(b) is in a form approved in accordance with the consumer data rules; and
(c) contains the information required by subsections (4), (5), (6) and (6A) (as applicable).
Note: This subsection is a civil penalty provision (see section 56EU).
(4) If the CDR entity is a data holder of any CDR data, the CDR entity’s policy must contain the following information:
(a) how a CDR consumer for the CDR data may access the CDR data and seek the correction of the CDR data;
(b) how a CDR consumer for the CDR data may complain about a failure of the CDR entity to comply with this Part or the consumer data rules, and how the CDR entity will deal with such a complaint.
(5) If the CDR entity is an accredited person who is or who may become an accredited data recipient of any CDR data, the CDR entity’s policy must contain the following information:
(a) the classes of CDR data that is or may become held by (or on behalf of) the CDR entity as an accredited data recipient, and how such CDR data is held or is to be held;
(b) the purposes for which the CDR entity may collect, hold, use or disclose such CDR data with the consent of a CDR consumer for the CDR data;
(c) how a CDR consumer for such CDR data may access the CDR data and seek the correction of the CDR data;
(d) how a CDR consumer for such CDR data may complain about a failure of the CDR entity to comply with this Part or the consumer data rules, and how the CDR entity will deal with such a complaint;
(e) whether the CDR entity is likely to disclose such CDR data to accredited persons who are based overseas;
(f) if the CDR entity is likely to disclose such CDR data to accredited persons who are based overseas—the countries in which such persons are likely to be based if it is practicable to specify those countries in the policy;
(g) the circumstances in which the CDR entity may disclose such CDR data to a person who is not an accredited person;
(h) the events about which the CDR entity will notify the CDR consumers of such CDR data;
(i) the circumstances in which the CDR entity must delete or de‑identify such CDR data in accordance with a request given by a CDR consumer for the CDR data under the consumer data rules.
(6) If the CDR entity is a designated gateway for any CDR data, the CDR entity’s policy must contain the following information:
(a) an explanation of how the CDR entity, as a designated gateway, will act between persons to facilitate:
(i) the disclosure of CDR data; or
(ii) the accuracy of CDR data; or
(iii) other matters;
under the consumer data rules;
(b) how a CDR consumer for such CDR data may complain about a failure of the CDR entity to comply with this Part or the consumer data rules, and how the CDR entity will deal with such a complaint.
(6A) If the CDR entity is a person who, as an action service provider for a type of CDR action, has been or may be disclosed CDR data under the consumer data rules, the CDR entity’s policy must contain the following information:
(a) how a CDR consumer for the CDR data may access the CDR data and seek the correction of the CDR data;
(b) how a CDR consumer for the CDR data may complain about a failure of the CDR entity to comply with this Part or the consumer data rules, and how the CDR entity will deal with such a complaint.
Availability of policy etc.
(7) The CDR entity must make the CDR entity’s policy available:
(a) free of charge; and
(b) in accordance with the consumer data rules.
Note: One way the consumer data rules could require the policy to be made available is to require the policy to be made available in accordance with a data standard.
(8) If a copy of the CDR entity’s policy is requested by a CDR consumer for the CDR data, the CDR entity must give the CDR consumer a copy in accordance with the consumer data rules.
56EE Privacy safeguard 2—anonymity and pseudonymity
(1) A person who is:
(a) an accredited data recipient of CDR data; or
(b) an accredited person who may become an accredited data recipient of CDR data;
must give each CDR consumer for that CDR data the option of using a pseudonym, or not identifying themselves, when dealing with the person in relation to that CDR data.
Note: The CDR participant from whom the person acquired (or may acquire) the CDR data may be subject to a similar obligation under Australian Privacy Principle 2.
(2) That option may be given to a CDR consumer for the CDR data through a designated gateway for the CDR data.
(3) Subsection (1) does not apply in the circumstances specified in the consumer data rules.
Subdivision C—Collecting CDR data
56EF Privacy safeguard 3—soliciting CDR data from participants under the consumer data rules
(1) A person covered by column 1 of an item of the following table must not seek to collect CDR data under the consumer data rules from another person covered by column 2 of that item unless:
(a) a CDR consumer for the CDR data has validly requested this under the consumer data rules for the purposes described in column 3 of that item; and
(b) the person complies with all other requirements in the consumer data rules for the collection of the CDR data from that other person.
Soliciting CDR data from participants under the consumer data rules | |||
Item | Column 1 A person who: | Column 2 must not seek to collect CDR data from: | Column 3 unless a CDR consumer for the CDR data has requested this for the purposes of: |
1 | is an accredited person | a CDR participant for the CDR data | a use or disclosure under the consumer data rules |
2 | is acting as one of the kinds of CDR action participant | the other kind of CDR action participant | a valid instruction to be given: (a) by one of the CDR action participants (as an accredited action initiator for a type of CDR action) to the other; and (b) under the consumer data rules; and (c) for the performance of a CDR action of that type |
Note 1: For item 2, the kinds of CDR action participants are accredited action initiators and action service providers (see section 56AMD).
Note 2: For column 3 of item 2, the CDR consumer for the CDR data would need to have requested the collection of the CDR data as a CDR consumer for the CDR action.
Note 3: This subsection is a civil penalty provision (see section 56EU).
(2) Subsection (1) applies whether the collection is directly or indirectly from the person covered by column 2 of the table.
Note: The collection (whether direct or indirect) would need to be under the consumer data rules for subsection (1) to apply.
Example: The valid request referred to in column 3 of item 1 of the table could be given under the consumer data rules through a designated gateway (see section 56BG).
56EG Privacy safeguard 4—dealing with unsolicited CDR data from participants in CDR
(1) A person must destroy CDR data as soon as practicable after collecting it if:
(a) the person (the collector) collected the CDR data while covered by column 1 of an item of the following table, and from a person covered by column 2 of that item; and
(b) the collector collected the CDR data:
(i) purportedly under the consumer data rules; but
(ii) not as the result of seeking to collect the CDR data under the consumer data rules; and
(c) the collector is not required to retain the CDR data by or under an Australian law or a court/tribunal order; and
(d) in the case where item 3 of the table applies, the circumstances specified in the consumer data rules do not apply.
Dealing with unsolicited CDR data from participants in CDR | ||
Item | Column 1 A collector who: | Column 2 collects the CDR data from: |
1 | is an accredited person | a CDR participant for the CDR data |
2 | as an accredited action initiator for a type of CDR action | an action service provider for that type of CDR action |
3 | as an action service provider for a type of CDR action | an accredited action initiator for that type of CDR action |
Note: This subsection is a civil penalty provision (see section 56EU).
(2) Subsection (1) applies whether the collection is directly or indirectly from the person mentioned in column 2 of the table.
Example: For item 1 of the table, the collection could be from the CDR participant through a designated gateway (see section 56BG).
56EH Privacy safeguard 5—notifying of the collection of CDR data
If an accredited data recipient of CDR data collected the CDR data in accordance with section 56EF, the accredited data recipient must:
(a) take the steps specified in the consumer data rules to notify CDR consumers for the CDR data of the collection; and
(b) ensure that this notification:
(i) is given to those of the CDR consumers (if there are more than one) that the consumer data rules require to be notified; and
(ii) covers the matters specified in those rules; and
(iii) is given at or before the time specified in those rules.
Note 1: The accredited data recipient could have collected the CDR data in accordance with section 56EF as an accredited action initiator, and from an action service provider, for the purposes of giving a valid instruction of the kind described in item 2 of the table in that section.
Note 2: This section is a civil penalty provision (see section 56EU).
Subdivision D—Dealing with CDR data
(1) An accredited data recipient of CDR data must not use or disclose it unless:
(a) in the case of a disclosure—the disclosure is required under the consumer data rules in response to a valid request from a CDR consumer for the CDR data; or
(b) the use or disclosure is otherwise required, or authorised, under the consumer data rules; or
(c) the use or disclosure is required or authorised by or under:
(i) another Australian law; or
(ii) a court/tribunal order;
and the accredited data recipient makes a written note of the use or disclosure.
Note 1: This subsection is a civil penalty provision (see section 56EU).
Note 2: The valid request referred to in paragraph (a) could be given through a designated gateway (see section 56BG).
Note 3: The Australian Privacy Principles will not apply for subparagraph (c)(i) (see paragraph 56EC(4)(a)).
(2) A designated gateway for CDR data must not use or disclose it unless:
(a) in the case of a disclosure—the disclosure is required under the consumer data rules; or
(b) the use or disclosure is authorised under the consumer data rules; or
(c) the use or disclosure is required or authorised by or under:
(i) another Australian law; or
(ii) a court/tribunal order;
and the designated gateway makes a written note of the use or disclosure in accordance with the consumer data rules.
Note 1: This subsection is a civil penalty provision (see section 56EU).
Note 2: Australian Privacy Principle 6 will not apply for subparagraph (c)(i) (see paragraph 56EC(4)(d)).
(3) Neither subsection (1) nor (2) applies to the use or disclosure of CDR data for the purposes of direct marketing.
Note: Section 56EJ deals with the use or disclosure of CDR data for the purposes of direct marketing.
(1) An accredited data recipient of CDR data must not use or disclose it for direct marketing unless:
(a) in the case of a disclosure—the disclosure is required under the consumer data rules in response to a valid request from a CDR consumer for the CDR data; or
(b) the use or disclosure is authorised under the consumer data rules in accordance with a valid consent of a CDR consumer for the CDR data.
Note 1: This subsection is a civil penalty provision (see section 56EU).
Note 2: The valid request referred to in paragraph (a), or the valid consent referred to in paragraph (b), could be given through a designated gateway (see section 56BG).
(2) A designated gateway for CDR data must not use or disclose it for direct marketing unless:
(a) in the case of a disclosure—the disclosure is required under the consumer data rules; or
(b) the use or disclosure is authorised under the consumer data rules.
Note: This subsection is a civil penalty provision (see section 56EU).
56EK Privacy safeguard 8—overseas disclosure of CDR data by accredited data recipients
(1) If:
(a) an accredited data recipient of CDR data proposes to disclose the CDR data; and
(b) the recipient (the new recipient) of the proposed disclosure:
(i) is not in Australia or an external Territory; and
(ii) is not a CDR consumer for the CDR data;
the accredited data recipient must not make the disclosure unless:
(c) the new recipient is an accredited person; or
(d) the accredited data recipient takes reasonable steps to ensure that any act or omission by (or on behalf of) the new recipient will not, after taking into account subsection (3), contravene:
(i) subsection 56ED(3); or
(ii) another privacy safeguard penalty provision in relation to the CDR data; or
(e) the accredited data recipient reasonably believes:
(i) that the new recipient is subject to a law, or binding scheme, that provides substantially similar protection for the CDR data as the privacy safeguards provide in relation to accredited data recipients; and
(ii) that a CDR consumer for the CDR data will be able to enforce those protections provided by that law or binding scheme; or
(f) the conditions specified in the consumer data rules are met.
Note 1: This subsection is a civil penalty provision (see section 56EU).
Note 2: This subsection applies in addition to the disclosure restrictions in sections 56EI, 56EJ and 56EL.
Note 3: A similar disclosure by a data holder of the CDR data that is required under the consumer data rules will be covered by Australian Privacy Principle 8 if the CDR data is personal information about an individual.
(2) If:
(a) the accredited data recipient of the CDR data makes the disclosure to the new recipient; and
(b) none of paragraphs (1)(c), (e) and (f) apply in relation to the disclosure to the new recipient; and
(c) an act or omission by (or on behalf of) the new recipient, after taking into account subsection (3), contravenes:
(i) subsection 56ED(3); or
(ii) another privacy safeguard penalty provision in relation to the CDR data;
then the act or omission is taken to also be an act or omission by the accredited data recipient.
(3) For the purposes of paragraphs (1)(d) and (2)(c), assume that the privacy safeguards apply to the new recipient as if the new recipient were an accredited data recipient for the CDR data.
(1) If:
(a) a person is an accredited data recipient of CDR data; and
(b) the CDR data includes a government related identifier (within the meaning of the Privacy Act 1988) of a CDR consumer for the CDR data who is an individual;
the person must not adopt the government related identifier as the person’s own identifier of the CDR consumer, or otherwise use the government related identifier, unless:
(c) the adoption or use is required or authorised by or under:
(i) an Australian law other than the consumer data rules; or
(ii) a court/tribunal order; or
(d) subclause 9.3 of Australian Privacy Principle 9 applies in relation to the adoption or use.
Note: This subsection is a civil penalty provision (see section 56EU).
(2) If:
(a) a person who is an accredited data recipient of CDR data proposes to disclose the CDR data; and
(b) the CDR data includes a government related identifier (within the meaning of the Privacy Act 1988) of a CDR consumer for the CDR data who is an individual;
the person must not include the government related identifier in the disclosure unless:
(c) this is required or authorised by or under:
(i) an Australian law other than the consumer data rules; or
(ii) a court/tribunal order; or
(d) subclause 9.3 of Australian Privacy Principle 9 applies in relation to the disclosure.
Note 1: This subsection is a civil penalty provision (see section 56EU).
Note 2: This subsection applies in addition to the disclosure restrictions in sections 56EI, 56EJ and 56EK.
(3) For the purposes of paragraph (1)(d) or (2)(d), disregard paragraph 56EC(4)(a) (about the APPs not applying).
56EM Privacy safeguard 10—notifying of the disclosure of CDR data
Disclosures by data holders
(1) If a data holder of CDR data is required or authorised under the consumer data rules to disclose the CDR data to a person, the data holder must:
(a) take the steps specified in the consumer data rules to notify CDR consumers for the CDR data of the disclosure; and
(b) ensure that this notification:
(i) is given to those of the CDR consumers (if there are more than one) that the consumer data rules require to be notified; and
(ii) covers the matters specified in those rules; and
(iii) is given at or before the time specified in those rules.
Note: This subsection is a civil penalty provision (see section 56EU).
Disclosures by accredited data recipients
(2) If an accredited data recipient of CDR data discloses the CDR data, the accredited data recipient must:
(a) take the steps specified in the consumer data rules to notify CDR consumers for the CDR data of the disclosure; and
(b) ensure that this notification:
(i) is given to those of the CDR consumers (if there are more than one) that the consumer data rules require to be notified; and
(ii) covers the matters specified in those rules; and
(iii) is given at or before the time specified in those rules.
Note: This subsection is a civil penalty provision (see section 56EU).
Disclosures to designated gateways
(3) To avoid doubt, subsection (1) or (2) applies even if the disclosure of the CDR data is to a designated gateway for the CDR data as required or authorised under the consumer data rules.
Note: The designated gateway may be subject to a similar notification requirement under the consumer data rules (see paragraph 56BG(1)(c)).
Disclosures by action service providers
(4) If a person as an action service provider for a type of CDR action is required or authorised under the consumer data rules to disclose CDR data to another person, the action service provider must:
(a) take the steps specified in the consumer data rules to notify CDR consumers for the CDR data of the disclosure; and
(b) ensure that this notification:
(i) is given to those of the CDR consumers (if there are more than one) that the consumer data rules require to be notified; and
(ii) covers the matters specified in those rules; and
(iii) is given at or before the time specified in those rules.
Note: This subsection is a civil penalty provision (see section 56EU).
Subdivision E—Integrity of CDR data
56EN Privacy safeguard 11—quality of CDR data
Disclosures by data holders
(1) If a data holder of CDR data is required or authorised under the consumer data rules to disclose the CDR data, the data holder must take reasonable steps to ensure that the CDR data is, having regard to the purpose for which it is held, accurate, up to date and complete.
Note: This subsection is a civil penalty provision (see section 56EU).
Disclosures by accredited data recipients
(2) If an accredited data recipient of CDR data is disclosing the CDR data when:
(a) required under the consumer data rules to do so in response to a valid request from a CDR consumer for the CDR data; or
(b) otherwise required, or authorised, under the consumer data rules to do so;
the accredited data recipient must take reasonable steps to ensure that the CDR data is, having regard to the purpose for which it is held, accurate, up to date and complete.
Note 1: This subsection is a civil penalty provision (see section 56EU).
Note 2: The valid request referred to in paragraph (a) could be given through a designated gateway (see section 56BG).
Disclosures by action service providers
(2A) If a person as an action service provider for a type of CDR action is required or authorised under the consumer data rules to disclose CDR data, the action service provider must take reasonable steps to ensure that the CDR data is, having regard to the purpose for which it is held, accurate, up to date and complete.
Note: This subsection is a civil penalty provision (see section 56EU).
Becoming aware after disclosure that the CDR data was incorrect—advising CDR consumer
(3) If a person:
(a) makes a disclosure referred to in subsection (1), (2) or (2A) for a CDR consumer for CDR data; and
(b) later becomes aware that some or all of the CDR data was incorrect when it was disclosed because, having regard to the purpose for which it was held, it was inaccurate, out of date or incomplete;
the person must advise the CDR consumer accordingly in accordance with the consumer data rules.
Note: This subsection is a civil penalty provision (see section 56EU).
Becoming aware after disclosure that the CDR data was incorrect—disclosing corrected CDR data
(4) A person, who is required by subsection (3) to advise a CDR consumer for CDR data that some or all of the CDR data was incorrect when it was earlier disclosed, must:
(a) correct the CDR data; and
(b) disclose the corrected CDR data, in accordance with the consumer data rules, to the recipient of the earlier disclosure;
if the person:
(c) is requested to do so by the CDR consumer in accordance with the consumer data rules; or
(d) is required to do so by the consumer data rules.
Note: This subsection is a civil penalty provision (see section 56EU).
(4A) Subsection (4) does not apply in the circumstances specified in the consumer data rules.
Purpose for which the CDR data was held
(5) When working out the purpose for which the CDR data is or was held, disregard the purpose of holding the CDR data so that it can be disclosed as required under the consumer data rules.
Note: This subsection is relevant for subsections (1), (2) and (2A) and paragraph (3)(b).
