Economics Legislation Committee

LANE, Ms Kat, Vice-Chair, Australian Privacy Foundation

SOLOMON, Ms Lauren, Chief Executive Officer, Consumer Policy Research Centre

Committee met at 09:46

CHAIR (Senator Hume): I declare open this hearing of the Senate Economics Legislation Committee for the inquiry into the Treasury Laws Amendment (Consumer Data Right) Bill 2019. The Senate referred this inquiry to the committee on 6 December 2018 for report by 18 March 2019. That report date has since been changed to 21 March 2019. The committee has received 30 submissions so far, which are available on the committee's website. This is a public hearing, and a Hansard transcript of the proceedings is being made, although the committee may determine or agree to a request to have evidence heard in camera.

I remind all witnesses that in giving evidence to the committee they are protected by parliamentary privilege. It is unlawful for anyone to threaten or disadvantage a witness on account of evidence given to a committee and such action may be treated by the Senate as a contempt. It is also a contempt to give false or misleading evidence to a committee. If a witness objects to answering a question, the witness should state the ground upon which the objection is taken and the committee will determine whether it will insist on an answer. If the committee determines to insist on an answer, a witness may request that the answer be given in camera. Such a request may also be made at any other time.

Witnesses should speak clearly and into the microphone to assist Hansard to record proceedings, and I would ask photographers and camera persons to follow the established media guidelines and instructions of the committee secretariat. Please ensure that senators' and witnesses' laptops and personal papers are not filmed.

I now welcome representatives from the Consumer Policy Research Centre and the Australian Privacy Foundation. Thank you both for appearing before the committee today. I invite you to make a brief opening statement, should you wish to do so.

Ms Solomon : The Consumer Policy Research Centre are strong supporters of creating a trusted environment for greater sharing and use of consumer data. Through our research, we have highlighted the significant benefit to consumers of having greater access to and portability of their data to make easier comparisons of products and services and to switch to better deals. We've been supportive of the establishment of a consumer data right and other reforms for these reasons.

It's our goal to work with all sectors to deliver good data practices that in turn drive good innovation consistent with consumer and community expectations. Ultimately, it is data that will drive the Fourth Industrial Revolution, and, in many ways, Australia is playing catch up. We also need to make sure that our policies make sense within an international context for our economy to benefit, so getting our data policy setting right is therefore a matter of significant economic and social importance.

There are three things that CPRC encourages policymakers to address through current data reform processes. The first is to create a trusted data environment for data to be opened up within, and we note that in the UK and the EU there was a seven-year process that was gone through to establish the GDPR data protection framework prior to the open-banking system being implemented. The second is to address power imbalances and information asymmetries present between companies and consumers when it comes to their data. And the third is to ensure that consumers' needs and preferences are placed at the centre of data reforms generally.

To deliver an effective CDR regime, we believe it's essential that reforms deliver genuine choice and control through transparency, comprehension and agency. Transparency is critical so that consumers are clear about what data is being shared, what it's being used for and how it's being collected. For this reason, we believe it's critical that there is a high degree of specificity in the rules and the standards; however, neither have been finalised that currently stipulate that level of specificity required. There also needs to be a very clear articulation at the outset about what rights consumers have if they no longer want to participate or if they want to complain. We've not yet received specification on those matters.

The second element that we think is critical is comprehension. We have some concerns that the consumer testing is not sufficient to inform the rules surrounding the development of the consent standard. We would strongly support increased resources being allocated to consumer testing to ensure that, in the setting of the consent rules and standards, we have a high degree of confidence that consumers understand the risks and benefits of the sharing arrangements they're being asked to enter into. Usability was a key concept added to the data standards body principles and was included to ensure that consumers must be able to both comprehend and control what's happening to their data. However, it is unclear from the evidence provided to date that consumers are experiencing both of those goals.

The third element is agency and control. We need to ensure that consumers have ultimate say over what happens to their data. This includes giving consumers an explicit right to deletion not de-identification if a consumer is no longer comfortable with the company having their data. We note that 54 per cent of participants in the consumer research published by Tobias last week, who were engaged by Data61, expected that if they revoke their consent that their data would be deleted. As currently designed, that simply won't be the case. We firmly believe the CDR can be enhanced with due regard to these issues and, if implemented well, can build greater confidence and trust in the system. We believe that's exactly what a range of stakeholders are trying to achieve.