(1) Each person (a CDR entity) who is:
(a) an accredited data recipient of CDR data; or
(b) a designated gateway for CDR data;
must take the steps specified in the consumer data rules to protect the CDR data from:
(c) misuse, interference and loss; and
(d) unauthorised access, modification or disclosure.
Note: This subsection is a civil penalty provision (see section 56EU).
(2) If:
(a) the CDR entity no longer needs any of that CDR data for either of the following purposes (the redundant data):
(i) a purpose permitted under the consumer data rules;
(ii) a purpose for which the person is able to use or disclose it in accordance with this Division; and
(b) the CDR entity is not required to retain the redundant data by or under an Australian law or a court/tribunal order; and
(c) the redundant data does not relate to any current or anticipated:
(i) legal proceedings; or
(ii) dispute resolution proceedings;
to which the CDR entity is a party;
the CDR entity must take the steps specified in the consumer data rules to destroy the redundant data or to ensure that the redundant data is de‑identified.
Note 1: This subsection is a civil penalty provision (see section 56EU).
Note 2: Australian Privacy Principle 11 will not apply for paragraph (b) (see paragraph 56EC(4)(a) or (d)).
Subdivision F—Correction of CDR data
56EP Privacy safeguard 13—correction of CDR data
Obligation on data holders and action service providers
(1) If:
(a) a CDR consumer for CDR data gives a request to the following person (the CDR entity):
(i) a data holder of the CDR data (including a request given through a designated gateway for the CDR data);
(ii) a person as an action service provider for a type of CDR action; and
(b) the request is for the CDR entity to correct the CDR data, and is not given in response to advice from the CDR entity under subsection 56EN(3); and
(c) the CDR entity was earlier required or authorised under the consumer data rules to disclose the CDR data;
the CDR entity must respond to the request to correct the CDR data by taking such steps as are specified in the consumer data rules to deal with each of the matters in subsection (3) of this section.
Note 1: This subsection is a civil penalty provision (see section 56EU).
Note 2: Subsection 56EN(4) applies instead of this subsection if the request is given in response to advice from the CDR entity under subsection 56EN(3).
Obligation on accredited data recipients
(2) If:
(a) a CDR consumer for CDR data gives a request to an accredited data recipient of the CDR data (including a request given through a designated gateway for the CDR data); and
(b) the request is for the accredited data recipient to correct the CDR data, and is not given in response to advice from the accredited data recipient under subsection 56EN(3);
the accredited data recipient must respond to the request by taking such steps as are specified in the consumer data rules to deal with each of the matters in subsection (3) of this section.
Note 1: This subsection is a civil penalty provision (see section 56EU).
Note 2: Subsection 56EN(4) applies instead of this subsection if the request is given in response to advice from the accredited data recipient under subsection 56EN(3).
Relevant matters when responding to correction requests
(3) The matters are as follows:
(a) either:
(i) to correct the CDR data; or
(ii) to include a statement with the CDR data, to ensure that, having regard to the purpose for which the CDR data is held, the CDR data is accurate, up to date, complete and not misleading;
(b) to give notice of any correction or statement, or notice of why a correction or statement is unnecessary or inappropriate.
(4) When working out the purpose for which the CDR data is held (see subparagraph (3)(a)(ii)), disregard the purpose of holding the CDR data so that it can be disclosed as required under the consumer data rules.
Subdivision G—Compliance with the privacy safeguards
56EQ Information Commissioner to promote compliance etc.
(1) The Information Commissioner has the following functions:
(a) making guidelines for the avoidance of acts or practices that may breach the privacy safeguards;
(b) promoting an understanding and acceptance of the privacy safeguards;
(c) undertaking educational programs for the purposes of promoting the protection of CDR data.
Note: The Information Commissioner also has functions that relate to this Part more broadly (see section 56GA).
Extra matters about guidelines under paragraph (1)(a)
(2) Before making guidelines under paragraph (1)(a), the Information Commissioner must consult the Minister and the Commission about the proposed guidelines.
(3) The Information Commissioner may publish guidelines made under paragraph (1)(a) in such manner as the Information Commissioner considers appropriate.
(4) If there is an inconsistency between the guidelines made under paragraph (1)(a) and the consumer data rules, those rules prevail over the guidelines to the extent of the inconsistency.
(5) Guidelines made under paragraph (1)(a) are not a legislative instrument.
Extra matters about educational programs under paragraph (1)(c)
(6) The educational programs referred to in paragraph (1)(c) may be undertaken by:
(a) the Information Commissioner; or
(b) a person or authority acting on behalf of the Information Commissioner.
(1) The Information Commissioner may assess whether a CDR participant, or designated gateway, for CDR data is maintaining and handling the CDR data in accordance with:
(a) the privacy safeguards; or
(b) the consumer data rules to the extent that those rules relate to:
(i) the privacy safeguards; or
(ii) the privacy or confidentiality of the CDR data.
(1A) The Information Commissioner may assess whether an accredited person who may become an accredited data recipient of CDR data is complying with:
(a) section 56ED (about privacy safeguard 1); or
(b) the consumer data rules to the extent that those rules relate to that section.
(1B) The Information Commissioner may assess whether an action service provider for a type of CDR action, who has been or may be disclosed CDR data under the consumer data rules, is maintaining and handling the CDR data in accordance with:
(a) the privacy safeguards; or
(b) the consumer data rules to the extent that those rules relate to:
(i) the privacy safeguards; or
(ii) the privacy or confidentiality of the CDR data.
(2) The Information Commissioner may conduct an assessment under subsection (1), (1A) or (1B) in such manner as the Information Commissioner considers fit.
(3) The Information Commissioner may report to the Minister, the Commission or the Data Standards Chair about an assessment under subsection (1), (1A) or (1B).
56ES Notification of CDR data security breaches
Object
(1) The object of this section is for Part IIIC of the Privacy Act 1988 to apply to an accredited data recipient, or designated gateway, that holds a CDR consumer’s CDR data in a corresponding way to the way that Part applies to an entity that holds an individual’s personal information.
Note: That Part is about notification of eligible data breaches.
Extended application of Part IIIC of the Privacy Act 1988
(2) Part IIIC of the Privacy Act 1988, and any other provision of that Act that relates to that Part, also apply in relation to:
(a) an accredited data recipient of CDR data; or
(b) a designated gateway for CDR data;
as if the substitutions in the following table, and the modifications in subsection (3), were made.
Substitutions to be made | ||
Item | Subject to subsection (4), for a reference in Part IIIC to … | … substitute a reference to … |
1 | any of the following: (a) personal information; (b) information | CDR data. |
2 | any of the following: (a) entity; (b) APP entity; (c) APP entity, credit reporting body, credit provider or file number recipient, as the case may be | each of the following: (a) accredited data recipient; (b) designated gateway. |
3 | any of the following: (a) individual to whom information relates; (b) individual | CDR consumer for CDR data. |
Note: When CDR data and the other terms in the last column of the table appear in this notional version of Part IIIC, they have the same meanings as in this Act.
(3) For the purposes of subsection (2), assume that:
(a) sections 26WB to 26WD of the Privacy Act 1988 were not enacted; and
(b) subsection 26WE(1) of that Act were replaced with the following:
“Scope
(1) This section applies if:
(a) CDR data of one or more CDR consumers is held by (or on behalf of) either of the following entities (the CDR entity):
(i) an accredited data recipient of the CDR data;
(ii) a designated gateway for the CDR data; and
(b) section 56EO (about privacy safeguard 12) of the Competition and Consumer Act 2010 applies to the CDR entity in relation to the CDR data.”.
(4) For the purposes of the table in subsection (2):
(a) for item 1 of the table, disregard the following references to information in Part IIIC of the Privacy Act 1988:
(ia) the last reference in section 26WA;
(i) the last reference in paragraph 26WG(h);
(ii) the reference in the note to section 26WG;
(iii) all references in Division 4 of Part IIIC other than the reference in paragraph 26WU(2)(e); and
(b) for item 2 of the table, disregard each reference to entity in paragraphs 26WF(1)(f), (2)(f), (3)(f), (4)(f) and (5)(f) of the Privacy Act 1988.
56ET Investigating breaches of the privacy safeguards etc.
Breaches to which this section applies
(1) This section applies to a breach (a privacy safeguard breach) of any of the following:
(a) one or more of the privacy safeguards;
(b) the consumer data rules to the extent that those rules relate:
(i) to one or more of the privacy safeguards; or
(ii) to the privacy or confidentiality of CDR data;
(c) section 26WH, 26WK or 26WL or subsection 26WR(10) of the Privacy Act 1988, as they apply because of section 56ES of this Act;
in relation to the CDR data of:
(d) a CDR consumer who is an individual; or
(e) a small business (within the meaning of the Privacy Act 1988) carried on by a CDR consumer for the CDR data.
(2) This section also applies to a breach of section 56ED (privacy safeguard 1).
Object
(3) The object of this section is for Part V of the Privacy Act 1988 to apply to an act or practice:
(a) of a CDR participant, designated gateway, accredited person or action service provider for a type of CDR action; and
(b) that may be:
(i) a privacy safeguard breach relating to CDR data covered by subsection (1); or
(ii) a breach of section 56ED (privacy safeguard 1);
in a corresponding way to the way that Part applies to an act or practice of an organisation, person or entity that may be an interference with the privacy of an individual or a breach of Australian Privacy Principle 1.
Note: That Part is about investigations of interferences with privacy etc. The Information Commissioner also has the power, under Division 1AC of Part VIB of the Privacy Act 1988, to investigate contraventions of civil penalty provisions in Division 5 of Part IVD of this Act.
Extended application of Part V of the Privacy Act 1988
(4) Part V of the Privacy Act 1988, and any other provision of that Act that relates to that Part, also apply in relation to:
(a) a CDR participant for CDR data; or
(b) a designated gateway for CDR data; or
(c) an accredited person who may become an accredited data recipient of CDR data; or
(d) an action service provider for a type of CDR action, who has been or may be disclosed CDR data under the consumer data rules;
as if the substitutions in the following table, and the modifications in subsection (5), were made.
Substitutions to be made | ||
Item | Subject to subsection (6), for a reference in Part V to … | … substitute a reference to … |
1 | interference with the privacy of an individual | a privacy safeguard breach relating to the CDR data of: (a) a CDR consumer who is an individual; or (b) a small business (within the meaning of the Privacy Act 1988) carried on by a CDR consumer for the CDR data. |
2 | Australian Privacy Principle 1 | section 56ED (privacy safeguard 1) of this Act. |
3 | individual | a person who: (a) is a CDR consumer for the CDR data to which the privacy safeguard breach (or possible privacy safeguard breach) relates; and (b) is an individual, or is carrying on a small business (within the meaning of the Privacy Act 1988) to which the CDR data relates. |
4 | recognised external dispute resolution scheme | an external dispute resolution scheme for which an instrument is in force under subsection 56DA(1) of this Act. |
Note: When CDR data and the other terms in the last column of the table appear in this notional version of Part V, they have the same meanings as in this Act.
(5) For the purposes of subsection (4), assume that:
(a) subsection 5B(4) of the Privacy Act 1988 were not enacted; and
(b) section 36 of that Act also stated that:
(i) in the case of a complaint about an act or practice of a CDR participant—the CDR participant is the respondent; or
(ii) in the case of a complaint about an act or practice of a designated gateway—the designated gateway is the respondent; or
(iii) in the case of a complaint about an act or practice of an accredited person who may become an accredited data recipient of CDR data—the accredited person is the respondent; or
(iv) in the case of a complaint about an act or practice of an action service provider for a type of CDR action, who has been or may be disclosed CDR data under the consumer data rules—the action service provider is the respondent; and
(c) subsections 36(6) to (8), section 37, subsections 40(1B), 43(1A), (8), (8A) and (9) and 48(2), section 50A, sub‑subparagraph 52(1)(b)(i)(A) and sections 53A and 53B of that Act were not enacted; and
(d) the paragraphs in each of subsections 55B(1) and (3) of that Act were replaced by:
(i) a paragraph that states that an act or practice of a specified CDR participant for CDR data has breached a privacy safeguard; and
(ii) a paragraph that states that an act or practice of a specified designated gateway for CDR data has breached a privacy safeguard; and
(iii) a paragraph that states that an act or practice of an accredited person who may become an accredited data recipient of CDR data has breached a privacy safeguard; and
(iv) a paragraph that states that an act or practice of an action service provider for a type of CDR action, who has been or may be disclosed CDR data under the consumer data rules, has breached a privacy safeguard; and
(e) Division 4 of Part V, and subsection 63(2A), of that Act were not enacted.
(6) For the purposes of item 3 of the table in subsection (4), disregard the reference to individual in the heading to section 39 of the Privacy Act 1988.
The provisions of this Division that are civil penalty provisions
(1) For the purposes of subparagraph 79(2)(a)(ii) of the Regulatory Powers Act, each of the following provisions of this Division (the privacy safeguard penalty provisions) is a civil penalty provision:
(a) subsection 56ED(3);
(b) subsection 56EF(1);
(c) subsection 56EG(1);
(d) section 56EH;
(e) subsection 56EI(1) or (2);
(f) subsection 56EJ(1) or (2);
(g) subsection 56EK(1);
(h) subsection 56EL(1) or (2);
(i) subsection 56EM(1), (2) or (4);
(j) subsection 56EN(1), (2), (2A), (3) or (4);
(k) subsection 56EO(1) or (2);
(l) subsection 56EP(1) or (2).
Enforceable civil penalty provisions
(2) Each privacy safeguard penalty provision is enforceable under Part 4 of the Regulatory Powers Act.
Note: Part 4 of the Regulatory Powers Act allows a civil penalty provision to be enforced by obtaining an order for a person to pay a pecuniary penalty for the contravention of the provision.
Authorised applicant
(3) For the purposes of Part 4 of the Regulatory Powers Act, the Information Commissioner is an authorised applicant in relation to each privacy safeguard penalty provision.
Relevant court
(4) For the purposes of Part 4 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to each privacy safeguard penalty provision:
(a) the Federal Court;
(b) the Federal Circuit and Family Court of Australia (Division 2);
(c) a court of a State or Territory that has jurisdiction in relation to the matter.
Act or omission also contravening a civil penalty provision of the consumer data rules
(5) If an act or omission constitutes:
(a) a contravention of one or more of the privacy safeguard penalty provisions; and
(b) a contravention of one or more civil penalty provisions of the consumer data rules;
proceedings may be instituted against a person in relation to the contravention of any one or more of those provisions.
Note 1: The proceedings for a contravention referred to in paragraph (a) would be instituted under Part 4 of the Regulatory Powers Act.
Note 2: The proceedings for a contravention referred to in paragraph (b) would be instituted under Part VI of this Act.
(6) However, the person is not liable to more than one pecuniary penalty under:
(a) Part 4 of the Regulatory Powers Act for a contravention referred to in paragraph (5)(a) of this section; and
(b) Part VI of this Act for a contravention referred to in paragraph (5)(b) of this section;
in relation to the same act or omission.
Note: This means the person cannot be liable for a pecuniary penalty for a contravention of the privacy safeguards, and for a pecuniary penalty for a contravention of the consumer data rules, in relation to the same act or omission.
56EV Civil penalty provisions—maximum amount of penalty
(1) Despite subsection 82(5) of the Regulatory Powers Act, the pecuniary penalty payable:
(a) by a person; and
(b) under a civil penalty order under Part 4 of that Act (as that Part applies because of section 56EU of this Act);
must not be more than the maximum penalty amount worked out under this section for a contravention by the person.
Maximum amount of civil penalty for a body corporate
(2) For the purposes of subsection (1), the maximum penalty amount for a contravention by a body corporate of a privacy safeguard penalty provision is the greater of the following:
(a) $10,000,000;
(b) if the relevant court (see subsection 56EU(4)) can determine the value of the benefit that the body corporate, and any body corporate related to the body corporate, have obtained directly or indirectly and that is reasonably attributable to the contravention—3 times the value of that benefit;
(c) if that court cannot determine the value of that benefit—10% of the adjusted turnover of the body corporate during the 12‑month period ending at the end of the month in which the contravention happened or began.
Maximum amount of civil penalty for other persons
(4) For the purposes of subsection (1), the maximum penalty amount for a contravention by a person other than a body corporate of a privacy safeguard penalty provision is $500,000.
Enforceable provisions
(1) Each provision of the privacy safeguards is enforceable under Part 6 of the Regulatory Powers Act.
Note: Part 6 of the Regulatory Powers Act creates a framework for accepting and enforcing undertakings relating to compliance with provisions.
Authorised person
(2) For the purposes of Part 6 of the Regulatory Powers Act, the Information Commissioner is an authorised person in relation to each provision referred to in subsection (1).
Relevant court
(3) For the purposes of Part 6 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to each provision referred to in subsection (1):
(a) the Federal Court;
(b) the Federal Circuit and Family Court of Australia (Division 2);
(c) a court of a State or Territory that has jurisdiction in relation to the matter.
Enforceable provisions
(1) Each provision of the privacy safeguards is enforceable under Part 7 of the Regulatory Powers Act.
Note: Part 7 of the Regulatory Powers Act creates a framework for using injunctions to enforce provisions.
Authorised person
(2) For the purposes of Part 7 of the Regulatory Powers Act, the Information Commissioner is an authorised person in relation to each provision referred to in subsection (1).
Relevant court
(3) For the purposes of Part 7 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to each provision referred to in subsection (1):
(a) the Federal Court;
(b) the Federal Circuit and Family Court of Australia (Division 2);
(c) a court of a State or Territory that has jurisdiction in relation to the matter.
Right to bring an action for damages
(1) A person who suffers loss or damage (within the meaning of subsection 25(1) of the Privacy Act 1988) by an act or omission:
(a) of another person; and
(b) that was in contravention of:
(i) a provision of the privacy safeguards; or
(ii) the consumer data rules to the extent that those rules relate to the privacy safeguards or to the privacy or confidentiality of CDR data;
may recover the amount of the loss or damage by action against that other person or against any person involved in the contravention.
Note: Subsections 84(2) and (4) (about attributing conduct engaged in on behalf of a person) apply for the purposes of this section.