Lastly, I'd like to acknowledge the hard work of departmental and regulatory representatives who have been working on the consumer data right. The process has been quite complex and unusual, with the legislation, rules and data standards all being drafted in parallel. This has resulted in a very challenging environment for those involved to analyse, assess and provide advice on the varying instruments, all of which interact with each other. Without seeing the interaction of these elements end to end, it has been quite difficult to provide on potential consumer outcomes. A key example of this interconnected nature particularly relates to one of our key concerns around consumer comprehension, which will be impacted not only by the design and the grouping of customer payloads or data batches but also the level of specificity required by the ACCC rules, when it comes to articulating use and the use of redundant data defined in the legislation. Without an end-to-end view of the reforms, it's very difficult to assess the consumer impact and the impact on privacy. We remain strongly committed to these reforms and supportive of their intent; however, we are encouraging policymakers to take the time to get this right, because if poorly implemented it may well undermine the confidence in future data reforms and innovation to come.

CHAIR: Thank you.

Ms Lane : The Australian Privacy Foundation is a volunteer organisation which advocates for the privacy rights of all Australians. My submission concentrates on privacy, although there have been many other issues raised which we generally support, including Ms Solomon's.

The success of the consumer data right will depend on gaining the trust and confidence of Australians. People need to be certain that the consumer data right is safe and that there are best practice privacy safeguards in place. As it stands, adequate privacy safeguards are not in place at all, and there are three main reasons. One is that we do not have adequate privacy laws in Australia. The United Kingdom, which introduced open banking and which we are attempting to follow, has the General Data Protection Regulation, the Human Rights Act and a well-resourced active privacy regulator. We do not have any of these protections. Basically, following the UK into open banking without getting basic privacy protections in place leaves us all exposed to harm. It also means we are basically building a house of cards; every time we put in more data sharing over a range of ways, we are building it on insufficient privacy protections for all Australians.

The next issue is there are now varying privacy rules and principles depending on whether you are in open banking or not. This is confusing and unfair. It is not possible for any person in Australia to get access to justice or even understand the system if the rules vary at such an extreme rate, depending on what you're doing. An example is deletion. We have no right to delete data in Australia. There is a proposal to fix this with open banking. Why on earth don't we have the same rights as UK and European citizens to delete the data, and an expectation that it will be deleted?

The examples I could go on with are endless. Having confusing legislation that varies is a very poor outcome for us all.

The privacy impact assessment process conducted by the Treasury has been a complete failure. The privacy impact assessment is absolutely critical. It identifies risks, it proposes solutions for risks, and it involves extensive consultation throughout the entire process. Getting it wrong means we haven't got it. It just isn't working. I'll go through the current process that we've just been through.

The privacy impact assessment was an afterthought. It was presented as a draft to consumer advocates in November 2018 as pretty much a fait accompli. All consumer advocates objected and asked for an independent, rigorous privacy impact assessment process. Four of those advocates sent a letter demanding those changes. We've never received a response to that letter. Then, shortly after, on 21 December 2018, the draft privacy impact assessment was published for consultation. I do need to point out the date—21 December 2018. A lot of people were already on leave. They'd taken leave from their jobs. I'm a volunteer; I don't get to go away. But everybody was involved in seeing their families and taking leave. It was dropped at that time. That shows complete disdain for consultation.

Then, interestingly enough, there was no further consultation at all. Many people, if you read the submissions on the privacy impact assessment, said that there were serious problems with it, the risks were being underestimated and that it should have been done externally and independently. That was all ignored. The Australian Privacy Foundation received no contact at all from the Treasury regarding that process. Then the legislation was introduced in mid-February. I haven't got the exact date. It was an incredible decision, in those circumstances, to introduce legislation into parliament when there were serious concerns about the privacy impact assessment process and the results of the draft privacy impact assessment. In fact, the privacy impact assessment draft didn't really make any substantive changes, despite all these problems.

Then the Australian Privacy Foundation put in a submission to this inquiry on 1 March 2019. We put it in late. It was due on 28 February. We put in our submission at 4 pm. At about 7 pm that night the final privacy impact assessment and an external consultant's report were published on the Treasury website—all published, all finalised, no further consultation. This all adds up to a privacy impact assessment that the government cannot and should not rely on. It is deeply flawed. It underestimates the risks. It does not deal with the risks and is the result of almost no consultation, as we repeatedly objected to the process. It's useless. To be blunt: it is useless. It doesn't comply with the Office of the Australian Information Commissioner guidelines. Several submissions point this out.