(2) An action under subsection (1) may be commenced at any time within 6 years after the day on which the contravention happened or began.
Findings in related proceedings to be prima facie evidence
(3) If a finding of any fact is made by a court in relation to a person, or an admission of any fact is made by a person, in proceedings:
(a) under the Regulatory Powers Act (as that Act applies because of this Subdivision) in which the person is found to have contravened a provision of the privacy safeguards; or
(b) under Part VI of this Act in which the person is found to:
(i) have contravened; or
(ii) have been involved in a contravention;
of the consumer data rules to the extent that those rules relate to the privacy safeguards or to the privacy or confidentiality of CDR data;
the finding or admission is prima facie evidence of that fact in any proceeding under subsection (1) against the person.
(4) The finding or admission may be proved by production of:
(a) in any case—a document under the seal of the court from which the finding or admission appears; or
(b) in the case of an admission—a document from which the admission appears that is filed in the court.
Jurisdiction etc.
(5) The following are conferred with jurisdiction to hear and determine actions under subsection (1):
(a) the Federal Circuit and Family Court of Australia (Division 2);
(b) subject to the Constitution, the several courts of the Territories.
This subsection does not enable an inferior court of a Territory to grant a remedy of a kind that the court is unable to grant under the law of that Territory.
Note: State courts and the Federal Court also have jurisdiction for these actions (see subsection 39(2) and paragraph 39B(1A)(c) of the Judiciary Act 1903).
(6) Section 86AA (about limits on jurisdiction) applies to proceedings under subsection (1) of this section in a corresponding way to the way that section applies to proceedings under section 82.
(7) Section 86A (about transfer of matters) applies in relation to a proceeding under subsection (1) of this section as if paragraph 86A(1)(b) also referred to a matter for determination arising under:
(a) a provision of the privacy safeguards; or
(b) the consumer data rules to the extent that those rules relate to the privacy safeguards or to the privacy or confidentiality of CDR data.
Involved in a contravention
(8) Subsection 75B(1) applies to a reference that:
(a) is in this section; and
(b) is to a person involved in a contravention covered by paragraph (1)(b) of this section;
in a corresponding way to the way that subsection 75B(1) applies to a reference in Part VI to a person involved in a contravention of section 56CD.
56EZ Delegation to the Commission etc.
(1) This section applies in relation to the following functions or powers (the safeguard enforcement functions or powers):
(a) the Information Commissioner’s functions or powers under section 56ER;
(b) the Information Commissioner’s functions or powers under Part IIIC or V of the Privacy Act 1988, as those Parts apply because of sections 56ES and 56ET of this Act;
(c) the Information Commissioner’s functions or powers under Part 4, 6 or 7 of the Regulatory Powers Act, that are conferred because of this Subdivision.
(2) The Information Commissioner may delegate, in writing, any of the safeguard enforcement functions or powers to:
(a) the Commission; or
(b) a member of the Commission; or
(c) a member of the staff of the Commission referred to in section 27 of this Act.
(3) However, the Information Commissioner must not delegate a safeguard enforcement function or power under subsection (2) unless:
(a) the Commission has agreed to the delegation in writing; and
(b) in the case of a delegation to a staff member referred to in paragraph (2)(c)—the Commission is satisfied that the staff member:
(i) is an SES employee or acting SES employee; or
(ii) is holding or performing the duties of a sufficiently senior office or position for the function or power.
Division 6—Data standards etc.
(1) The Data Standards Chair may, by writing, make one or more data standards about each of the following matters:
(a) the format and description of CDR data;
(b) the disclosure of CDR data;
(c) the collection, use, accuracy, storage, security and deletion of CDR data;
(d) de‑identifying CDR data, including so that it no longer relates to:
(i) an identifiable person; or
(ii) a person who is reasonably identifiable;
(da) the format and description of a valid instruction for the performance of a type of CDR action;
(db) the giving of a valid instruction for the performance of a type of CDR action;
(e) other matters prescribed by the regulations.
Note: For variation and repeal, see subsection 33(3) of the Acts Interpretation Act 1901.
Complying with consumer data rules when making standards etc.
(2) The Data Standards Chair must comply with the consumer data rules when:
(a) making a data standard; or
(b) varying or revoking a data standard;
including complying with any related requirements specified in those rules about approval, consultation and the formation of committees, advisory panels and consultative groups.
Note: The rules could, for example, require a proposed data standard to be approved by the Commission before it is made.
(3) Without limiting subsection (2), the Data Standards Chair must:
(a) make, under subsection (1), a data standard about a particular matter mentioned in subsection (1) if the consumer data rules so requires; and
(b) specify in that data standard that it is binding if the consumer data rules so requires.
A data standard is a binding data standard if it is made under subsection (1) in accordance with paragraph (b) of this subsection.
Data standards are not legislative instruments
(4) A data standard made under subsection (1) is not a legislative instrument.
56FB What data standards can set out etc.
(1) Without limiting subsection 56FA(1), a single data standard may set out:
(a) different provisions for different designated sectors; or
(b) different provisions for different classes of CDR data; or
(ba) different provisions for different types of CDR actions; or
(c) different provisions for different classes of persons specified, as described in paragraph 56AC(2)(b), in an instrument designating a sector under subsection 56AC(2); or
(ca) different provisions for different classes of action service providers for types of CDR actions; or
(d) different provisions for different classes of accredited persons.
(2) Without limiting subsection 56FA(1), a separate data standard could deal with:
(a) each of the different designated sectors referred to in paragraph (1)(a) of this section; or
(b) each of the different classes or types referred to in any of paragraphs (1)(b) to (d) of this section.
56FC Data standards must be published
The Data Standards Chair must publish on the internet a copy of each data standard made under subsection 56FA(1).
Note: Once published, the data standards will be available for free.
56FD Legal effect of data standards
(1) A contract is taken to be in force between:
(a) a data holder of CDR data to which a binding data standard applies; and
(b) each accredited person;
under which each of those persons:
(c) agrees to observe the standard to the extent that the standard applies to the person; and
(d) agrees to engage in conduct that the person is required by the standard to engage in.
Note: This means the data holder will be taken to have a separate contract with each accredited person.
(2) If there is a designated gateway for CDR data to which a binding data standard applies, a contract is taken to be in force between:
(a) a data holder of the CDR data; and
(b) the designated gateway for the CDR data; and
(c) each accredited person;
under which each of those persons:
(d) agrees to observe the standard to the extent that the standard applies to the person; and
(e) agrees to engage in conduct that the person is required by the standard to engage in.
Note: This means the data holder will be taken to have a separate 3‑party contract with the designated gateway and each accredited person.
(2A) A contract is taken to be in force between:
(a) an action service provider for a type of CDR action to which a binding data standard applies; and
(b) each accredited action initiator for a CDR action of that type;
under which each of those persons:
(c) agrees to observe the standard to the extent that the standard applies to the person; and
(d) agrees to engage in conduct that the person is required by the standard to engage in.
Note: This means the action service provider will be taken to have a separate contract with each of those accredited action initiators.
(3) However, if there is an inconsistency between a data standard, and the consumer data rules, those rules prevail over the standard to the extent of the inconsistency.
56FE Enforcement of binding data standards
(1) If a person who is under an obligation to comply with a binding data standard fails to meet that obligation, an application to the Court may be made by:
(a) the Commission; or
(b) a person aggrieved by the failure.
(2) After giving an opportunity to be heard to the applicant and the person against whom the order is sought, the Court may make an order giving directions to:
(a) the person against whom the order is sought; or
(b) if that person is a body corporate—the directors of the body corporate;
about compliance with, or enforcement of, the binding data standard.
(3) Without limiting subsection (1), an obligation to comply with a binding data standard includes an obligation arising under a contract referred to in section 56FD.
Subdivision B—Data Standards Chair
There is to be a Data Standards Chair.
56FG Appointment of the Data Standards Chair
(1) The Data Standards Chair is to be appointed, on a full‑time basis or a part‑time basis, by the Minister by written instrument.
(2) The Data Standards Chair holds office for the period specified in the instrument of appointment. The period must not exceed 3 years.
Note 1: The Minister will be the Data Standards Chair in the absence of an appointment under this section (see the definition of Data Standards Chair in subsection 4(1)).
Note 2: The Data Standards Chair may be reappointed (see section 33AA of the Acts Interpretation Act 1901).
56FH Functions and powers of the Data Standards Chair
(1) The functions of the Data Standards Chair are:
(a) to make standards under Subdivision A; and
(b) to review those standards regularly; and
(c) such other functions as are prescribed by the regulations.
(2) The Data Standards Chair has the following powers:
(a) the power to establish committees, advisory panels and consultative groups;
(b) the power to do all other things necessary or convenient to be done for or in connection with the performance of the Chair’s functions.
(1) The Minister may, by legislative instrument, give written directions to the Data Standards Chair about the performance of the Chair’s functions and the exercise of the Chair’s powers.
Note: Section 42 (disallowance) and Part 4 of Chapter 3 (sunsetting) of the Legislation Act 2003 do not apply to the directions (see regulations made for the purposes of paragraphs 44(2)(b) and 54(2)(b) of that Act).
(2) A direction under subsection (1) must be of a general nature only.
(3) The Data Standards Chair must comply with a direction under subsection (1).
Subdivision C—Data Standards Body
56FJ Appointment of the Data Standards Body
(1) The Minister may, by written instrument, appoint as the Data Standards Body:
(a) the Department; or
(b) another Commonwealth entity (within the meaning of the Public Governance, Performance and Accountability Act 2013).
Note: For variation, see subsection 33(3) of the Acts Interpretation Act 1901.
(2) The Minister may, at any time by written instrument, terminate an appointment made under subsection (1).
56FK Function and powers of the Data Standards Body
(1) The function of the Data Standards Body is to assist the Data Standards Chair.
(2) The Data Standards Body has the power to do all other things necessary or convenient to be done for or in connection with the performance of the Data Standards Body’s function.
(3) The Data Standards Body must comply with the consumer data rules when assisting the Data Standards Chair, including complying with any requirements specified in those rules about:
(a) the Body’s composition; or
(b) the Body’s governance or processes.
(4) To avoid doubt, for a body that is the Data Standards Body, the body’s functions and powers in its capacity other than as the Data Standards Body are taken to include the function and powers of the Data Standards Body while it is the Data Standards Body.
Subdivision D—Administrative provisions
The Minister may, by written instrument, appoint a person to act as the Data Standards Chair:
(a) during a vacancy in the office of Data Standards Chair (whether or not an appointment has previously been made to the office); or
(b) during any period, or during all periods, when the Data Standards Chair:
(i) is absent from duty or from Australia; or
(ii) is, for any reason, unable to perform the duties of the office.
Note: For rules that apply to acting appointments, see sections 33AB and 33A of the Acts Interpretation Act 1901.
(1) The Data Standards Chair holds office on the terms and conditions (if any) in relation to matters not covered by this Division that are determined by the Minister.
(2) Subsection (1) does not apply while the Data Standards Chair is the Minister.
(1) The Data Standards Chair is to be paid the remuneration that is determined by the Remuneration Tribunal. If no determination of that remuneration by the Tribunal is in operation, the Data Standards Chair is to be paid the remuneration that is prescribed by the regulations.
(2) The Data Standards Chair is to be paid the allowances that are prescribed by the regulations.
(3) This section has effect subject to the Remuneration Tribunal Act 1973.
(4) Subsections (1) and (2) do not apply while the Data Standards Chair is the Minister.
(1) If the Data Standards Chair is appointed on a full‑time basis, the Data Standards Chair has the recreation leave entitlements that are determined by the Remuneration Tribunal.
(2) If the Data Standards Chair is appointed on a full‑time basis, the Minister may grant the Data Standards Chair leave of absence, other than recreation leave, on the terms and conditions as to remuneration or otherwise that the Minister determines.
(3) If the Data Standards Chair is appointed on a part‑time basis, the Secretary of the Department may grant leave of absence to the Data Standards Chair on the terms and conditions that the Secretary determines.
56FP Application of the finance law etc.
(1) For the purposes of the finance law (within the meaning of the Public Governance, Performance and Accountability Act 2013), the Data Standards Chair is taken to be an official of the Department.
Note: A consequence of this subsection is that the Secretary of the Department will be the accountable authority (within the meaning of that Act) applicable to the Data Standards Chair.
(2) The Secretary of the Department, when preparing the Department’s annual report under section 46 of the Public Governance, Performance and Accountability Act 2013 for a period, must include information in that report about:
(a) the performance of the Data Standards Chair’s functions; and
(b) the exercise of the Data Standards Chair’s powers;
during the period.
(3) If at any time the Data Standards Chair is the Minister then:
(a) subsections (1) and (2) do not apply; and
(b) the Department’s annual report under section 46 of that Act for the period that includes that time must include information about the performance of the Data Standards Chair’s functions, and the exercise of the Data Standards Chair’s powers, at that time.
(1) The Data Standards Chair may resign the Data Standards Chair’s appointment by giving the Minister a written resignation.
(2) The resignation takes effect on the day it is received by the Minister or, if a later day is specified in the resignation, on that later day.
56FR Termination of appointment
(1) The Minister may terminate the appointment of the Data Standards Chair:
(a) for misbehaviour; or
(b) if the Data Standards Chair is unable to perform the duties of the Data Standards Chair’s office because of physical or mental incapacity.
(2) The Minister may terminate the appointment of the Data Standards Chair if:
(a) the Data Standards Chair:
(i) becomes bankrupt; or
(ii) applies to take the benefit of any law for the relief of bankrupt or insolvent debtors; or
(iii) compounds with the Data Standards Chair’s creditors; or
(iv) makes an assignment of the Data Standards Chair’s remuneration for the benefit of the Data Standards Chair’s creditors; or
(b) if the Data Standards Chair is appointed on a full‑time basis—the Data Standards Chair is absent, except on leave of absence, for 14 consecutive days or for 28 days in any 12‑month period; or
(c) the Data Standards Chair fails, without reasonable excuse, to comply with section 29 of the Public Governance, Performance and Accountability Act 2013 (which deals with the duty to disclose interests) or rules made for the purposes of that section.
(1) The Data Standards Chair may delegate, in writing, any or all of the Chair’s functions or powers to:
(a) an SES employee, or an acting SES employee, in the Data Standards Body, in the Department or in the Commission; or
(b) an APS employee who is holding or performing the duties of a specified office or position that:
(i) is in the Data Standards Body, in the Department or in the Commission; and
(ii) is an office or position that the Chair is satisfied is sufficiently senior for the APS employee to perform the function or exercise the power; or
(c) if there are no APS employees (including SES employees) in the Data Standards Body—a person:
(i) who holds an office or position in the Data Standards Body that the Chair considers is sufficiently senior for the person to perform the function; and
(ii) who the Chair considers has appropriate qualifications or expertise to perform the function.
(2) Subsection (1) does not apply to the function referred to in paragraph 56FH(1)(a) (about making standards).
Note: This subsection does not prevent a person who is acting as the Data Standards Chair from making a standard.
(3) In performing a delegated function or exercising a delegated power, the delegate under subsection (1) must comply with any directions of the Data Standards Chair.
56GA CDR functions of the Information Commissioner
(1) The Information Commissioner has the following functions:
(a) the functions conferred on the Information Commissioner by another provision of this Part, or by an instrument made under this Part;
(b) to consult with or advise any of the following about any matter relevant to the operation of this Part (or the operation of instruments made under this Part):
(i) the Minister;
(ii) the Secretary of the Department;
(iii) the Commission;
(iv) the Data Standards Chair.
Note: The Commission may also delegate to the Information Commissioner any of the Commission’s functions relating to this Part (see subsection 26(3)).
(2) The functions referred to in subsection (1) may be performed by the Information Commissioner on request or on the Information Commissioner’s own initiative.
56GAA Delegation by the Minister or the Secretary
Delegation by the Minister of functions or powers relating to voluntary action service providers
(1A) The Minister may, in writing, delegate all or any of the Minister’s functions or powers included:
(a) as described in paragraph 56BHA(1)(j); and
(b) in the consumer data rules;
to an SES employee, or an acting SES employee, in the Department or in the Commission.
Note: Sections 34AA to 34A of the Acts Interpretation Act 1901 contain provisions relating to delegations.
(1B) In performing a delegated function or exercising a delegated power, the delegate must comply with any written directions of the Minister.
Delegation by the Secretary
(1) The Secretary of the Department may, in writing, delegate all or any of the Secretary’s functions or powers under this Part to an SES employee, or an acting SES employee, in the Department.
Note: Sections 34AA to 34A of the Acts Interpretation Act 1901 contain provisions relating to delegations.
(2) In performing a delegated function or exercising a delegated power, the delegate must comply with any written directions of the Secretary.
56GAB Concurrent operation of other laws
The CDR provisions are not intended to exclude or limit the operation of a law of the Commonwealth, or of a State or Territory, that is capable of operating concurrently with the CDR provisions.
56GB Referring to instruments as in force from time to time
(1) This section applies to the following instruments:
(a) designations under section 56AC (about designated sectors);
(aa) CDR declarations for types of CDR actions;
(b) regulations made for the purposes of a provision of this Part;
(c) the consumer data rules;
(d) data standards.
(2) An instrument to which this section applies may make provision in relation to a matter by applying, adopting or incorporating (with or without modification) any matter contained in any other instrument or writing:
(a) as in force or existing at a particular time; or
(b) as in force or existing from time to time.
(3) Subsection (2) has effect despite subsection 14(2) of the Legislation Act 2003.
56GC Complying with CDR requirements etc.: protection from liability
(1) If a person (the CDR entity), acting as described in an item of the following table, does something mentioned in that item:
(a) in good faith; and
(b) in compliance with the CDR provisions; and
(c) in compliance with each law (if any) of the Commonwealth, of a State or of a Territory prescribed by the regulations;
the CDR entity is not liable to an action or other proceeding, whether civil or criminal, for or in relation to the thing in that item.
Doing a CDR thing in good faith in compliance with the CDR provisions etc. | ||
Item | When acting: | the things are: |
1 | (a) as a data holder of CDR data; or (b) as an accredited data recipient of CDR data; or (c) as a designated gateway for CDR data | (a) providing the data to another person; or (b) otherwise allowing another person access to the data. |
2 | as an accredited action initiator for a type of CDR action | giving an instruction that is a valid instruction for the performance of a CDR action of that type. |
3 | as an action service provider for a type of CDR action | processing an instruction that is a valid instruction for the performance of a CDR action of that type. |
Note 1: Item 3 of the table is focussing on the instruction layer not the action layer, and so does not cover performance of the CDR action.
Note 2: A defendant bears an evidential burden in relation to the matter in this subsection for a criminal action or criminal proceeding (see subsection 13.3(3) of the Criminal Code).
(2) A person who wishes to rely on subsection (1) in relation to a civil action or civil proceeding bears an evidential burden in relation to that matter.
(3) In this section:
evidential burden, in relation to a matter, means the burden of adducing or pointing to evidence that suggests a reasonable possibility that the matter exists or does not exist.
56GD Exemptions by the Commission
(1) The provisions covered by this section are:
(a) the following provisions:
(i) the provisions of this Part;
(ii) the provisions of regulations made for the purposes of the provisions of this Part;
(iii) the provisions of the consumer data rules; and
(b) definitions in this Act, or in the regulations or consumer data rules, as they apply to references in provisions referred to in paragraph (a).
(2) The Commission may, by written notice given to a person, exempt the person in relation to:
(a) particular CDR data or one or more classes of CDR data; or
(b) a particular CDR action or one or more types of CDR actions;
from all or specified provisions covered by this section.
(3) An exemption under subsection (2):
(a) may or may not be limited to a specified period; and
(b) may apply unconditionally or subject to specified conditions.
(4) The Commission must publish on its website the details of each exemption under subsection (2).
(5) Applications may be made to the Administrative Review Tribunal for review of a decision of the Commission exempting, or refusing to exempt, a person under subsection (2).
56GE Exemptions and modifications by regulations
(1) The provisions covered by this section are:
(a) the following provisions:
(i) the provisions of this Part;
(ii) the provisions of regulations made for the purposes of the provisions of this Part;
(iii) the provisions of the consumer data rules; and
(b) definitions in this Act, or in the regulations or consumer data rules, as they apply to references in provisions referred to in paragraph (a).
(2) The regulations may:
(a) exempt a particular person in relation to:
(i) particular CDR data or one or more classes of CDR data; or
(ii) a particular CDR action or one or more types of CDR actions;
from all or specified provisions covered by this section; or
(b) exempt a class of persons in relation to:
(i) particular CDR data or one or more classes of CDR data; or
(ii) a particular CDR action or one or more types of CDR actions;
from all or specified provisions covered by this section; or
(c) declare that provisions covered by this section apply in relation to:
(i) a particular person in relation to particular CDR data or one or more classes of CDR data; or
(ii) a class of persons in relation to particular CDR data or one or more classes of CDR data; or
(iii) a particular person in relation to a particular CDR action or one or more types of CDR actions; or
(iv) a class of persons in relation to a particular CDR action or one or more types of CDR actions;
as if specified provisions were omitted, modified or varied as specified in the declaration.
(3) An exemption under paragraph (2)(a) or (b), or a declaration under paragraph (2)(c):
(a) may or may not be limited to a specified period; and
(b) may apply unconditionally or subject to specified conditions.
56GF Application of the CDR provisions
(1) The CDR provisions apply to a person if:
(a) the person is a corporation; or
(b) the person is not a corporation, but the person:
(i) acts; or
(ii) omits to act;
in a way that affects, is capable of affecting or is taken with intent to affect the activities, functions, relationships or business of a corporation.
Note: For the meaning of corporation, see subsection 4(1).
(2) The CDR provisions also apply to:
(i) a postal, telegraphic, telephonic or other like service (within the meaning of paragraph 51(v) of the Constitution); or
(ii) the business of banking, other than State banking (within the meaning of paragraph 51(xiii) of the Constitution) not extending beyond the limits of the State concerned; or
(iii) the business of insurance, other than State insurance (within the meaning of paragraph 51(xiv) of the Constitution) not extending beyond the limits of the State concerned; or
(b) a person (whether or not a corporation):
(i) making a supply or communication; or
(ii) conducting an activity or otherwise doing something;
using a postal, telegraphic, telephonic or other like service (within the meaning of paragraph 51(v) of the Constitution); or
(i) trade or commerce between Australia and places outside Australia; or
(ii) trade or commerce among the States; or
(iii) trade or commerce within a Territory, between a State or Territory or between 2 Territories; or
(d) an individual who is being, has been or is at risk of being subjected to interference, or attacks, of the kind described in paragraph 1 of Article 17 of the ICCPR; or
(e) a person (whether or not a corporation) who is undertaking, has undertaken or could undertake interference, or attacks, of the kind described in paragraph 1 of Article 17 of the ICCPR.
(3) Paragraphs (2)(d) and (e) give effect to Australia’s obligations under the ICCPR.
(4) Section 6 (about the application of this Act to persons who are not corporations) does not apply in relation to the CDR provisions.
(5) In this section:
ICCPR means the International Covenant on Civil and Political Rights, done at New York on 16 December 1966, as amended and in force for Australia from time to time.
Note: The text of the International Covenant is set out in Australian Treaty Series 1980 No. 23 ([1980] ATS 23). In 2024, the text of a Covenant in the Australian Treaty Series was accessible through the Australian Treaties Library on the AustLII website (www.austlii.edu.au).
56GG Compensation for acquisition of property
(1) This section applies if the operation of the CDR provisions would result in an acquisition of property (within the meaning of paragraph 51(xxxi) of the Constitution) from a person otherwise than on just terms (within the meaning of that paragraph).
(2) The person who acquires the property is liable to pay a reasonable amount of compensation to the first‑mentioned person.
(3) If the 2 persons do not agree on the amount of the compensation, the person to whom compensation is payable may institute proceedings in:
(a) the Federal Court; or
(b) the Supreme Court of a State or Territory;
for the recovery from the other person of such reasonable amount of compensation as the Court determines.
56GH Review of the operation of this Part
(1) The Minister must cause an independent review to be conducted of the operation of this Part.
(2) The persons who conduct the review must complete it, and give the Minister a written report of the review, before 1 July 2022.
(3) The Minister must cause copies of the report to be tabled in each House of the Parliament within 15 sitting days of that House after the report is given to the Minister.
Part IVE—Motor vehicle service and repair information sharing scheme
Division 1—Objects of Part and simplified outline
The objects of this Part are to:
(a) promote competition between Australian repairers of passenger and light goods motor vehicles and establish a fair playing field by mandating access, on fair and reasonable commercial terms, to information used to diagnose, repair, service, modify or dismantle scheme vehicles; and
Note: These vehicles are defined as scheme vehicles (see section 57BA).
(b) enable consumers to have scheme vehicles diagnosed, repaired, serviced, modified or dismantled safely and effectively by an Australian repairer of their choice; and
(c) encourage the provision of accessible and affordable information about scheme vehicles to Australian repairers, and to registered training organisations (for training purposes); and
(d) protect safety and security information about scheme vehicles to ensure the safety and security of consumers, information users and the general public; and
(e) provide for the resolution of disputes about the application of this Part.
This Part sets up a scheme to improve access by Australian motor vehicle repairers and registered training organisations (called “scheme RTOs”) to information used to diagnose faults with, service, repair, modify or dismantle motor vehicles covered by the scheme.
Such information (called “scheme information”) is required to be offered for supply to Australian repairers and scheme RTOs at a price that does not exceed fair market value.
Those who supply scheme information (called “data providers”) to Australian repairers and scheme RTOs are protected from certain civil claims in doing so.
To protect the safety and security of vehicle owners, individuals working for an Australian repairer or scheme RTO who access scheme information relating to vehicle safety and security must satisfy certain criteria relating to whether they are fit and proper persons to have access to such information.
Sensitive information about such individuals may be obtained by data providers for this purpose. The handling of such information is also restricted under this Part. The information cannot be made available to anyone outside Australia (including to any data provider).
Provision is made for resolving disputes about the application of the Part.
Provision is made for a scheme adviser. The scheme adviser’s functions include facilitating mediation of disputes between data providers and Australian repairers or scheme RTOs, and providing information about the operation of the scheme.
57BA Meaning of scheme vehicle
A scheme vehicle is:
(a) a light goods vehicle, within the meaning of a national road vehicle standard made under the Road Vehicle Standards Act 2018 that specifies definitions and vehicle categories for the purposes of that Act, that was manufactured on or after:
(i) 1 January 2002; or
(ii) a later date prescribed by the scheme rules; or
(b) a passenger vehicle (other than an omnibus), within the meaning of a national road vehicle standard made under the Road Vehicle Standards Act 2018 that specifies definitions and vehicle categories for the purposes of that Act, that was manufactured on or after:
(i) 1 January 2002; or
(ii) a later date prescribed by the scheme rules; or
(c) another kind of vehicle prescribed by the scheme rules.
57BB Meaning of Australian repairer
A person is an Australian repairer to the extent that the person carries on or actively seeks to carry on, in Australia, a business that involves diagnosing faults with, servicing, repairing, modifying or dismantling scheme vehicles.
Note: In some State and Territory jurisdictions, a person may need to hold a licence or particular qualifications to lawfully carry on such a business.
57BC Meaning of scheme RTO and RTO course
A scheme RTO is a registered training organisation that provides, or seeks to provide, a course (an RTO course) in Australia providing training in diagnosing faults with, servicing, repairing, modifying or dismantling scheme vehicles.
Note: RTO is short for registered training organisation.
57BD Meaning of scheme information
Main definition
(1) Scheme information is information in relation to scheme vehicles prepared by or for manufacturers of scheme vehicles (or their related bodies corporate) for use in diagnosing faults with, servicing or repairing those vehicles, as supplied to the market.
Exceptions
(2) However, scheme information does not include any of the following:
(a) a trade secret;
(b) the intellectual property of a person, other than intellectual property protected under the Copyright Act 1968;
(c) a source code version of a program;
(d) data automatically generated and transmitted by a scheme vehicle, while it is being driven, regarding driver or vehicle performance;
(e) global positioning system data;
(f) information supplied, or to be supplied, only to a restricted number of Australian repairers for the purposes of developing solutions to emerging or unexpected faults with a scheme vehicle;
(g) information that is commercially sensitive about an agreement between a data provider and another person;
(h) information relating to an automated driving system of a scheme vehicle;
(i) any other information prescribed by the scheme rules.
Note: Scheme information may include safety and security information (see the definition of safety and security information in section 57BF). However, for restrictions on the supply of safety and security information to Australian repairers and scheme RTOs: see section 57DB.
(3) An automated driving system is a system which has a SAE level of 3 or greater under the Surface Vehicle Information Report J3016 published by SAE International, as amended from time to time.
Note: The Report, as amended to 2021, could in 2021 be viewed on SAE International’s website (https://www.sae.org).
A data provider is:
(a) a corporation carrying on a business that includes supplying, to any extent and whether directly or indirectly, scheme information to one or more Australian repairers or scheme RTOs; or
(b) any person who carries on such a business in the course of, or in relation to, trade or commerce.
57BF Meaning of safety and security information
(1) Safety and security information, for a scheme vehicle, is either or both of the following:
(a) safety information;
(b) security information.
Note: Restrictions apply in relation to the supply of scheme information that is safety and security information: see section 57DB.
(2) Safety information, for a scheme vehicle, is information relating to any of the following systems installed in the vehicle, of a kind prescribed by the scheme rules:
(a) the hydrogen system;
(b) the high voltage system;
(c) the hybrid system;
(d) the electric propulsion system;
(e) another system prescribed by the scheme rules for the purposes of this paragraph.
(3) Security information, for a scheme vehicle, is information relating to any of the following systems installed in the vehicle, of a kind prescribed by the scheme rules:
(a) the vehicle’s mechanical and electrical security system;
(b) another system prescribed by the scheme rules for the purposes of this paragraph.
57BG Supply of scheme information between related bodies corporate
To avoid doubt, this Part applies in relation to a supply of scheme information about a scheme vehicle from a data provider to an Australian repairer even if the data provider and the Australian repairer are related bodies corporate.
Division 3—Supply of scheme information
57CA Scheme information—offer to supply to Australian repairers and scheme RTOs
Scope
(1) This section applies if a data provider supplies, or offers to supply, scheme information of one or more kinds in relation to one or more kinds of scheme vehicles to one or more Australian repairers or scheme RTOs.
Main obligation
(2) The data provider must make an offer (a scheme offer) to supply, on terms and conditions that comply with section 57CC, the same scheme information in relation to that kind, or those kinds, of vehicle to all Australian repairers and scheme RTOs:
(a) in the same form in which it is supplied or offered for supply under subsection (1); or
(b) if supply in that form is not practicable or accessible—in an electronic form that is reasonably accessible to all Australian repairers and scheme RTOs.
Note 1: A pecuniary penalty of up to $10,000,000 may be imposed for a contravention of this subsection: see section 76.
Note 2: Restrictions apply in relation to the packaging and supply of scheme information that is safety and security information: see section 57DB.
Choice of supply period in scheme offer
(3) If the form in which scheme information is supplied allows for variability in the period for which the information is supplied, the data provider must make the scheme offer on terms and conditions that include provision for the supply of the scheme information:
(a) for any period nominated by an Australian repairer or scheme RTO; or
(b) by day, by month and by year.
Civil penalty:
(a) for a body corporate—600 penalty units; and
(b) for a person other than a body corporate—120 penalty units.
Scheme offer not to exceed fair market price
(4) The data provider must make a scheme offer for the supply of the scheme information in relation to a particular make, model or year of scheme vehicle at a price (the scheme price) that does not exceed the fair market value of the information, as determined by reference to matters including those covered by subsection (5).
Note: A pecuniary penalty of up to $10,000,000 may be imposed for a contravention of this subsection: see section 76.
(5) For the purposes of subsection (4), this subsection covers the following matters:
(a) the price charged to other Australian repairers and scheme RTOs for supplying scheme information (whether under this Part or otherwise) in relation to a scheme vehicle:
(i) of that particular make, model and year; or
(ii) if pricing is not available for information in relation to a scheme vehicle of that particular make, model and year—pricing for information in relation to a scheme vehicle of a similar make, model and year;
(b) the terms and conditions on which such scheme information is offered for supply to Australian repairers and scheme RTOs (whether under this Part or otherwise), including as to the permitted use of the information, the means of access to the information, the number of permitted users, and the frequency or duration of use of the information;
(c) the anticipated demand by Australian repairers and scheme RTOs for supply of the scheme information on the basis of the scheme offer;
(d) the reasonable recovery of costs incurred in creating, producing and providing the scheme information for supply on the basis of the scheme offer;
(e) the price charged for the supply of information similar to scheme information in overseas markets;
(f) the amount (if any) payable by the data provider to any person who has a proprietary interest in the scheme information.
Note: A data provider must pay compensation to a person whose copyright is infringed by a supply of scheme information: see subsection 57CD(3).
Publication of scheme offer
(6) The data provider must publish the scheme offer:
(a) in English; and
(b) on the internet; and
(c) in a form that is accessible free of charge.
Civil penalty:
(a) for a body corporate—600 penalty units; and
(b) for a person other than a body corporate—120 penalty units.
(7) The data provider must:
(a) as soon as reasonably practicable after it publishes a scheme offer under subsection (6)—provide a copy of the scheme offer, in writing, to the scheme adviser; and
(b) notify the scheme adviser, in writing, as soon as reasonably practicable after any change to the scheme offer.
Civil penalty:
(a) for a body corporate—600 penalty units; and
(b) for a person other than a body corporate—120 penalty units.
57CB Scheme information—supply on request by Australian repairers or scheme RTOs
Scope
(1) This section applies if:
(a) a data provider makes, or is required to make, a scheme offer to supply scheme information in relation to a particular make, model and year of scheme vehicle; and
(b) either:
(i) an Australian repairer has a need to access the scheme information for that particular make, model and year of scheme vehicle in carrying on the Australian repairer’s business; or
(ii) a scheme RTO has a need to access the scheme information to provide an RTO course; and
(c) the Australian repairer or scheme RTO requests, in writing, the data provider to supply the scheme information about that particular make, model and year of scheme vehicle; and
(d) the Australian repairer or scheme RTO pays, or offers to pay, the scheme price, or another agreed price, for the scheme information.
Note: Restrictions apply in relation to the supply of scheme information that is safety and security information: see section 57DB.
Supply of scheme information
(2) The data provider must supply the scheme information to the Australian repairer or scheme RTO:
(a) in accordance with terms and conditions that comply with section 57CC; and
(b) within the period covered by subsection (3).
Note: A pecuniary penalty of up to $10,000,000 may be imposed for a contravention of this subsection: see section 76.
(3) For the purposes of subsection (2), the period covered by this subsection:
(a) starts when (at the payment or offer time) the Australian repairer or scheme RTO pays, or offers to pay, the scheme price, or another agreed price, for the scheme information; and
(b) in the circumstances described in column 1 of an item of the following table, ends at the time described in column 2 of that item.
Period for supply of scheme information | ||
Item | Column 1 | Column 2 |
| If … | the period ends … |
1 | (a) either: (i) the data provider has previously supplied the scheme information in the form requested to the Australian repairer or scheme RTO, or to any other person; or (ii) the scheme information is readily accessible by the data provider and can be provided in the form requested; and (b) item 2 of this table does not apply | immediately after the payment or offer time. |
2 | paragraph (a) of item 1 of this table applies to the scheme information, but: (a) the scheme information is, or includes, safety and security information; and (b) the data provider has not been given the information required to determine whether or not the scheme information may be supplied under section 57DB; and (c) as a result, the scheme information cannot be provided immediately after the payment or offer time | at the end of 2 business days after the day on which the Australian repairer or scheme RTO provides the required information to the data provider. |
3 | items 1 and 2 of this table do not apply | at the later of the following times: (a) at a time agreed by the data provider and the Australian repairer or scheme RTO; (b) at the end of 5 business days after the payment or offer time. |
Data provider to notify scheme adviser of terms and conditions of supply
(4) If the data provider supplies scheme information to an Australian repairer or scheme RTO under this Part, the data provider must, within 2 business days after the supply, notify the scheme adviser, in writing, of the terms and conditions of the supply, including the price for which the information is supplied.