The foundation fervently hopes that this committee recognises the serious risks that flow from not getting the privacy safeguards in place. We cannot proceed without getting this right. We also point to the experiences with My Health Record and the census, which demonstrate that Australians are concerned about their privacy. They do want the government to make sure that privacy safeguards are in place and they don't want people proceeding with things that are unsafe for people in Australia. We urge the committee to recommend that this legislation does not proceed until we review the privacy laws to make sure that they are adequate and, as an absolute minimum, that we have a rigorous, credible, independent privacy impact assessment process put in place so that all Australians can be sure that, if they're going to use open banking or the consumer data right, they are adequately protected and that it will be safe. As it stands, it is not.

CHAIR: Thank you, Ms Lane and Ms Solomon. I'll kick off with some questions. I might start with you, Ms Solomon. There was one issue in your submission where you noted that the bill allows for some consumer data to be available on a chargeable basis. You objected to this. You said:

Consumers should be provided with their CDR information for free without restrictions.

Given the great cost associated with holding and retrieving these very large amounts of data, why isn't it reasonable to ask for a contribution from customers for certain types of more complex data?

Ms Solomon : I think the concern we raise at this point is that we haven't gone through a process to establish what that actually is and, in that case, it's very difficult to actually put any sort of cost on it without that process being gone through. We'd encourage a thoughtful process that's been gone through to achieve something like that, but we're also concerned that, without a thorough process, consumers may experience a barrier to accessing their data, depending on how that pricing regime is structured.

Ms Lane : Just to add to that: the Privacy Act has had in place a principle of access to your own personal information for many, many years now. It involves a fee. They're entitled to charge a fee. The number of people in Australia who actually access their own information is very small. So there is already evidence in place that this is a pre-existing right that nobody uses because (1) there's a possible fee and it's not really clear what 'reasonable' is in relation to the fee, and (2), which is the other issue that comes out of this, you can just make it difficult to access the data. I've repeatedly tried to access my own data and I've encountered zillions of roadblocks, including fees. In other words, the whole system could fail if it's—

CHAIR: Once this legislation passes, Ms Lane, you shouldn't have that problem anymore.

Ms Lane : I would like to believe you but I'm not convinced that that's correct. It should have been in place before. Automating it doesn't make it easy. Fees do stop people accessing their information—costs stop people doing it—but also roadblocks of any kind stop people from doing it.

CHAIR: That's exactly what we're trying to achieve here. Can I ask about competition in markets—and I'll direct this to Ms Solomon—particularly in the credit market, which, of course, is the first one we're tackling here. How does your organisation see the CDR improving competition in markets?

Ms Solomon : When we think about competition as it relates to data, we agree with the ACCC Digital Platforms Inquiry that Australia's current market and regulatory structures have resulted in a failure of consumers being able to understand what is happening with their data, who it's being shared with and what's being collected. The CDR itself is a very narrow portability right. It won't deal with those broader issues that the ACCC has identified. What the right will do is enable a portability right support from one company to another. However, it does not address the significant competition issues, or failure of competition issues, that have been identified in Australia's current Privacy Act and our current framework, which is why we've been recommending a complementary process to address that as well as a process to open up data within that.

CHAIR: What about the lowering of barriers to entry for new players? Is that something that your organisation has considered?

Ms Solomon : We'd strongly encourage not addressing competition issues by loosening protections. We'd strongly encourage a lifting of standards across the board. We want a competitive environment for data practices but we also need to ensure that we actually have a system where consumers are not, on a daily basis, encountering significant information asymmetries and are not able to make informed choices about what happens with their personal information. Therefore, we think that these reforms would be strengthened by complementary reforms of our Privacy Act and our data protection framework so that there is a clear benefit to consumers using the CDR process.

CHAIR: There was a bit of discussion yesterday about having parallel privacy systems and standards—I suppose I should direct this to you too, Ms Lane—and the confusion and ambiguity that that could potentially create. Some of that, it was suggested, would be solved by mirroring wording—that that removes ambiguity. Do you have any comments on that?

Ms Lane : My first comment is that that would be an excuse to lower the standards. There is some positive out of this, because the government wants people to trust this process. The quid pro quo was improving the privacy safeguards a little bit—things like being able to delete your information or an automatic deletion. Those sorts of things currently don't exist in the current laws. If you mirrored them, the real risk is that we'd be going backwards. The little bits and pieces we're getting are an improvement to protect the privacy of Australians. It would be a real shame to go backwards. What we should be doing is dragging the entire law up to a higher standard. So, yes, I completely agree it's confusing and absurd, and lawyers like me are going to struggle to follow it. Ordinary people in Australia have no hope of working out their privacy rights depending on what's going on. But what we don't want to do is go backwards; we've got to go up. I'd give up mirroring to get further help, further protections for Australians.

Ms Solomon : I think also with regard to mirroring the point we would make is that the ACCC digital platforms inquiry did recommend that consumers should be afforded a right to delete their information and that that has been a current preliminary recommendation of the ACCC in that regard. And that would apply to all entities covered by the Privacy Act. If we were mirroring that sort of protection then we would see a right to erasure and deletion also in the CDR legislation.

CHAIR: I suppose one of the great concerns when you're weighing up the interests of competition and bringing prices down and having people get access to their own data and privacy is that it doesn't necessarily need to be an 'and/or'; it can be an 'and', and we do want both improved. But you wouldn't want to stifle progress on one until you got everything else just exactly right. My concern particularly with your testimony, Ms Lane, is that, unless we have the ultimate system, the perfect system, set up, we shouldn't progress any legislation, which is unrealistic. In particular you mentioned that in the UK and Europe they have things like the General Data Protection Regulation, the Human Rights Act and a privacy regulator. Is the equivalent regime something you would like to see set up here?

Ms Lane : Yes. Just to deal with your issue about putting things in place before we do other things, with the privacy stuff this is not some minor issue; this is the bedrock of an entire pile of work and innovation that's going to happen in Australia. What's happened—it's now over a decade—is that we continue to innovate and change things without getting our fundamentals correct. This isn't a matter of stifling innovation. This is where Australia has fallen behind on something incredibly fundamental like basic human rights, and we need to fix it. It's not just this; it's a whole range of things, a whole range of innovations that risk being a problem with them failing simply because of scandals and where the data goes missing. There is inadequate consumer redress simply because we didn't get these fundamentals right. I'm not saying I want to stifle innovation. I want to support innovation. The Privacy Foundation definitely wants to support innovation. We think it's inevitable. We want these things to happen. But we are behind the UK and Europe and a lot of other countries, like Canada. We are on our foundation stuff. Let's get the foundations right so that people in Australia can be sure that, when they're dealing with these things, they're safe.

CHAIR: I would have thought, particularly with the GDPR, it has stifled innovation; it has been a roadblock to progress. Is that not your understanding?

Ms Lane : Other people disagree. The issue is that, whatever the situation is, getting human rights in place is the necessary prior cost for us to make sure that Australians are protected while the innovation occurs. Innovation just needs to be innovative enough to deal with people's rights being protected. To be honest, there are a few people in industry now, particularly international companies, saying: 'We're sick of having to deal with different rules. We'd rather benchmark it up to the UK and Europe so that we can have standards that just go across our whole business.' The interesting thing is it's not just privacy advocates. You can see this from the submissions. It is not just privacy advocates and consumer advocates who are expressing concerns about getting this right. It is industry. The Australian Banking Association put in a submission talking about the problems with the privacy impact assessment. There are people in the media talking about it. Banks are contacting me and saying they've got concerns. Energy companies are in the media talking about it. Let's get this right and not have a My Health Record debacle or a census debacle. Let's just avoid the debacles. I'm keen to not be in a debacle, because I get called—

CHAIR: Okay, thank you. Can I just ask about the ACCC. You said in your submission that the ACCC is a strong regulator. Obviously that's the key regulator in this legislation. Your concern is with the OAIC; is that correct? All right. Thank you. Ms Solomon, one of the things you said in your submission—which I thought was quite interesting but didn't fully understand, so you might need to explain it to me—was that legislating CDR participants to participate in a centralised dashboard would greatly assist consumers in managing their consent and data portability over time, especially as new sectors are brought into the CDR system. What do you mean when you say a centralised dashboard? What does that look like?

Ms Solomon : The way the current system has been set up is that, within each single entity that a consumer might have an account with, they can go in and access how the data that they might have enabled through the CDR legislation is being shared. Our concern at the moment is that, because this reform is being set up to work across multiple sectors ultimately, what we would really like to see is some sort of centralised place, if you're thinking about it from a consumer experience perspective, where consumers can go in and see where all of their various data is being shared across the various sectors and who it's being shared with. If consumers are required to go into each and every single entity and adjust those settings, it is very difficult for a consumer to have comprehension about who they've shared with, at what point, when they might want to turn it off and how it's currently working. So that's why—

CHAIR: Who would manage something like that—the ACCC?