Civil penalty:
(a) for a body corporate—600 penalty units; and
(b) for a person other than a body corporate—120 penalty units.
57CC Scheme information—terms and conditions of supply and use
Terms and conditions of supply generally
(1) Subject to this section, nothing in this Part prevents a data provider from supplying scheme information under this Part subject to reasonable terms and conditions that do not prevent, restrict or limit the access to, or use of, the information for the purposes of diagnosing faults with, servicing, repairing, modifying or dismantling scheme vehicles.
Prohibited terms or conditions
(2) However, a data provider must not enter into a contract for the supply of scheme information under this Part that contains any of the following terms or conditions:
(a) a term or condition requiring an Australian repairer or scheme RTO to acquire one or more services or products from the data provider or any other person;
(b) a term or condition allowing an increase, after the contract is made, in the price for the supply of the scheme information under the contract;
(c) a term or condition prohibited by the scheme rules.
Civil penalty:
(a) for a body corporate—600 penalty units; and
(b) for a person other than a body corporate—120 penalty units.
(3) A term or condition of a contract for the supply of scheme information under this Part that contravenes subsection (2) is of no effect.
57CD Scheme information—interaction of supply obligations and other rights and obligations
Data provider must comply with supply obligations despite existence of other rights and obligations
(1) A data provider must comply with an obligation under this Part in relation to scheme information even if such compliance would constitute or result in one or more of the following:
(a) an infringement of copyright by the data provider or any other person;
(b) a breach of contract in relation to the supply of the scheme information;
(c) a breach of an equitable obligation of confidence to which the data provider is subject in relation to the supply of the scheme information.
Note 1: Division 4 of Part IVA of the Copyright Act 1968 (which provides that certain uses of material by educational institutions do not infringe copyright) does not apply in relation to scheme information supplied under this Part (see paragraph 113P(1)(b) of that Act).
Note 2: A data provider is not criminally responsible for conduct that is justified or excused by or under this Part: see section 10.5 of the Criminal Code (lawful authority).
Compensation for third party copyright holders
(2) Subsection (3) applies if:
(a) a data provider supplies scheme information to an Australian repairer or scheme RTO under this Part; and
(b) a person (the third party claimant) holds copyright in relation to some or all of the scheme information that is the subject of the supply; and
(c) the supply constitutes or results in an infringement of the copyright of the third party claimant; and
(d) apart from this section, the infringement would constitute an acquisition of property otherwise than on just terms (within the meaning of paragraph 51(xxxi) of the Constitution).
(3) The data provider must pay to the third party claimant an amount that represents compensation on just terms (within the meaning of paragraph (xxxi) of the Constitution) for the supply of the scheme information to the Australian repairer or scheme RTO.
(4) An amount payable by the data provider under subsection (3):
(a) is a debt due by the data provider to the third party claimant; and
(b) may be recovered by action in a court of competent jurisdiction.
(5) In a civil action by a third party claimant against a data provider for infringement of copyright in relation to scheme information supplied, or offered for supply, under this Part, it is a defence if the data provider proves that:
(a) the data provider was required to supply the scheme information, or offer to supply the scheme information, under this Part; and
(b) the data provider has paid to the third party claimant the compensation required to be paid under subsection (3).
Division 4—Information management
57DA Safety and security information—packaging
A data provider must, in a scheme offer, separate safety and security information from other scheme information to the extent it is reasonably practicable to do so.
Civil penalty:
(a) for a body corporate—600 penalty units; and
(b) for a person other than a body corporate—120 penalty units.
57DB Safety and security information—supply to Australian repairers and scheme RTOs
Supply of safety and security information—restrictions on supply
(1) A data provider must not supply scheme information under this Part that is, or includes, safety and security information for a scheme vehicle of a particular make, model and year unless:
(a) there are reasonable grounds, based on information provided by the Australian repairer or scheme RTO, to believe that the requirements covered by subsection (2) are satisfied in relation to the scheme information for that vehicle; and
(b) the Australian repairer or scheme RTO has provided the required declaration, or declarations, covered by subsection (3) in relation to that vehicle.
Civil penalty:
(a) for a body corporate—600 penalty units; and
(b) for a person other than a body corporate—120 penalty units.
(2) The requirements covered by this subsection are that:
(a) the safety and security information is solely for use by an individual or individuals:
(i) in the case of an Australian repairer—for the purposes of the Australian repairer’s business; or
(ii) in the case of a scheme RTO—for the purposes of providing an RTO course; and
(b) based only on personal information about the individual covered by subsection (6), the individual is a fit and proper person to access and use the safety and security information.
(3) The required declarations covered by this subsection are that:
(a) if security information is to be supplied—a declaration:
(i) confirming that the Australian repairer or scheme RTO is authorised by the owner of the scheme vehicle to access and use the security information for that vehicle; and
(ii) specifying the vehicle identification number of the vehicle; and
(b) in any case, if the scheme rules prescribe a standard in relation to premises at which work is to be carried out on scheme vehicles of that particular make, model and year—a declaration that the premises used by the Australian repairer or scheme RTO comply with that standard.
Fit and proper persons
(4) An individual is a fit and proper person to access and use safety and security information if the individual meets the criteria (the prescribed safety and security criteria) prescribed by the scheme rules.
(5) For the purposes of subsection (4), different criteria may be prescribed in relation to each of the following:
(a) safety information;
(b) security information.
Personal information
(6) For the purposes of paragraph (2)(b), the following personal information about an individual is covered by this subsection:
(a) the individual’s name and residential address;
(b) information about the individual’s relationship to the Australian repairer or scheme RTO (as the case may be);
(c) the individual’s qualifications for using the safety and security information for the applicable purpose mentioned in paragraph (2)(a);
(d) a criminal records check about the individual;
(e) any other information (except sensitive information) prescribed by the scheme rules relevant to working out whether the individual is a fit and proper person to access and use the safety and security information.
Note: This section applies despite section 57CB (which deals with the supply of scheme information on request by an Australian repairer or scheme RTO).
(7) The scheme rules may prescribe matters in relation to the circumstances in which personal information covered by subsection (6) may be sought or given.
57DC Safety and security information—use or disclosure of sensitive information
Scope
(1) This section applies in relation to sensitive information if:
(a) the information is about an individual mentioned in paragraph 57DB(2)(a); and
(b) the information is obtained by a data provider for the purpose of determining whether the individual is a fit and proper person to access and use safety and security information; and
(c) the data provider is a small business operator within the meaning of the Privacy Act 1988; and
(d) that Act would not, apart from this section, apply to the data provider in relation to the information about the individual.
Note: The Privacy Act 1988 generally does not apply in relation to small business operators, except in relation to certain activities (see sections 6C to 6E of that Act).
Application of Privacy Act 1988
(2) Subject to this Division, the Privacy Act 1988 applies in relation to the sensitive information as if the data provider were an organisation within the meaning of that Act.
(3) The administration of this section is a privacy function for the purposes of the Australian Information Commissioner Act 2010.
Note: See the definition of privacy function in section 9 of the Australian Information Commissioner Act 2010.
57DD Safety and security information—storage of, and access to, sensitive information
Scope
(1) This section applies in relation to sensitive information if:
(a) the information is about an individual mentioned in paragraph 57DB(2)(a); and
(b) the information is obtained by a data provider for the purposes of determining whether the individual is a fit and proper person to access and use safety and security information.
Sensitive information must be stored in Australia
(2) If a data provider holds the sensitive information, the data provider must store the information in Australia or an external Territory.
Civil penalty:
(a) for a body corporate—1,500 penalty units; and
(b) for a person other than a body corporate—300 penalty units.
Preventing access to sensitive information outside Australia
(3) A person must not do anything that might reasonably enable the sensitive information to be accessed outside Australia by the data provider, or any other person.
Civil penalty:
(a) for a body corporate—1,500 penalty units; and
(b) for a person other than a body corporate—300 penalty units.
57DE Security information—records of access
Scope
(1) This section applies if a data provider supplies security information about a scheme vehicle to an Australian repairer or a scheme RTO under this Part.
Note: For restrictions on the supply of such information, see section 57DB.
Record‑keeping requirement
(2) The data provider must keep a record of the supply of the security information for a period of 5 years after the day it is supplied, including the following:
(a) the time and date of supply;
(b) the name and contact details of the Australian repairer or scheme RTO;
(c) any personal information used by the data provider to determine whether an individual is a fit and proper person to access and use the security information;
(d) the vehicle identification number of each vehicle for which the security information is supplied;
(e) details of the security information supplied.
Note: For restrictions on the use and disclosure of the information mentioned in paragraph (c), see sections 57DB and 57DC.
Civil penalty:
(a) for a body corporate—600 penalty units; and
(b) for a person other than a body corporate—120 penalty units.
This Division applies to a dispute about the operation of this Part.
A party to the dispute (the initiating party) may initiate action to resolve the dispute against another party (the responding party) in accordance with the procedure set out in this Division.
57EC Right to bring proceedings unaffected
This Division does not affect the right of the initiating party or the responding party to bring legal proceedings, under this Act or otherwise.
57ED Attempt to resolve dispute before mediation
(1) If the initiating party wishes to initiate action to resolve the dispute in accordance with this Division, the initiating party must give written notice to the responding party of the following:
(a) the nature of the dispute;
(b) the matter that is the subject of the dispute;
(c) the way in which that matter relates to the application of this Part;
(d) what outcome the initiating party wants;
(e) what action the initiating party thinks will resolve the dispute.
(2) The parties must then try to resolve the dispute.
Note: For when a party is taken to have tried to resolve a dispute, see section 57EE.
(3) If the parties cannot agree how to resolve the dispute within 2 business days, either party may refer the matter to a mediator for mediation under this Division.
(4) If the parties cannot agree on who should be the mediator, either party may request the scheme adviser to nominate a mediator.
(5) Within 2 business days after a request is made under subsection (4), the scheme adviser must nominate a mediator for the dispute.
57EE When is a party taken to have tried to resolve a dispute?
For the purposes of this Division, a party is taken to have tried to resolve a dispute if the party approaches the resolution of the dispute in a reconciliatory manner, including by doing any of the following:
(a) attending and participating in meetings at reasonable times;
(b) responding to communications to the party within a reasonable time;
(c) if the party has agreed to use a technical expert in resolving the dispute—considering the opinions of the technical expert;
(d) if a mediation process is being used to try to resolve the dispute—both:
(i) making the party’s intention clear, at the beginning of the process, as to what the party is trying to achieve through the process; and
(ii) observing any obligations relating to confidentiality that apply during or after the process.
(1) Subject to this section, a mediator appointed by the parties to a dispute may decide the time and place for mediation.
(2) The mediator may, with the agreement of the parties to the dispute, appoint a technical expert to assist in the resolution of the dispute.
(3) Unless the mediation is conducted using the technology referred to in subsection (4), the mediation must be conducted in Australia.
(4) The mediation may be conducted using any technology that allows a person to participate in the mediation without being physically present at the mediation.
(5) The parties must attend the mediation.
Civil penalty:
(a) for a body corporate—600 penalty units; and
(b) for a person other than a body corporate—120 penalty units.
(6) For the purposes of subsection (5), a party is taken to attend mediation in the following circumstances:
(a) the party is represented at the mediation by a person who has the authority to enter into an agreement to settle the dispute on behalf of the party;
(b) the party, or the party’s authorised representative mentioned in paragraph (a), participates in the mediation using the technology referred to in subsection (4).
(7) The parties must then try to resolve the dispute.
Note: For when a party is taken to have tried to resolve a dispute, see section 57EE.
(8) Within 5 business days after the start of the mediation, the mediator must advise the scheme adviser that the mediation has started.
(1) This section applies to the mediation of a dispute if the dispute has not been resolved within 30 days after the day the mediation starts.
(2) The mediator may terminate the mediation at any time unless satisfied that a resolution of the dispute is imminent.
(3) However, if either party asks the mediator to terminate the mediation, the mediator must do so.
(4) If the mediator terminates the mediation of a dispute under this section, the mediator must issue a certificate stating the following:
(a) the names of the parties;
(b) the nature of the dispute;
(c) whether the parties attended the mediation;
(d) that the mediation has finished;
(e) that the dispute has not been resolved.
(5) The mediator must give a copy of the certificate to:
(a) the scheme adviser; and
(b) each of the parties to the dispute.
(1) The parties are equally liable for the costs of mediation under this Division unless they agree otherwise.
(2) The parties must pay their own costs of attending the mediation.
(3) The costs of mediation under this Division under subsection (1) include the following:
(a) the cost of the mediator;
(b) the cost of any additional input (including from technical experts) agreed by both parties to be necessary to conduct the mediation.
Division 6—Motor vehicle service and repair information scheme adviser
57FA Scheme adviser—establishment and appointment
(1) There is to be a motor vehicle service and repair information scheme adviser for the purposes of this Part.
(2) The Minister may, by instrument, appoint a person to be the scheme adviser.
(3) The scheme adviser is not entitled to any payment (including any remuneration or allowances) relating to this appointment.
Note: The person appointed could be a body corporate or an individual.
(1) The scheme adviser has the following functions:
(a) to nominate mediators or technical experts for the purposes of Division 5 (dispute resolution);
(b) to report to the Minister at any time or by a time specified by the Minister:
(i) on scheme prices, the terms and conditions of scheme offers or the availability of scheme information; and
(ii) about whether or not, in the scheme adviser’s opinion, particular information is, or should be, scheme information; and
(iii) about any other matter relevant to the operation of this Part;
(c) to report to the Commission about any systemic regulatory or enforcement issues relating to the operation of this Part;
(d) to provide general advice in relation to the application of this Part, but excluding any information obtained in confidence;
(e) to publish on the scheme adviser’s website annual reports about:
(i) the number and type of inquiries and disputes relating to the operation of this Part over the period of a financial year;
(ii) the number and type of disputes for which a mediator has been appointed over that period;
(iii) resolution rates for disputes for which a mediator has been appointed over that period;
(iv) other relevant matters affecting the operation of this Part over the period, including any such matter directed by the Minister in writing;
(f) to provide information online to data providers, Australian repairers and scheme RTOs about the availability of scheme information and dispute resolution under this Part, but excluding any information obtained in confidence.
(2) Information about the terms and conditions of a contract on which scheme information is supplied under this Part that is notified to the scheme adviser under subsection 57CB(4) is taken not to be information obtained in confidence, except to the extent that it identifies, or enables identification of, the parties to the contract.
(3) The scheme adviser has all the powers necessary or convenient for the performance of the functions of that office.
(4) Section 34C of the Acts Interpretation Act 1901 does not apply in relation to a report mentioned in this section.
Note: Section 34C of the Acts Interpretation Act 1901 would otherwise require any periodic reports to be given to the Minister and tabled in Parliament.
A provision of this Part that is of one of the following kinds and sets out at its foot a pecuniary penalty indicated by the words “civil penalty” is a civil penalty provision for the purposes of this Part and item 11 of the table in subsection 76(1A):
(a) a subsection;
(b) a section that is not divided into subsections.
(1) Division 2A of Part IVB applies in relation to an alleged contravention of a civil penalty provision mentioned in an item in the table in subsection (2) in the same way in which it applies in relation to an alleged contravention of a civil penalty provision of an industry code (within the meaning of that Part).
(2) For the purposes of the application of Division 2A of Part IVB under subsection (1), the penalty to be specified in an infringement notice in relation to an alleged contravention of a provision mentioned in columns 1 and 2 of an item of the following table must be a penalty equal to the applicable penalty for the contravention mentioned in column 3 or 4 of that item.
Penalties to be specified in infringement notices issued under this Part | ||||
Item | Column 1 | Column 2 | Column 3 | Column 4 |
| For an alleged contravention of the following provision: | that relates to: | if the alleged contravention is by a body corporate—the number of penalty units must be: | if the alleged contravention is by a person other than a body corporate—the number of penalty units must be: |
1 | subsection 57CA(3) | the choice of supply period in scheme offer | 60 | 12 |
2 | subsection 57CA(6) | publishing a scheme offer | 60 | 12 |
3 | subsection 57CA(7) | notifying the scheme adviser about scheme information offered | 60 | 12 |
4 | subsection 57CB(2) | failing to supply scheme information within the period covered by paragraph 57CB(2)(b) | 600 | 120 |
5 | subsection 57CB(4) | notifying the scheme adviser of terms and conditions of supply | 60 | 12 |
6 | subsection 57CC(2) | prohibited terms or conditions in contracts of supply | 60 | 12 |
7 | Section 57DA | packaging of scheme information | 60 | 12 |
8 | subsection 57DB(1) | restrictions on supplying safety and security information | 60 | 12 |
9 | subsection 57DE(2) | requiring a data provider to keep records | 60 | 12 |
10 | subsection 57EF(5) | failing to attend mediation | 60 | 12 |
57GC Concurrent operation of State and Territory laws
It is the Parliament’s intention that a law of a State or Territory should be able to operate concurrently with this Part unless the law is directly inconsistent with this Part.
Scope
(1) This section applies to any of the following provisions:
(a) a provision of Division 3;
(b) any other provision of this Act, to the extent to which the provision relates to Division 3.
Effect of provision
(2) The provision has no effect to the extent (if any) to which its operation would result in the acquisition of property (within the meaning of paragraph 51(xxxi) of the Constitution) from a person otherwise than on just terms (within the meaning of that paragraph).
(1) The Minister may, by legislative instrument, make rules prescribing matters:
(a) required or permitted by this Part to be prescribed by the rules; or
(b) necessary or convenient to be prescribed for carrying out or giving effect to this Part.
(2) To avoid doubt, the rules may not do the following:
(a) create an offence or civil penalty;
(b) provide powers of:
(i) arrest or detention; or
(ii) entry, search or seizure;
(c) impose a tax;
(d) set an amount to be appropriated from the Consolidated Revenue Fund under an appropriation in this Act;
(e) directly amend the text of this Act;
(f) subject to section 57DB, authorise or require the disclosure of sensitive information.
Part V—Carbon tax price reduction obligation
60 Simplified outline of this Part
• An entity must not engage in price exploitation in relation to the carbon tax repeal.
• The Commission may monitor prices in relation to the carbon tax repeal and the carbon tax scheme.
• An entity must not make false or misleading representations about the effect of the carbon tax repeal, or the carbon tax scheme, on the price for the supply of goods or services.
• An entity that sells electricity or natural gas, or an entity that is a bulk SGG importer and sells synthetic greenhouse gas, will be required to explain and substantiate:
(a) how the carbon tax repeal has affected, or is affecting, the entity’s regulated supply input costs; and
(b) how reductions in the entity’s regulated supply input costs that are directly or indirectly attributable to the carbon tax repeal are reflected in the prices charged by the entity for regulated supplies of electricity, natural gas or synthetic greenhouse gas.
• An entity that sells electricity or natural gas to customers, or an entity that is a bulk SGG importer and sells synthetic greenhouse gas to customers, must:
(a) give a carbon tax removal substantiation statement to the Commission; and
(b) include in the statement the entity’s estimate, on an average annual percentage price basis, or an average annual dollar price basis, of the entity’s cost savings that have been, are, or will be, attributable to the carbon tax repeal and that have been, are being, or will be, passed on to customers during the financial year that began on 1 July 2014; and
(c) provide information with the statement that substantiates such an estimate; and
(d) in a case where the entity sells electricity or natural gas to customers—communicate to customers a statement that identifies, on an average annual percentage price basis, or an average annual dollar price basis, the estimated cost savings to customers that are for the financial year that began on 1 July 2014.
• Infringement notices may be issued for certain contraventions of this Part.
(1) The main objects of this Part are:
(a) to deter price exploitation in relation to the carbon tax repeal at each point in the supply chain for regulated goods; and
(b) to ensure that all cost savings attributable to the carbon tax repeal are passed through the supply chain for regulated goods.
(2) The intention of the Parliament in enacting this Part is to ensure that all cost savings attributable to the carbon tax repeal are passed on to consumers of regulated goods through lower prices.
In this Part:
applicable compliance period, for a carbon tax removal substantiation notice, has the meaning given by subsection 60FC(2).
bulk SGG importer means an entity that:
(a) holds a controlled substances licence under the Ozone Protection and Synthetic Greenhouse Gas Management Act 1989 that allows the entity to import synthetic greenhouse gases; and
(b) supplies synthetic greenhouse gas to SGG customers.
carbon charge component of levy means so much of the amount of the levy as is calculated by multiplying the number of tonnes of carbon dioxide equivalence by a per unit charge applicable under subsection 100(1) of the Clean Energy Act 2011 for the issue of a carbon unit.
carbon tax removal substantiation notice has the meaning given by subsection 60FA(3).
carbon tax removal substantiation statement has the meaning given by subsection 60FD(3).
carbon tax repeal means:
(a) the repeal of the following Acts by the Clean Energy Legislation (Carbon Tax Repeal) Act 2014:
(i) the Clean Energy Act 2011;
(ii) the Clean Energy (Charges—Customs) Act 2011;
(iii) the Clean Energy (Charges—Excise) Act 2011;
(iv) the Clean Energy (Unit Issue Charge—Auctions) Act 2011;
(v) the Clean Energy (Unit Issue Charge—Fixed Charge) Act 2011;
(vi) the Clean Energy (Unit Shortfall Charge—General) Act 2011; and
(b) the amendments of the following Acts made by the Clean Energy Legislation (Carbon Tax Repeal) Act 2014:
(i) the Fuel Tax Act 2006;
(ii) the Fuel Tax (Consequential and Transitional Provisions) Act 2006; and
(c) the amendments made by the following Acts:
(i) the Customs Tariff Amendment (Carbon Tax Repeal) Act 2014;
(ii) the Excise Tariff Amendment (Carbon Tax Repeal) Act 2014;
(iii) the Ozone Protection and Synthetic Greenhouse Gas (Import Levy) Amendment (Carbon Tax Repeal) Act 2014;
(iv) the Ozone Protection and Synthetic Greenhouse Gas (Manufacture Levy) Amendment (Carbon Tax Repeal) Act 2014.
carbon tax repeal transition period means the period:
(a) beginning at the start of 1 July 2014; and
(b) ending at the end of 30 June 2015.
carbon tax scheme means the scheme embodied in the following:
(a) the Clean Energy Act 2011, as in force at the start of 1 January 2014;
(b) the associated provisions (within the meaning of that Act as in force at that time);
(c) the following provisions of the Fuel Tax Act 2006, as in force at the start of 1 January 2014:
(i) Division 42A;
(ii) section 43‑5, so far as that section relates to a carbon reduction;
(iii) section 43‑8;
(iv) section 43‑11;
(d) section 3A of the Ozone Protection and Synthetic Greenhouse Gas (Import Levy) Act 1995, as in force at the start of 1 January 2014, so far as that section relates to carbon charge component;
(e) section 4A of the Ozone Protection and Synthetic Greenhouse Gas (Import Levy) Act 1995, as in force at the start of 1 January 2014, so far as that section relates to carbon charge component;
(f) section 3A of the Ozone Protection and Synthetic Greenhouse Gas (Manufacture Levy) Act 1995, as in force at the start of 1 January 2014, so far as that section relates to carbon charge component;
(g) sections 6FA, 6FB and 6FC of the Excise Tariff Act 1921, as in force at the start of 1 January 2014;
(h) section 19A of the Customs Tariff Act 1995, as in force at the start of 1 January 2014.
electricity customer means an entity that purchases electricity.
electricity retailer means:
(a) an entity who:
(i) is a retailer within the meaning of the National Energy Retail Law as it applies in a State or a Territory; and
(ii) sells electricity to electricity customers; or
(b) an entity who is a retailer within the meaning of the Electricity Industry Act 2000 (Vic.); or
(c) an entity who is a retail entity within the meaning of the Electricity Act 1994 (Qld); or
(d) an entity who:
(i) holds a retail licence within the meaning of the Electricity Industry Act 2004 (WA); or
(ii) holds an integrated regional licence within the meaning of the Electricity Industry Act 2004 (WA) that authorises the entity to sell electricity; or
(e) an entity who is an electricity entity within the meaning of the Electricity Reform Act 2000 (NT) and whose licence under that Act authorises the entity to sell electricity; or
(f) any other entity who produces electricity in Australia.
engages in price exploitation in relation to the carbon tax repeal: see section 60C.
entity means any of the following:
(a) a corporation (as defined by section 4);
(b) an individual;
(c) a body corporate;
(d) a corporation sole;
(e) a body politic;
(f) a partnership;
(g) any other unincorporated association or body of entities;
(h) a trust;
(i) any party or entity which can or does buy or sell electricity, natural gas or synthetic greenhouse gas.
infringement notice means an infringement notice issued under subsection 60L(1).
infringement notice compliance period: see section 60P.
infringement notice provision means section 60C or 60K.
listed corporation has the meaning given by section 9 of the Corporations Act 2001.
National Energy Retail Law means the National Energy Retail Law set out in the Schedule to the National Energy Retail Law (South Australia) Act 2011 (SA).
natural gas has the same meaning as in the National Gas (Commonwealth) Law (as defined by the Australian Energy Market Act 2004).
natural gas customer means an entity that purchases natural gas.
natural gas retailer means:
(a) an entity who:
(i) is a retailer within the meaning of the National Energy Retail Law as it applies in a State or a Territory; and
(ii) sells natural gas to natural gas customers; or
(b) an entity who is a gas retailer within the meaning of the Gas Industry Act 2001 (Vic.); or
(c) an entity who is a retailer within the meaning of the Gas Supply Act 2003 (Qld); or
(d) an entity who holds a trading licence under the Energy Coordination Act 1994 (WA); or
(e) an entity who holds a licence under the Gas Act 2000 (Tas.) to sell gas by retail.
price, in relation to a supply, includes:
(a) a charge of any description for the supply; and
(b) any pecuniary or other benefit, whether direct or indirect, received or to be received by a person for or in connection with the supply.
regulated goods: see section 60B.
regulated supply means a supply that:
(a) occurs during the carbon tax repeal transition period; and
(b) is of regulated goods.
regulated supply input costs of an entity means the entity’s input costs in relation to the making by the entity of regulated supplies of electricity, natural gas or synthetic greenhouse gas.
Royal Assent day means the day on which the Act that inserted this Part receives the Royal Assent.
SGG customer means an entity that purchases synthetic greenhouse gas.
SGG equipment has the same meaning as in the Ozone Protection and Synthetic Greenhouse Gas Management Act 1989.
synthetic greenhouse gas has the same meaning as in the Ozone Protection and Synthetic Greenhouse Gas Management Act 1989.
(1) For the purposes of this Part, regulated goods means:
(a) natural gas; or
(b) electricity; or
(c) synthetic greenhouse gas; or
(d) SGG equipment; or
(e) other goods of a kind specified in a legislative instrument under subsection (2).
(2) The Minister may, by legislative instrument, specify one or more kinds of goods for the purposes of paragraph (1)(e).
Division 2—Carbon tax price reduction obligation
60C Price exploitation in relation to the carbon tax repeal
(1) An entity must not engage in price exploitation in relation to the carbon tax repeal.
(2) For the purposes of this Part, an entity engages in price exploitation in relation to the carbon tax repeal if, and only if:
(a) it makes a regulated supply; and
(b) the price for the supply does not pass through all of the entity’s cost savings relating to the supply that are directly or indirectly attributable to the carbon tax repeal.
(3) For the purposes of this Part, in determining whether the price for a supply made by an entity does not pass through all of the entity’s cost savings relating to the supply that are directly or indirectly attributable to the carbon tax repeal, have regard to the following matters:
(a) the entity’s cost savings that are directly or indirectly attributable to the carbon tax repeal;
(b) how the cost savings mentioned in paragraph (a) can reasonably be attributed to the different supplies that the entity makes;
(c) the entity’s costs;
(d) any other relevant matter that may reasonably influence the price.
60CA Failure to pass on cost savings—250% penalty
(1) If:
(a) either:
(i) an entity contravenes subsection 60C(1) in relation to a particular supply of electricity or natural gas; or
(ii) an entity that is a bulk SGG importer contravenes subsection 60C(1) in relation to a particular supply of synthetic greenhouse gas; and
(b) the contravention involved a failure to pass through all of the entity’s cost savings relating to the supply that are directly or indirectly attributable to the carbon tax repeal;
there is payable by the entity to the Commonwealth, and the entity shall pay to the Commonwealth, by way of penalty, an amount equal to 250% of those cost savings that were not passed through.
When penalty becomes due and payable
(2) An amount payable by an entity under subsection (1) is due and payable on 1 July 2015.
Late payment penalty
(3) If an amount payable by an entity under subsection (1) remains unpaid after the time when it became due for payment, there is payable by the entity to the Commonwealth, and the entity shall pay to the Commonwealth, by way of penalty, an amount calculated at the rate of 6% per annum on the amount unpaid, computed from that time.
Recovery of penalties
(4) An amount payable by an entity under subsection (1) or (3):
(a) is a debt due to the Commonwealth; and
(b) shall be recovered by the Commission, on behalf of the Commonwealth, by action in a court of competent jurisdiction, unless the cost of doing so exceeds the amount.
Report to Parliament
(5) Within 13 months after the Royal Assent day, the Commission must report to Parliament in respect of penalties payable by entities.
(1) The Commission may give an entity a written notice under this section if the Commission considers that the entity has engaged in price exploitation in relation to the carbon tax repeal.
(2) The notice must:
(a) be expressed to be given under this section; and
(b) identify:
(i) the entity that made the supply; and
(ii) the kind of supply made; and
(iii) the circumstances in which the supply was made; and
(c) state that, in the Commission’s opinion, the price for the supply did not pass through all of the entity’s cost savings relating to the supply that were directly or indirectly attributable to the carbon tax repeal.
(3) In any proceedings:
(aa) under section 60CA; or
(a) under section 76 for a pecuniary penalty order relating to section 60C; or
(b) under section 80 for an injunction relating to section 60C; or
(c) under section 80A, 82, 86C, 86D or 87 for an order relating to section 60C;
the notice is prima facie evidence that the price for the supply did not pass through all of the entity’s cost savings relating to the supply that were directly or indirectly attributable to the carbon tax repeal.
(4) The Commission may vary or revoke the notice on its own initiative or on application made by the entity. The Commission must give the entity written notice of the variation or revocation.
(5) A notice under this section is not a legislative instrument.
(1) The Commission may give an entity a written notice under this section if the Commission considers that doing so will aid the prevention of the entity engaging in price exploitation in relation to the carbon tax repeal.
(2) The notice must:
(a) be expressed to be given under this section; and
(b) be expressed to relate to any supply that the entity makes that is:
(i) of a kind specified in the notice; and
(ii) made in circumstances specified in the notice; and
(iii) made during the period specified in the notice (which must not be a period ending after the end of the carbon tax repeal transition period); and
(c) specify the maximum price that, in the Commission’s opinion, may be charged for a supply to which the notice is expressed to relate.
(3) The Commission may, on its own initiative or on application made by the entity:
(a) vary the notice to:
(i) change the period specified as required by subparagraph (2)(b)(iii); or
(ii) change the price specified in the notice as required by paragraph (2)(c); or
(b) revoke the notice.
The Commission must give the entity written notice of the variation or revocation.
(4) The Commission may publish the notice, or particulars of any variation or revocation of the notice, in such manner as the Commission considers appropriate.
(5) A notice under this section is not a legislative instrument.
Scope
(1) This section applies to the following provisions of this Act:
(a) section 60C;
(b) any other provision to the extent to which it relates to section 60C.
Effect of provision
(2) The provision has no effect to the extent (if any) to which its operation would result in the acquisition of property (within the meaning of paragraph 51(xxxi) of the Constitution) otherwise than on just terms (within the meaning of that paragraph).
Division 2A—Carbon tax removal substantiation notices
60FA Carbon tax removal substantiation notices
Scope
(1) This section applies to an entity if the entity:
(a) is an electricity retailer that sells electricity to electricity customers; or
(b) is a natural gas retailer that sells natural gas to natural gas customers; or
(c) is a bulk SGG importer that sells synthetic greenhouse gas to SGG customers.
Carbon tax removal substantiation notice
(2) The Commission must, within 30 days after the Royal Assent day, by written notice given to the entity, require the entity:
(a) to give to the Commission, within the period specified in the notice, a written statement that explains:
(i) how the carbon tax repeal has affected, or is affecting, the entity’s regulated supply input costs; and
(ii) how reductions in the entity’s regulated supply input costs that are directly or indirectly attributable to the carbon tax repeal are reflected in the prices charged by the entity for regulated supplies of electricity, natural gas or synthetic greenhouse gas; and
(b) to do either or both of the following:
(i) give to the Commission, within the period and in the manner and form specified in the notice, information that substantiates the explanation set out in the statement;
(ii) produce to the Commission, within the period and in the manner specified in the notice, documents that substantiate the explanation set out in the statement.
(3) A notice under subsection (2) is to be known as a carbon tax removal substantiation notice.
(4) A period specified in a carbon tax removal substantiation notice must be 21 days after the notice is given.
(5) A carbon tax removal substantiation notice must explain the effect of:
(a) section 60FB; and
(b) section 60FC; and
(c) sections 137.1 and 137.2 of the Criminal Code.
Section does not limit section 60H
(6) This section does not limit section 60H (which is about the price‑related information‑gathering powers of the Commission).
Section does not limit section 155
(7) This section does not limit section 155 (which is about the general information‑gathering powers of the Commission).
60FB Extending periods for complying with carbon tax removal substantiation notices
(1) An entity that has been given a carbon tax removal substantiation notice may, at any time within 14 days after the notice was given to the entity by the Commission, apply in writing to the Commission for an extension of the period for complying with the notice.
(2) The Commission may, by written notice given to the entity, extend the period within which the entity must comply with the notice, so long as the extension is for a period of not more than 28 days.
60FC Compliance with carbon tax removal substantiation notices
(1) An entity that is given a carbon tax removal substantiation notice must comply with it within the applicable compliance period for the notice.
(2) The applicable compliance period for a carbon tax removal substantiation notice is:
(a) the period of 21 days specified in the notice; or
(b) if the period for complying with the notice has been extended under section 60FB—the period as so extended;
and includes (if an application has been made under section 60FB for an extension of the period for complying with the notice) the period up until the time when the applicant is given notice of the Commission’s decision on the application.
(3) An entity commits an offence if:
(a) the entity is subject to a requirement under subsection (1); and
(b) the entity is capable of complying with the requirement; and
(c) the entity omits to do an act; and
(d) the omission breaches the requirement.
Penalty: 200 penalty units.
(4) Subsection (3) is an offence of strict liability.
Note: For strict liability, see section 6.1 of the Criminal Code.
(5) If subsection (3) of this section applies to an individual (whether or not because of subsection 6(2)), subsection (3) of this section has effect, in relation to the individual, as if the reference to 200 penalty units were a reference to 40 penalty units.
(6) If subsection (1) of this section applies to an individual (whether or not because of subsection 6(2)), the individual is excused from giving information or producing a document in accordance with a carbon tax removal substantiation notice on the ground that the information or the production of the document might tend to incriminate the individual or expose the individual to a penalty.