Ms Solomon : We would encourage the ACCC or the OAIC to think through that, but our concern at the moment is that it could be quite complex if it's located within each individual entity for each individual account or each set of data that might have been shared. So it does make sense to us.

CHAIR: So you're suggesting that every accredited entity should be registered on that dashboard and an individual should be able to—

Ms Solomon : For every entity that a consumer has decided to port their data to, a consumer should have access to a dashboard that would show them, 'You've enabled this sharing with this agency' so that you can actually have a consistent overall view about what's going on with your data.

CHAIR: Interesting. Thank you.

Senator KETTER: Firstly, Ms Lane, I share a lot of the concerns that you've expressed. You made the comment that the privacy impact assessment was released—you called it the final version—three hours after you had put in your submission. We heard yesterday from the Australian Banking Association that they consider the Privacy Act assessment as a work in progress and that they're working on some of these areas where they have concerns with Treasury's assessment of the risks. Is that your understanding?

Ms Lane : They said clearly in their submission that they wanted to work with Treasury. We also said clearly in our submission that we wanted to work with Treasury. We haven't been working with Treasury. Treasury published the final, got an external consultant's report, which as far as I'm concerned is what you do when you don't want to do consultation properly, and pulled it out. They didn't even follow the consultant's report. I haven't had a chance to read the whole lot, but I checked the recommendations. They didn't follow the external consultant's report. They ignored a whole heap of recommendations. I have no idea why any of those decisions were made. So I'm a stakeholder. I'm representing people. Lauren is a stakeholder. We're all stakeholders, as is the Australian Banking Association. I haven't heard. If they're talking to the Banking Association and not privacy and consumer advocates, that's a real problem. Yes, a PIA is supposed to be an iterative process, but this hasn't been an iterative process. This has been: 'We released a draft just before Christmas and we put out a final with an external consultant's report.' That is not how it's supposed to work. It's supposed to be where you are really capturing and engaging stakeholders and forming an impact assessment and considering all of the stakeholders' views, which include what a lot of us have now put forward in concerns, and none of that has happened.

The privacy impact assessment—yes, it can be fixed. The way it should be fixed is by getting somebody in to do it properly. Treasury didn't have the expertise. They have never done one before. They didn't consult properly. They did it as an afterthought. They breached the OAIC guideline on this point, on several points. People put submissions in on it. It's a failed process. We're obviously not giving up, but we need to get it right. People in Australia need to know we looked at the privacy safeguards and put them in place properly. If they were hard or difficult to put in place, then we did it properly. That's the point of an impact assessment process. So it would be good if Treasury started consulting on that. But they rang me and told me there was no way, no day, they were ever doing an independent privacy impact assessment. They absolutely had no intention, and they haven't talked to me since November. So this process rolls on and—

Senator KETTER: Going back to that point, what led to that conversation that you had with a Treasury official?

Ms Lane : I wrote an email in November objecting strongly, and they rang me twice to basically tell me to give up my objections. Then a letter was sent saying those objections again, and further objections, and there was no response. So, we haven't got a process that's working here. It could be resolved—some of it—by getting it done properly by an external, credible, independent person who is going to do it properly and get that consultation done. It should have been done correctly in the first place. That can still be fixed, and it should be.

Senator KETTER: Your organisation would normally be involved in consultations in respect of privacy changes to privacy rules?

Ms Lane : Yes. That's what we consider our job—the job of our volunteer organisation. We are inundated with work on this type of stuff. We put in submissions to all privacy related matters as a matter of course, unless we've just run out of puff and have collapsed due to the volunteer workload that we're under.

Senator KETTER: Did you get a sense from your discussion with the Treasury official that their reason for why an independent assessment was not going to be done was because of the time lines?

Ms Lane : No, they were explicit: they wanted to build expertise in Treasury on doing this process. I have to say, having seen the first go, they should never do it again. It's a good reason why the OAIC guide says really clearly that where there are going to be serious privacy impacts on people in Australia then it should be done independently and externally. I might add, just at the moment the data sharing legislation is getting an independent, rigorous privacy impact assessment, so I can't understand for the life of me why this is less important privacy-wise, when we're porting tonnes and tonnes of data. I can't understand the decision in any sense. I'd love to know how that decision was reached.

Senator KETTER: Ms Solomon, your submission talks about the fragmented policy approach here, but you don't make too much comment in relation to the privacy impact assessment process. Do you share similar concerns to Ms Lane?