Division 2B—Carbon tax removal substantiation statements
60FD Carbon tax removal substantiation statements
Scope
(1) This section applies to an entity if the entity:
(a) is an electricity retailer that sells electricity to electricity customers; or
(b) is a natural gas retailer that sells natural gas to natural gas customers; or
(c) is a bulk SGG importer that sells synthetic greenhouse gas to SGG customers.
Carbon tax removal substantiation statement
(2) Within 30 days after the Royal Assent day, the entity must give to the Commission:
(a) a written statement that sets out:
(i) if the entity has electricity customers—the entity’s estimate, on an average annual percentage price basis, or an average annual dollar price basis, of the entity’s cost savings that have been, are, or will be, directly or indirectly attributable to the carbon tax repeal and that have been, are being, or will be, passed on to each class of electricity customers during the financial year that began on 1 July 2014; and
(ii) if the entity has natural gas customers—the entity’s estimate, on an average annual percentage price basis, or an average annual dollar price basis, of the entity’s cost savings that have been, are, or will be, directly or indirectly attributable to the carbon tax repeal and that have been, are being, or will be, passed on to each class of natural gas customers during the financial year that began on 1 July 2014; and
(iii) if the entity has SGG customers—the entity’s estimate, on an average annual percentage price basis, or an average annual dollar price basis, of the entity’s cost savings that have been, are, or will be, directly or indirectly attributable to the carbon tax repeal and that have been, are being, or will be, passed on to each class of SGG customers during the financial year that began on 1 July 2014; and
(b) information that substantiates the estimate or estimates set out in the statement.
Note: Section 137.1 of the Criminal Code creates an offence of providing false or misleading information.
(3) A statement under paragraph (2)(a) is to be known as a carbon tax removal substantiation statement.
(4) If the entity has given a carbon tax removal substantiation statement to the Commission, the entity must ensure that a copy of the statement is available on the entity’s website, in a way that is readily accessible by the public, until the end of 30 June 2015.
Compliance
(5) An entity commits an offence if:
(a) the entity is subject to a requirement under subsection (2) or (4); and
(b) the entity is capable of complying with the requirement; and
(c) the entity omits to do an act; and
(d) the omission breaches the requirement.
Penalty: 500 penalty units.
(6) Subsection (5) is an offence of strict liability.
Note: For strict liability, see section 6.1 of the Criminal Code.
(7) If subsection (5) of this section applies to an individual (whether or not because of subsection 6(2)), subsection (5) of this section has effect, in relation to the individual, as if the reference to 500 penalty units were a reference to 40 penalty units.
(8) If subsection (2) of this section applies to an individual (whether or not because of subsection 6(2)), the individual is excused from giving an estimate or information under subsection (2) of this section on the ground that the estimate or information might tend to incriminate the individual or expose the individual to a penalty.
Section does not limit section 60H
(9) This section does not limit section 60H (which is about the price‑related information‑gathering powers of the Commission).
Section does not limit section 155
(10) This section does not limit section 155 (which is about the general information‑gathering powers of the Commission).
Report to Parliament
(11) Within 13 months after the Royal Assent day, the Commission must report to Parliament in respect of compliance by all entities.
Division 2C—Statements for customers
Scope
(1) This section applies to an entity if the entity:
(a) is an electricity retailer that sells electricity to electricity customers; or
(b) is a natural gas retailer that sells natural gas to natural gas customers.
Preparation of statement
(2) Within 30 days after the Royal Assent day, the entity must prepare a statement that:
(a) if the entity has electricity customers—identifies, on an average annual percentage price basis, or an average annual dollar price basis, the estimated cost savings, to each class of electricity customers, that:
(i) have been, are, or will be, directly or indirectly attributable to the carbon tax repeal; and
(ii) are for the financial year that began on 1 July 2014; and
(b) if the entity has natural gas customers—identifies, on an average annual percentage price basis, or an average annual dollar price basis, the estimated cost savings, to each class of natural gas customers, that:
(i) have been, are, or will be, directly or indirectly attributable to the carbon tax repeal; and
(ii) are for the financial year that began on 1 July 2014.
Communication of contents of statement to customers
(3) During the period:
(a) beginning 30 days after the Royal Assent day; and
(b) ending 60 days after the Royal Assent day;
the entity must ensure that the contents of the statement prepared by it under subsection (2) that relates to a class of electricity customers or natural gas customers is communicated to each customer of that class.
Note: Section 137.1 of the Criminal Code creates an offence of providing false or misleading information.
Compliance
(4) An entity commits an offence if:
(a) the entity is subject to a requirement under subsection (2) or (3); and
(b) the entity is capable of complying with the requirement; and
(c) the entity omits to do an act; and
(d) the omission breaches the requirement.
Penalty: 400 penalty units.
(5) Subsection (4) is an offence of strict liability.
Note: For strict liability, see section 6.1 of the Criminal Code.
(6) If subsection (4) of this section applies to an individual (whether or not because of subsection 6(2)), subsection (4) of this section has effect, in relation to the individual, as if the reference to 400 penalty units were a reference to 40 penalty units.
(7) If subsection (2) or (3) of this section applies to an individual (whether or not because of subsection 6(2)), the individual is excused from:
(a) preparing a statement under subsection (2) of this section; or
(b) communicating the contents of a statement under subsection (3) of this section;
on the ground that the information in the statement might tend to incriminate the individual or expose the individual to a penalty.
Division 3—Price monitoring in relation to the carbon tax repeal etc.
60G Commission may monitor prices in relation to the carbon tax repeal etc.
Price monitoring—carbon tax repeal transition period
(1) The Commission may monitor prices to assess the general effect of the carbon tax repeal on prices charged by entities for supplies, in the carbon tax repeal transition period, of relevant goods.
Note: For relevant goods, see subsection (11).
(2) The Commission may monitor prices to assess the general effect of the carbon tax repeal on prices:
(a) advertised; or
(b) displayed; or
(c) offered;
for supplies, in the carbon tax repeal transition period, of relevant goods by entities.
Note: For relevant goods, see subsection (11).
(3) The Commission may monitor prices to assess the general effect of the carbon tax repeal on prices charged for supplies, in the carbon tax repeal transition period, of goods by an entity for which there is an entry in the Information Database (within the meaning of the Clean Energy Act 2011).
(4) The Commission may monitor prices to assess the general effect of the carbon tax repeal on prices:
(a) advertised; or
(b) displayed; or
(c) offered;
for supplies, in the carbon tax repeal transition period, of goods by an entity for which there is an entry in the Information Database (within the meaning of the Clean Energy Act 2011).
Price monitoring—price exploitation
(5) The Commission may monitor prices to assist the Commission’s consideration of whether an entity has engaged, is engaging, or may in the future engage, in price exploitation in relation to the carbon tax repeal.
Price monitoring—pre‑repeal transition period
(6) The Commission may monitor prices to assess the general effect of the carbon tax scheme on prices charged by entities for supplies, in the pre‑repeal transition period, of relevant goods.
Note 1: For pre‑repeal transition period, see subsection (13).
Note 2: For relevant goods, see subsection (11).
(7) The Commission may monitor prices to assess the general effect of the carbon tax scheme on prices:
(a) advertised; or
(b) displayed; or
(c) offered;
for supplies, in the pre‑repeal transition period, of relevant goods by entities.
Note 1: For pre‑repeal transition period, see subsection (13).
Note 2: For relevant goods, see subsection (11).
(8) The Commission may monitor prices to assess the general effect of the carbon tax scheme on prices charged for supplies, in the pre‑repeal transition period, of goods by an entity for which there is an entry in the Information Database (within the meaning of the Clean Energy Act 2011).
Note: For pre‑repeal transition period, see subsection (13).
(9) The Commission may monitor prices to assess the general effect of the carbon tax scheme on prices:
(a) advertised; or
(b) displayed; or
(c) offered;
for supplies, in the pre‑repeal transition period, of goods by an entity for which there is an entry in the Information Database (within the meaning of the Clean Energy Act 2011).
Note: For pre‑repeal transition period, see subsection (13).
Section does not limit Part VIIA
(10) This section does not limit Part VIIA (which is about prices surveillance).
Relevant goods
(11) For the purposes of this section, the following are relevant goods:
(a) regulated goods;
(b) other goods of a kind specified in a legislative instrument under subsection (12).
(12) The Minister may, by legislative instrument, specify one or more kinds of goods for the purposes of paragraph (11)(b).
Pre‑repeal transition period
(13) For the purposes of this section, pre‑repeal transition period means the period:
(a) beginning at the commencement of this section; and
(b) ending at the end of 30 June 2014.
60H Information‑gathering powers
(1) A member of the Commission may, by written notice given to a person, require the person:
(a) to give the Commission specified information in writing signed by:
(i) the person; or
(ii) if the person is a body corporate—a competent officer of the body corporate; or
(b) to produce to the Commission specified documents;
if:
(c) the information, or information contained in the documents, relates to prices or the setting of prices; and
(d) the member reasonably believes that the information, or information contained in the documents, will or may be useful to the Commission in monitoring prices as mentioned in any of subsections 60G(1) to (9).
Note: Sections 137.1 and 137.2 of the Criminal Code create offences for providing false or misleading information or documents.
(2) Information or documents that may be required under subsection (1) may relate to prices, or the setting of prices:
(a) before or after the carbon tax repeal; and
(b) before or after the start of the carbon tax repeal transition period; and
(c) in a situation, or during a period, specified in the notice.
(3) Subsection (2) does not limit subsection (1).
(4) A person commits an offence if:
(a) the person is subject to a requirement under subsection (1); and
(b) the person is capable of complying with the requirement; and
(c) the person omits to do an act; and
(d) the omission breaches the requirement.
Penalty: 20 penalty units.
(5) An individual is excused from giving information or producing a document in accordance with a requirement under subsection (1) on the ground that the information or the production of the document might tend to incriminate the individual or expose the individual to a penalty.
Section does not limit section 60FA
(5A) This section does not limit section 60FA (which is about carbon tax removal substantiation notices).
Section does not limit section 155
(6) This section does not limit section 155 (which is about the general information‑gathering powers of the Commission).
(1) The Commission must, within 28 days after the end of each quarter, give the Minister a written report about the operations of the Commission under this Part during the quarter.
(2) A report under subsection (1) must include particulars of:
(a) all notices given under section 60E during the quarter; and
(b) all variations or revocations during the quarter of notices given under section 60E.
(3) Subsection (2) does not limit subsection (1).
(4) For the purposes of this section, a quarter is a period of 3 months:
(a) that occurs wholly or partly during the carbon tax repeal transition period; and
(b) that starts on any of the following days in a year:
(i) 1 January;
(ii) 1 April;
(iii) 1 July;
(iv) 1 October.
(5) As soon as practicable after the Minister receives a report under subsection (1), the Minister must make the report public by such means as the Minister considers appropriate.
(6) If this section commences during a quarter (but not on the first day of a quarter):
(a) no report is to be made at the end of the quarter; but
(b) the report made at the end of the next quarter is also to include the information required by subsections (1) and (2) in relation to the previous quarter.
60K False or misleading representations about the effect of the carbon tax repeal etc. on prices
An entity must not, in trade or commerce, in connection with:
(a) the supply or possible supply of goods or services; or
(b) the promotion by any means of the supply or use of goods or services;
make a false or misleading representation, during the carbon tax repeal transition period, concerning the effect of:
(c) the carbon tax repeal or a part of the carbon tax repeal; or
(d) the carbon tax scheme or a part of the carbon tax scheme;
on the price for the supply of the goods or services.
Division 5—Infringement notices
60L Issuing an infringement notice
Issuing an infringement notice
(1) If the Commission has reasonable grounds to believe that a person has contravened an infringement notice provision, the Commission may issue an infringement notice to the person.
(2) The Commission must not issue more than one infringement notice to the person for the same alleged contravention of the infringement notice provision.
(3) The infringement notice does not have any effect if the notice:
(a) is issued more than 12 months after the day on which the contravention of the infringement notice provision is alleged to have occurred; or
(b) relates to more than one alleged contravention of an infringement notice provision by the person.
Matters to be included in an infringement notice
(4) An infringement notice must:
(a) be identified by a unique number; and
(b) state the day on which it is issued; and
(c) state the name and address of the person to whom it is issued; and
(d) identify the Commission; and
(e) state how the Commission may be contacted; and
(f) give details of the alleged contravention by the person, including:
(i) the date of the alleged contravention; and
(ii) the particular infringement notice provision that was allegedly contravened; and
(g) state the maximum pecuniary penalty that the court could order the person to pay under section 76 for the alleged contravention; and
(h) specify the penalty that is payable in relation to the alleged contravention; and
(i) state that the penalty is payable within the infringement notice compliance period for the notice; and
(j) state that the penalty is payable to the Commission on behalf of the Commonwealth; and
(k) explain how payment of the penalty is to be made; and
(l) explain the effect of sections 60M, 60N, 60P and 60Q.
Amount of penalty
(5) The penalty to be specified in an infringement notice that is to be issued to a person in relation to an alleged contravention of an infringement notice provision must be:
(a) if the person is a listed corporation—600 penalty units; or
(b) if the person is a body corporate other than a listed corporation—60 penalty units; or
(c) if the person is not a body corporate—12 penalty units.
60M Effect of compliance with an infringement notice
Scope
(1) This section applies if:
(a) an infringement notice for an alleged contravention of an infringement notice provision is issued to a person; and
(b) the person pays the penalty specified in the infringement notice within the infringement notice compliance period and in accordance with the notice; and
(c) the infringement notice is not withdrawn under section 60Q.
Effect
(2) The person is not, merely because of the payment, regarded as:
(a) having contravened the infringement notice provision; or
(b) having been convicted of an offence constituted by the same conduct that constituted the alleged contravention of the infringement notice provision.
(3) No proceedings (whether criminal or civil) may be started or continued against the person, by or on behalf of the Commonwealth, in relation to:
(a) the alleged contravention of the infringement notice provision; or
(b) an offence constituted by the same conduct that constituted the alleged contravention.
60N Effect of failure to comply with an infringement notice
If:
(a) an infringement notice for an alleged contravention of an infringement notice provision is issued to a person; and
(b) the person fails to pay the penalty specified in the infringement notice within the infringement notice compliance period and in accordance with the notice; and
(c) the infringement notice is not withdrawn under section 60Q;
the person is liable to proceedings under Part VI in relation to the alleged contravention of the infringement notice provision.
60P Infringement notice compliance period for infringement notice
(1) The infringement notice compliance period for an infringement notice is the period of 28 days beginning on the day after the day on which the infringement notice is issued by the Commission.
(2) Subsection (1) has effect subject to subsection (7).
(3) The Commission may extend, by notice in writing, the infringement notice compliance period for the notice if the Commission is satisfied that it is appropriate to do so.
(4) Only one extension may be given, and the extension must not be for longer than 28 days.
(5) Notice of the extension must be given to the person who was issued the infringement notice.
(6) A failure to comply with subsection (5) does not affect the validity of the extension.
(7) If the Commission extends the infringement notice compliance period for an infringement notice, a reference in this Division to the infringement notice compliance period for an infringement notice is taken to be a reference to the infringement notice compliance period as so extended.
60Q Withdrawal of an infringement notice
Representations to the Commission
(1) A person to whom an infringement notice has been issued for an alleged contravention of an infringement notice provision may make written representations to the Commission seeking the withdrawal of the infringement notice.
(2) Evidence or information that the person, or a representative of the person, gives to the Commission in the course of making representations under subsection (1) is not admissible in evidence against the person or representative in any proceedings (other than proceedings for an offence based on the evidence or information given being false or misleading).
Withdrawal by the Commission
(3) The Commission may, by written notice (the withdrawal notice) given to the person to whom an infringement notice was issued, withdraw the infringement notice if the Commission is satisfied that it is appropriate to do so.
(4) Subsection (3) applies whether or not the person has made representations seeking the withdrawal.
Content of withdrawal notices
(5) The withdrawal notice must state:
(a) the name and address of the person; and
(b) the day on which the infringement notice was issued to the person; and
(c) that the infringement notice is withdrawn; and
(d) that proceedings under Part VI may be started or continued against the person in relation to:
(i) the alleged contravention the infringement notice provision; or
(ii) an offence constituted by the same conduct that constituted the alleged contravention.
Time limit for giving withdrawal notices
(6) To be effective, the withdrawal notice must be given to the person within the infringement notice compliance period for the infringement notice.
Refunds
(7) If the infringement notice is withdrawn after the person has paid the penalty specified in the infringement notice, the Commission must, on behalf of the Commonwealth, refund to the person an amount equal to the amount paid.
Note: For the appropriation for the refund, see section 77 of the Public Governance, Performance and Accountability Act 2013.
This Division does not:
(a) require an infringement notice to be issued to a person for an alleged contravention of an infringement notice provision; or
(b) affect the liability of a person to proceedings under Part VI in relation to an alleged contravention of an infringement notice provision if:
(i) an infringement notice is not issued to the person for the alleged contravention; or
(ii) an infringement notice issued to a person for the alleged contravention is withdrawn under section 60Q; or
(c) prevent a court from imposing a higher penalty than the penalty specified in the infringement notice if the person does not comply with the notice.
Part VI—Enforcement and remedies
(1) A reference in this Part to a person involved in a contravention of a provision of Part IV, IVB, IVBA, IVBB or IVE, or of section 55B, subsection 56BN(1), 56BO(1) or 56BU(1), section 56BZA, 56BZB or 56BZC, subsection 56BZD(1) or 56BZI(1), section 56BZJ, 60C, 60K or 92, a civil penalty provision of a gas market instrument or a civil penalty provision of the consumer data rules, shall be read as a reference to a person who:
(a) has aided, abetted, counselled or procured the contravention;
(b) has induced, whether by threats or promises or otherwise, the contravention;
(c) has been in any way, directly or indirectly, knowingly concerned in, or party to, the contravention; or
(d) has conspired with others to effect the contravention.
(2) In this Part, unless the contrary intention appears:
(a) a reference to the Court in relation to a matter is a reference to any court having jurisdiction in the matter;
(b) a reference to the Federal Court is a reference to the Federal Court of Australia; and
(c) a reference to a judgment is a reference to a judgment, decree or order, whether final or interlocutory.
(1) If the Court is satisfied that a person:
(a) has contravened any of the following provisions:
(i) a provision of Part IV (other than section 45AF or 45AG);
(iaa) a provision of Part IVBA specified in subsection (4A);
(iab) subsection 53ZQ(1), (2) or (3), section 53ZV, subsection 53ZW(1) or a civil penalty provision of a gas market instrument; or
(ia) section 55B;
(ib) subsection 56BO(1) or 56BU(1), section 56BZA, 56BZB or 56BZC, subsection 56BZD(1), section 56BZJ or a civil penalty provision of the consumer data rules;
(ic) a provision of Part IVE;
(ii) section 60C;
(iia) section 60K;
(iii) section 92;
(iiia) a provision of Division 2 of Part XICA;
(iiib) subsection 153ZEL(2);
(iv) a civil penalty provision of an industry code; or
(b) has attempted to contravene such a provision; or
(c) has aided, abetted, counselled or procured a person to contravene such a provision; or
(d) has induced, or attempted to induce, a person, whether by threats or promises or otherwise, to contravene such a provision; or
(e) has been in any way, directly or indirectly, knowingly concerned in, or party to, the contravention by a person of such a provision; or
(f) has conspired with others to contravene such a provision;
the Court may order the person to pay to the Commonwealth such pecuniary penalty, in respect of each act or omission by the person to which this section applies, as the Court determines to be appropriate having regard to all relevant matters including the nature and extent of the act or omission and of any loss or damage suffered as a result of the act or omission, the circumstances in which the act or omission took place and whether the person has previously been found by the Court in proceedings under this Part or Part XIB to have engaged in any similar conduct.
Note: Section 87AA provides that, if boycott conduct is involved in proceedings, the Court must have regard to certain matters in exercising its powers under this Part. (Boycott conduct is defined in subsection 87AA(2).)
(1A) The pecuniary penalty payable by a person under subsection (1) is not to exceed the amount worked out using the following table.
Amount of pecuniary penalty | |||
Item | For each act or omission to which this section applies that relates to … | if the person is a body corporate—the pecuniary penalty is not to exceed … | if the person is not a body corporate—the pecuniary penalty is not to exceed … |
1 | section 45AJ or 45AK | the greater of the amounts mentioned in subsection (1B) | $2,500,000 |
2 | section 45D, 45DB, 45E or 45EA | $750,000 | (see subsection (2)) |
3 | any provision of Part IV not covered by items 1 and 2 of this table (see note 1) | the greater of the amounts mentioned in subsection (1B) | $2,500,000 (for acts or omissions relating to section 45DA, see subsection (2)) |
4 | a civil penalty provision of an industry code | the amount set out in the civil penalty provision of the industry code | the amount set out in the civil penalty provision of the industry code |
5 | a provision of Division 4 of Part IVBA | 6,000 penalty units | $500,000 |
6 | section 52ZC, 52ZH, 52ZS or 52ZZE | the greater of the amounts mentioned in subsection (1B) | $2,500,000 |
7 | any provision of Part IVBA not covered by items 5 and 6 of this table | 600 penalty units | $500,000 |
subsection 53ZQ(1), (2) or (3) | the greater of the amounts mentioned in subsection (1B) | $2,500,000 | |
7B | section 53ZV or subsection 53ZW(1) | 3,000 penalty units | 600 penalty units |
7C | a civil penalty provision of a gas market instrument not covered by item 7D of this table | the greater of the amounts mentioned in subsection (1B) | $2,500,000 |
7D | a civil penalty provision of a gas market instrument that sets out at its foot a pecuniary penalty indicated by the words “Civil penalty” | the lesser of: (a) the amount of the pecuniary penalty for a body corporate set out at the foot of the provision; and (b) the greater of the amounts mentioned in subsection (1B) | the lesser of: (a) the amount of the pecuniary penalty for a person other than a body corporate set out at the foot of the provision; and (b) $2,500,000 |
8 | section 55B, 60C or 60K | 6,471 penalty units | 1,295 penalty units |
subsection 56BO(1) or 56BU(1), section 56BZA, 56BZB or 56BZC, subsection 56BZD(1), section 56BZJ or a civil penalty provision of the consumer data rules not covered by item 10 of this table | the greater of the amounts mentioned in subsection (1C) | $500,000 | |
10 | a civil penalty provision of the consumer data rules that sets out at its foot a pecuniary penalty indicated by the words “Civil penalty” | the amount of the pecuniary penalty for a body corporate set out at the foot of the provision | the amount of the pecuniary penalty for a person other than a body corporate set out at the foot of the provision |
11 | a civil penalty provision of Part IVE described by section 57GA | the number of penalty units for a body corporate set out at the foot of the provision | the number of penalty units for a person other than a body corporate set out at the foot of the provision |
12 | section 92 | $33,000 | $6,600 |
13 | a provision of Division 2 of Part XICA | the greater of the amounts mentioned in subsection (1B) | $2,500,000 (see note 2) |
13A | subsection 153ZEL(2) | 600 penalty units | $500,000 |
14 | any other provision to which this section applies | $10,000,000 | $500,000 |
Note 1: Item 3 also applies to pecuniary penalties ordered under subsection (1) in respect of an act or omission that relates to subsection 10.49A(1), 10.60(1) or 10.65(1): see subsection 10.49A(2), 10.60(2) or 10.65(2).
Note 2: Pecuniary penalties may not be ordered under subsection (1) against certain individuals in relation to contraventions of section 153E, 153F, 153G or 153H in certain circumstances: see section 153ZD.
(1B) For the purposes of items 1, 3, 6, 7A, 7C, 7D and 13 of the table in subsection (1A), the amounts are as follows:
(a) $50,000,000;
(b) if item 1 or 13 of the table applies, and the Court can determine the total value of the benefits that have been obtained (within the meaning of Division 1 of Part IV) by one or more persons and that are reasonably attributable to the act or omission—3 times that total value;
(c) if item 3, 6, 7A, 7C or 7D of the table applies, and the Court can determine the value of the benefit that the body corporate, and any body corporate related to the body corporate, have obtained directly or indirectly and that is reasonably attributable to the act or omission—3 times the value of that benefit;
(d) if the Court cannot determine the value of those benefits or that benefit—30% of the body corporate’s adjusted turnover during the breach turnover period for the act or omission.
(1C) For the purposes of item 9 of the table in subsection (1A), the amounts are as follows:
(a) $10,000,000;
(b) if the Court can determine the value of the benefit that the body corporate, and any body corporate related to the body corporate, have obtained directly or indirectly and that is reasonably attributable to the act or omission—3 times the value of that benefit;
(c) if the Court cannot determine the value of that benefit—10% of the body corporate’s adjusted turnover during the 12‑month period ending at the end of the month in which the act or omission occurred or started to occur.
(2) Nothing in subsection (1) authorises the making of an order against an individual because the individual has contravened or attempted to contravene, or been involved in a contravention of, section 45D, 45DA, 45DB, 45E or 45EA.
(3) If conduct constitutes a contravention of two or more provisions of Part IV (other than section 45AF or 45AG), or two or more provisions of section 53ZQ, a proceeding may be instituted under this Act against a person in relation to the contravention of any one or more of the provisions but a person is not liable to more than one pecuniary penalty under this section in respect of the same conduct.
(4) The single pecuniary penalty that may be imposed in accordance with subsection (3) in respect of conduct that contravenes provisions to which 2 or more of the limits in items 1, 2 and 3 of the table in subsection (1A) apply is an amount up to the highest of those limits.
Specified provisions of Part IVBA
(4A) For the purposes of subparagraph 76(1)(a)(iaa), the following provisions of Part IVBA are specified:
(a) section 52J;
(b) section 52ZI;
(c) a provision of Division 4 of Part IVBA;
(d) section 52ZC;
(e) section 52ZH;
(f) section 52ZS;
(g) subsection 52ZT(5);
(h) subsection 52ZV(3);
(i) section 52ZZE;
(j) subsection 52ZZF(1).
76A Defence to proceedings under section 76 relating to a contravention of section 92
(1) In this section:
contravention, in relation to a section, includes conduct referred to in paragraph 76(1)(b), (c), (d), (e) or (f) that relates to a contravention of the section.
(2) In proceedings against a person (the respondent) under section 76 in relation to an alleged contravention of section 92, it is a defence if the respondent establishes:
(a) that the contravention in respect of which the proceedings were instituted was due to reasonable mistake; or
(b) that the contravention in respect of which the proceedings were instituted was due to reasonable reliance on information supplied by another person; or
(c) that:
(i) the contravention in respect of which the proceedings were instituted was due to the act or default of another person, to an accident or to some other cause beyond the respondent’s control; and
(ii) the respondent took reasonable precautions and exercised due diligence to avoid the contravention.
(3) In paragraphs (2)(b) and (c), another person does not include a person who was:
(a) a servant or agent of the respondent; or
(b) if the respondent is a body corporate—a director, servant or agent of the respondent;
at the time when the alleged contravention occurred.
(1) In this section:
contravention, in relation to a section or Part, includes conduct referred to in paragraph 76(1)(b), (c), (d), (e) or (f) that relates to a contravention of the section or Part.
pecuniary penalty order means an order under section 76 for the payment of a pecuniary penalty.
(2) The Court must not make a pecuniary penalty order against a person in relation to a contravention of Part IV, subsection 56BO(1) or section 56BZJ or 92 if the person has been convicted of an offence constituted by conduct that is substantially the same as the conduct constituting the contravention.
(3) Proceedings for a pecuniary penalty order against a person in relation to a contravention of Part IV, subsection 56BO(1) or section 56BZJ or 92 are stayed if:
(a) criminal proceedings are started or have already been started against the person for an offence; and
(b) the offence is constituted by conduct that is substantially the same as the conduct alleged to constitute the contravention.
The proceedings for the pecuniary penalty order may be resumed if the person is not convicted of the offence. Otherwise, the proceedings are dismissed.
(4) Criminal proceedings may be started against a person for conduct that is substantially the same as conduct constituting a contravention of Part IV, subsection 56BO(1) or section 56BZJ or 92 regardless of whether a pecuniary penalty order has been made against the person in respect of the contravention.
(5) Evidence of information given, or evidence of production of documents, by an individual is not admissible in criminal proceedings against the individual if:
(a) the individual previously gave the evidence or produced the documents in proceedings for a pecuniary penalty order against the individual for a contravention of Part IV, subsection 56BO(1) or section 56BZJ or 92 (whether or not the order was made); and
(b) the conduct alleged to constitute the offence is substantially the same as the conduct that was claimed to constitute the contravention.
However, this does not apply to a criminal proceeding in respect of the falsity of the evidence given by the individual in the proceedings for the pecuniary penalty order.
(6) In this section:
offence means an offence against a law of the Commonwealth, a State or a Territory.
77 Civil action for recovery of pecuniary penalties
(1) The Commission may institute a proceeding in the Court for the recovery on behalf of the Commonwealth of a pecuniary penalty referred to in section 76.
(2) A proceeding under subsection (1) may be commenced within 6 years after the contravention.
77A Indemnification of officers
(1) A body corporate (the first body), or a body corporate related to the first body, must not indemnify a person (whether by agreement or by making a payment and whether directly or through an interposed entity) against any of the following liabilities incurred as an officer of the first body:
(a) a civil liability;
(b) legal costs incurred in defending or resisting proceedings in which the person is found to have such a liability.
Penalty: 25 penalty units.
(2) For the purposes of subsection (1), the outcome of proceedings is the outcome of the proceedings and any appeal in relation to the proceedings.
Definitions
(3) In this section:
civil liability means a liability to pay a pecuniary penalty under section 76 for a contravention of a provision of Part IV or Part V.
officer has the same meaning as in the Corporations Act 2001.
77B Certain indemnities not authorised and certain documents void
(1) Section 77A does not authorise anything that would otherwise be unlawful.
(2) Anything that purports to indemnify a person against a liability is void to the extent that it contravenes section 77A.
77C Application of section 77A to a person other than a body corporate
If, as a result of the operation of Part 2.4 of the Criminal Code, a person other than a body corporate is:
(a) convicted of an offence (the relevant offence) against subsection 77A(1) of this Act; or
(b) convicted of an offence (the relevant offence) against section 11.4 of the Criminal Code in relation to an offence referred to in subsection 77A(1) of this Act;
the relevant offence is taken to be punishable on conviction by a fine not exceeding 5 penalty units.
78 Criminal proceedings not to be brought for contraventions of Part IV
Criminal proceedings do not lie against a person by reason only that the person:
(a) has contravened a provision of Part IV (other than section 45AF or 45AG); or
(b) has attempted to contravene such a provision;
(c) has aided, abetted, counselled or procured a person to contravene such a provision;
(d) has induced, or attempted to induce, a person, whether by threats or promises or otherwise, to contravene such a provision;
(e) has been in any way, directly or indirectly, knowingly concerned in, or party to, the contravention by a person of such a provision; or
(f) has conspired with others to contravene such a provision.
79 Offences against section 45AF or 45AG
(1) A person who:
(aa) attempts to contravene; or
(a) aids, abets, counsels or procures a person to contravene; or
(b) induces, or attempts to induce, a person (whether by threats or promises or otherwise) to contravene; or
(c) is in any way, directly or indirectly, knowingly concerned in, or party to, the contravention by a person of; or
(d) conspires with others to contravene;
a cartel offence provision is taken to have contravened that provision and is punishable:
(e) in a case where:
(i) the provision is a cartel offence provision; and
(ii) the person is not a body corporate;
by a term of imprisonment not exceeding 10 years or a fine not exceeding 2,000 penalty units, or both; or
(f) in any other case—accordingly.
(1AA) For the purposes of the application of subsection (1) to a case where:
(a) the provision is a cartel offence provision; and
(b) the person is a body corporate other than a corporation;
assume that each reference in paragraph 45AF(3)(c) or 45AG(3)(c) to a corporation were read as a reference to a body corporate.
(1AB) Subsections 11.1(2) to (6) (inclusive) of the Criminal Code apply in relation to paragraph (1)(aa) in the same way that they apply in relation to the offence of attempt under subsection 11.1(1) of the Criminal Code.
(1A) Subsections 11.2(2) to (5) (inclusive) of the Criminal Code apply in relation to paragraph (1)(a) in the same way that they apply in relation to subsection 11.2(1) of the Criminal Code.
(1B) Subsections 11.5(2) to (5) (inclusive) of the Criminal Code apply in relation to paragraph (1)(d) in the same way that they apply in relation to the offence of conspiracy under subsection 11.5(1) of the Criminal Code.
(5) Subsections 11.1(1), 11.2(1), 11.2A(1), 11.4(1) and 11.5(1) of the Criminal Code do not apply in relation to an offence against a cartel offence provision.
(7) In this section:
cartel offence provision means section 45AF or 45AG.
79A Enforcement and recovery of certain fines
(1) If:
(a) a fine has been imposed on a person for:
(i) an offence against section 44AAFB, 45AF or 45AG, subsection 56BN(1) or 56BZI(1) or section 154Q or 155; or
(ii) an offence against section 149.1 of the Criminal Code that relates to Part XID; and
(b) the person defaults in payment of the fine;
a Court may:
(c) exercise any power that the Court has apart from this section with respect to the enforcement and recovery of fines imposed by the Court; or
(d) make an order, on the application of the Minister, the Commission or (in the case of an offence against section 44AAFB) the AER declaring that the fine is to have effect, and may be enforced, as if it were a judgment debt under a judgment of the Court.
(2) Where a person in relation to whom an order is made under subsection (1) in respect of a fine gives security for the payment of the fine, the Court shall cancel the order in respect of the fine.
(3) Where the Court makes an order in relation to a person in respect of a fine, the Court may, at any time before the order is executed in respect of the fine, allow the person a specified time in which to pay the fine or allow the person to pay the fine by specified instalments, and, in that case:
(a) the order shall not be executed unless the person fails to pay the fine within that time or fails to pay an instalment at or before the time when it becomes payable, as the case may be; and
(b) if the person pays the fine within that time or pays all the instalments, as the case may be, the order shall be deemed to have been discharged in respect of the fine.
(4) Subject to subsection (7), an order under subsection (1) in respect of a fine ceases to have effect:
(a) on payment of the fine; or
(b) if the fine is not paid—on full compliance with the order.
(5) The term of a sentence of imprisonment imposed by an order under a law of a State or Territory applied by section 15A of the Crimes Act 1914 (including an order described in subsection 15A(1AA) of that Act) in respect of a fine shall be calculated at the rate of one day’s imprisonment for each $25 of the amount of the fine that is from time to time unpaid.
(6) Subject to subsection (7), where a person is required to serve periods of imprisonment by virtue of an order or orders under subsection (1) in respect of 2 or more fines, those periods of imprisonment shall be served consecutively.
(7) Subject to subsection (8), where:
(a) a person would, but for this subsection, be required by virtue of an order or orders under subsection (1) in respect of 3 or more fines to serve periods of imprisonment in respect of those fines exceeding in the aggregate 3 years; and
(b) those fines were imposed (whether or not in the same proceedings) for offences constituted by contraventions that occurred within a period of 2 years, being contraventions that appear to the Court to have been of the same nature or a substantially similar nature;
the Court shall, by order, declare that the order or orders shall cease to have effect in respect of those fines after the person has served an aggregate of 3 years’ imprisonment in respect of those fines.
(8) Where subsection (7) would, but for this subsection, apply to a person with respect to offences committed by the person within 2 or more overlapping periods of 2 years, the Court shall make an order under that subsection with respect to one only of those periods, being whichever period would give the person the maximum benefit from the application of that subsection.
(9) For the purposes of subsection (8), the Court may vary or revoke an order made under subsection (7).
(11) This section applies only in relation to fines imposed for offences committed after the commencement of this section.
79B Preference must be given to compensation for victims
If the Court considers that:
(a) it is appropriate to order a person (the defendant):
(i) to pay a pecuniary penalty under section 76; or