Ms Solomon : Probably with the process, yes, in terms of compressed time lines, but also the main point that we've raised is that it's very difficult to make a privacy impact assessment without having a full end-to-end view of the standards, the rules and the legislation in unison, for the reasons we raised earlier. For example, the standards will set the batches of the data, the rules will design the consent standard, or the design of the consent and disclosure requirements required, but the legislation also sets things like the right to delete or the process once data becomes redundant. So, without all of those things coming together, it's quite difficult to assess how a consumer will experience the intent of the reform end to end.

Senator KETTER: One of the witnesses yesterday talked about cascading drafts and amendments with all these processes going on simultaneously. I can't understand how that can actually work, although Data61 representatives talked about the fact that it was useful to be doing these things in tandem. But your concern is that unless you see the end result it's hard to actually make a proper assessment, and the assessment should be the starting point. Is that your position?

Ms Solomon : Yes, and we're also supportive of the proposal to run some consumer testing to understand the impact. But the challenge is that we're implementing a legislation before that research has been completed to understand the level of consumer comprehension and agency that would be achieved from the reform. So that is the challenge. As we said, we always want this to be a good process for consumers and we want this to be a good reform. It's just challenging to assess—as I said—the lived experience that consumers are going to receive without seeing these things integrated.

Senator KETTER: You pointed out in your submission, and you were cautioning us:

… that leakage of Open Banking data to entities not covered by the CDR will not be covered by the CDR Privacy Safeguards and in some cases, will offer no protection under the Privacy Act (e.g. for businesses with a turnover of under $3 million).

Ms Solomon : That's correct. If a customer chooses to share their CDR data with an entity outside the CDR system then the Privacy Act or existing Privacy Principles apply, which offer no protection for consumers with a turnover of under $3 million. But that is probably more Kat's area of expertise. Is that correct?

Ms Lane : Yes. You're not required to comply with the Privacy Act if the turnover is less than $3 million. It is complex, difficult-to-follow legislation and rules and so forth. That's why the privacy impact assessment is so critically—that's why there's stuff missing. Every time we turn around, we find leakages where people aren't protected. The bare minimum should be that it's a closed system and you can't deal with somebody unless they're accredited and in dispute resolution. And there have to be really tough penalties—an axe needs to come down on your head if any data is ever breached; you're out—and those sorts of things. That isn't in place properly. Again, I keep coming back to the same problem.

We aren't in a rush here, I've got to say. The UK has been very slow to uptake. It's a very slow process, so there's no need for a rush. We should get it right and learn from the UK, because they're only seeing it happening now. I think we can confidently say it's not going to deliver any substantial competition benefits for consumers for some years to come.

Senator KETTER: Treasury would say that we have learnt from the UK in the sense that the model we're using is based on the UK approach.

Ms Lane : Yes, but the UK is still implementing. There's been a slow uptake. You've got to see how it's going to go. It will be interesting, I admit. They've got the foundation right, so it will be interesting to see how the innovation works. But it's been slow, and every commentator in the UK has agreed it's been slow. The UK is continuing to learn. We can learn from the UK. But it's hard to compare with the UK because we haven't got our foundation the same. The way it's going to play out in the UK with strong privacy safeguards versus in Australia with weaker privacy safeguards is anybody's guess. The obvious answer is it's going to play out not as well in Australia in terms of data breaches, problems with data and consumer dissatisfaction, but I don't know. I do know that, if we're comparing with the UK, let's get our foundation right. And let's not rush. Let's see how it works out in case there are any tweaks we need to make. Treasury does admit that it is an evolving space. Yes, we've learnt a lot about how the UK has implemented it, but we didn't implement the foundation they did. And we've still got lots to learn on how it rolls out.

Ms Solomon : The other thing I would say with regard to the UK comparison is that there is that broader data protection regulation in place so that, if data does port outside the open banking system, there are other additional protections in place for consumers. As we phrased, that's not what we have in Australia, so we're really supportive of the reforms officials have made to strengthen the privacy safeguards, specifically the CDR bill and rules. However, we don't have that broader protection framework in place, and that's the important difference that we need to think through when we're designing a system here.

Senator KETTER: Some people argue that we don't want the perfect to be the enemy of the good and we don't want to stifle innovation. People are saying there are some upsides with the CDR. But, if people don't take up their right to access the CDR because of trust issues, there's not going to be any progress. This legislation will be a bit of a white elephant—would you agree with that?

Ms Lane : That's my concern, and I don't want that outcome. I've been very disappointed. We support the right concept. We're the Privacy Foundation. Our whole thing is about people getting control of their own personal information—it's our raison d'etre—so obviously we want this to work. We want people to have really good control of their personal information. But we're building a house of cards, and the UK didn't do that. So I think we should learn from the UK and do it properly.

Senator KETTER: I presume what you're saying is that we should be amending the Privacy Principles to strengthen those rather than set up a separate safeguard regime, which is not only confusing for business but also confusing for consumers—is that correct?

Ms Lane : Yes. What we should do right now—and it can be complementary—is strengthen our privacy regime to benchmark against the GDPR so that we're properly comparing like with like from the UK and so we can build on their innovation. We do that all the time with the UK. We take great ideas and make them better. I want us to do that. But we should be starting the process now of getting the privacy safeguards right, admitting we should have done it better and getting a review in place now. There's been a cracking pace of doing this legislation and getting the rules in place, with endless cascades of drafts. But we can do that same cracking pace on getting the privacy safeguards in place for this, and every other innovation we want to do, so that people like me can sit there going: 'Yes, but at least the privacy safeguards are in place. People can use this system with confidence and trust.' Unfortunately for us, we spend a lot of time saying, 'We're really concerned.' We look overseas and they've got a much better human rights framework than we do, and it would be a lot better if we had that in place. We need to have our basic human rights in place so that people can engage with the government, engage with industry with trust.

Ms Solomon : I think consistency works on two levels. It's the experience that the consumers have, when they're engaging with different systems and processes, that there is a consistent experience with what's happening with their data. There is also consistency in the extent to which that also achieves sustainable innovation. So for companies who are often compliant or required to be compliant to multiple different regimes, that actually adds significant business costs and we're increasingly hearing businesses say that the costs of these differing regimes are causing problems. From our perspective, we would want a consistent approach. These are not problems that are unique to Australia. There is a massive debate underway internationally about competition, consumer protection and privacy. It was raised at the World Economic Forum in Davos. It's something that we believe we need to move forward with if Australia is going to reap the benefits of innovation to come from the new data and digital economy.

Senator KETTER: And so in terms of benchmarking our privacy protections against those of Europe, some of the things—I might perhaps throw a couple of these out to see if you agree with some of these issues. You've already talked about the right to deletion or erasure.

Ms Solomon : Yes.

Ms Lane : Could I point out that's a fundamental control. We don't have it in Australia; it's currently not here. The most fundamental control of your own personal information is the right for it to go away. It's the safest thing you can do to protect your data. Data breaches happen all the time. It's not if, it's when. The safest thing you can do to protect your data—and we need to educate people about this—is to delete it, but we don't even have the right, so, yes.

Senator KETTER: So if it sits there, there's always a potential for reidentification?

Ms Lane : There's always a potential for it to be misused or leaked or just any sort of mistake made in the use of it.

Senator KETTER: And a legislated right to restrict purposes for data use? So just say if you agree with these or not.

Ms Lane : Yes, I do.

Senator KETTER: A legislated right to object to processing?

Ms Lane : Yes.

Senator KETTER: And a legislated right to not be evaluated on the basis of automated processing?

Ms Lane : Yes, absolutely. And I do want to point out the automated processing thing came to the fore in Australia with the Centrelink robo-debt mess. There's now legal action by Legal Aid in Victoria on that issue, and so there should be. It's something that needs to be sorted out, because automation can seriously impinge on people's human rights and because it can just be completely wrong and inaccurate. It can be a really distressing breach of people's rights.

Senator KETTER: Ms Solomon, in the course of your opening statement you talked about addressing the power imbalance. Can you just refresh my memory? Are you seeing in this process promising signs that we're going to be able to address the power imbalance that exists?

Ms Solomon : I think it's going to all come down to whether or not consumers trust the system, and ultimately that will drive whether or not they do choose to port their data or not. I think it will go some way to addressing those power imbalances; however, as we said, this relates to only a very small, narrow set of data that can be ported on a voluntary basis. It doesn't address the broad 98 per cent—I don't want to put a percentage on it, but the other range of data that's actually flowing around and being shared across the Australian system. I guess I just go back to the ACCC digital platform inquiry's preliminary findings that did find significant market and regulatory failure of Australia's current system, where consumers are not able to make informed choices about the services and products that they are entering into when it comes to their data practices because there simply aren't enough requirements for disclosure and not enough control when it comes to things like deletion. I would just urge us to think really closely about what that means for us when we're trying to move forward with this sort of reform. As I said, we're very strongly supportive of reforms to enable greater customer portability and the CDR that will enable greater comparison of services and products; however, we're just encouraging that it be done right.

Ms Lane : Agreed.

Senator KETTER: Do you have a view as to what we should be doing with the time frames for consideration of this bill?

Ms Lane : I've said that we need to stop. I don't think it should have been introduced into parliament in a situation where you're put in a position to look at a bill when you're missing the rules. You don't get to see the entire thing and how it might work and what's missing from the legislation because the rules aren't clear. You're basically looking at half a thing. The privacy impact assessment processes haven't been completed properly. It doesn't meet community expectations. It can be fixed, but we need to fix it.

I think it's a really difficult position you're in, and the parliament is in, looking at legislation that's anchoring the top of this thing, and the rules are actually—it's a car. You've got the car, you don't have the engine. The engine is the rules. It's not just like regulations, with little bits and pieces; the big things that are going to affect consumers are all in the rules. I'm really concerned about the process and the position you're in looking at only half of it. And I'm concerned—I haven't been able to get to the bottom of this, because it's complicated—that there are some things that should be in the legislation that are currently in the rules. I haven't seen a proper analysis on how that decision was made, but there are quite a few things with privacy that I think just have to be legislation. Some things with consumer redress and those sorts of things should be in the legislation and not in the rules, but it's so complicated. I'm sure you heard people saying this yesterday: the process to get that in place so that you can be sure that we've got the mix right is so complicated that I don't think it's been completed. My central thing is we shouldn't rush this; we should get it right. The innovation will flow if we get it right.

Senator KETTER: Ms Solomon, Ms Lane's been pretty forthright about her views on the consultation process, particularly the timing of the draft impact assessment. Do you have similar concerns? I think Ms Lane used the phrase 'complete disdain for the consultation process'. What's your view, Ms Solomon?

Ms Solomon : Our view would be that there are very well-intentioned processes here that have gone possibly off-track due to a very compressed time line. I'm not sure that I necessarily agree that there was intent there; however, there was possibly an issue with execution and the compressed time lines within which we're being expected to review and provide advice on documents.

Senator KETTER: What's your understanding of the compressed time line?

Ms Solomon : We only really saw the privacy impact assessment, as Kat said, in December. We're here now, and it's gone through quite a few iterations since the first one. I think there was a late update as of—

Ms Lane : I haven't seen anything. I'm in a consultation mushroom situation. I'm in the dark. I don't know anything. If you know something, I'd be thrilled to know that that was something.

Ms Solomon : I think that more time would be useful.

Senator KETTER: But has anyone explained to you what's the imperative to get this done so quickly and to sacrifice good consultation processes and transparency?

CHAIR: For consumer outcomes.

Senator KETTER: But what's your understanding of the—

Ms Solomon : I don't have an understanding of the imperative.

Senator KETTER: That has not been explained to you?

Ms Solomon : I guess the view that is being put forward is that it will increase consumer comparison capability and those sorts of things, but I don't see the difference that taking a few more weeks or months might be to actually get that right.

Senator KETTER: And if the trust isn't there in the process and the outcome then it's not going to be utilised anyway.

Ms Solomon : That is the concern. The key issues that really need to be resolved are probably the right to erasure. We have heard companies raise valid concerns about where they have other existing legal obligations to hold that data, and that's a problem for them, which we agree with, and that's been dealt with in GDPR law by allowing that piece of the framework not to apply where other existing legal obligations are there on companies, and so we don't see any reason why we wouldn't apply a similar sort of approach here. We understand that that is a challenge and a problem. There are ways to deal with that. I think that's something that probably should be resolved.

The other thing that we would really encourage is sufficient resourcing to be provided to Data61 and others conducting consumer research so that we can be really sure that consumers comprehend what they're being asked to sign up to and, as I said, perhaps setting some sort of comprehension benchmark and making sure that that research is nationally representative as well and that it has a sufficient sample size so that we can have some confidence that, yes, consumers understand it; yes, they engage with it; it's not a clunky process; it's a good experience. Those sorts of things could be quite useful, I think, in the ACCC rules process to make sure that that's integrated. As I said before, I think there does need to be some really heavy thought put into the implications of the ACCC Digital Platforms Inquiry within this context. It is recommending the strengthening of the Privacy Act because of the significant market and regulatory failure that currently exists. I think they are some of the things we really need to deal with quite quickly to move forward with the reform.

Senator KETTER: Thank you very much.

CHAIR: Thank you very much for joining us today, Ms Lane and Ms Solomon. We'll let you go.