BILLS DIGEST No. 47, 2022–23
27 January 2023

Treasury Laws Amendment (Consumer Data Right) Bill 2022

The Authors

Mary Anne Neilsen

Key points

  • The Bill amends the Competition and Consumer Act 2010 to extend the consumer data right (CDR) framework to enable ‘action initiation’, a functionality aimed at allowing consumers to ‘authorise, manage and facilitate actions securely in a digital environment’.
  • Like the existing CDR legislation, the Bill is a principles-based legal framework, meaning that it provides the broad architecture for establishing the various action types. Much of the detail of how it will operate, its obligations and the regulatory burdens established are to be set by the Minister, the Treasury, and other entities through a range of legislative instruments and rules.
  • Interest groups have generally expressed support for action initiation, calling it a game changer that will drive greater participation and innovation in the CDR scheme. However, some stakeholders have also urged the Government to proceed cautiously to allow the market a level of stability and to ensure consumers’ data is secure and privacy is maintained.

Date introduced:  30 November 2022

House:  House of Representatives

Portfolio:  Treasury

Commencement:  On the day after Royal Assent.

Purpose of the Bill

The purpose of the Treasury Laws Amendment (Consumer Data Right) Bill 2022 (the Bill) is to amend the Competition and Consumer Act 2010 (CC Act; the Act) to extend the consumer data right framework to enable ‘action initiation’, a functionality aimed at allowing consumers to ‘authorise, manage and facilitate actions securely in a digital environment’.[1]

Structure of the Bill

The Bill consists of one Schedule divided into nine Parts.

Part 1 contains introductory provisions amending the objects provision and the simplified outline for Part IVD of the CC Act to take account of the amendments in the Bill.

Part 2 deals with Ministerial declarations regarding action initiation.

Part 3 inserts key terms in relation to the action initiation framework.

Part 4 contains changes to the rule making power to empower the Minister to make rules regarding the action initiation framework.

Part 5 deals with compliance.

Part 6 amends the privacy safeguards so that they will apply to the CDR data that will flow as a result of action initiation.

Part 7 contains minor amendments to change references to the term ‘Data Recipient Accreditor’ to ‘CDR Accreditor’.

Part 8 contains consequential and minor amendments.

Part 9 contains minor consequential amendments required following enactment of the
Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022.

The Bills Digest considers only the amendments in Parts 2 to 6 of Schedule 1 to the Bill.


The Consumer Data Right

The Consumer Data Right (CDR), also called ‘Australia’s national data portability initiative’, gives individuals and businesses the ability to share their data with trusted and accredited third parties, along with limited types of data with non‐accredited parties. In turn, these third parties can use this data to provide products, services and insights that benefit consumers. This includes, for example, providing a single view of a consumer’s financial position, lending product comparisons or, in the future, faster loan applications and easy switching between different products and service providers.[2]

The CDR scheme is being rolled out progressively across the Australian economy on a sector-by- sector basis. It has been in operation in the banking sector for over 2 years[3], and has recently commenced in the energy sector.[4] In January 2022, the telecommunications sector was designated as the third CDR sector[5] and in September 2022 Treasury released an Exposure Draft of the revised CDR Rules for the telecommunications sector.[6] Open Finance has been identified as the next priority area for expansion.[7]

The CDR is underpinned by the legislative framework set out in Part IVD of the CC Act. Enacted in 2019, through the Treasury Laws Amendment (Consumer Data Right) Act 2019, this enabling legislation:

'sets out the role, functions and powers of Treasury, the Australian Competition and Consumer Commission (ACCC), the Office of the Australian Information Commissioner (OAIC), the Data Standards Chair and the Data Standards Body, and outlines the overarching objectives and principles for the CDR. The Act also gives the Minister the power to designate a sector of the Australian economy to be subject to the CDR, and to make consumer data rules. A sector is designated by legislative instrument, which specifies the broad classes of data subject to the CDR and the class or classes of persons who hold the designated information (the data holders).’ [8]

‘The designation instrument itself does not impose data sharing obligations. The requirement to disclose particular data emanates from the Competition and Consumer (Consumer Data Right) Rules 2020 (the rules), which provide the framework for how the CDR operates in a particular sector.’[9]

Inquiry into the Future Directions for the Consumer Data Right

In January 2020 the Coalition Government began an inquiry into the CDR, led by Scott Farrell (Inquiry into Future Directions for the Consumer Data Right).[10]

The final report of the Inquiry (Farrell inquiry report), released in December 2020, made 100 recommendations to expand the CDR by enabling greater consumer data empowerment and deeper functionality such as implementing third party action and payment initiation, an economy‐wide foundation, a more integrated data ecosystem, and realising international digital opportunities.[11]

The Coalition Government responded to the final report in December 2021 and, in supporting the recommendations regarding action initiation, stated:

The Government will expand the functionality of the CDR regime to include support for consumer-directed third-party action initiation with appropriate consumer and privacy safeguards. This will provide consumers with improved sources of assistance when interacting with their existing or prospective service providers.

Action initiation functionality will be applied in several phases. Its application to banking will prioritise enabling third party payment initiation, complementing current developments and infrastructure in the payment industry. This will enable new, competitive and consumer-focused payment services to develop. The Government will also prioritise CDR being extended to support consumers to manage their existing information and products and eventually to switch to new products and providers, which will bring major savings to households and businesses.[12]

On 26 September 2022 the Treasury released Exposure Draft legislation to enable action initiation under the CDR regime.[13] After a short period of consultation on the Exposure Draft, the Treasury Laws Amendment (Consumer Data Right) Bill 2022 was introduced to the House of Representatives on 30 November to give effect to these proposed reforms.

Brief outline of action initiation as set out in the Bill

As envisaged by the Farrell inquiry report and as set out in the Bill, action initiation, often referred to as 'write access', would provide consumers with the ability to instruct accredited organisations to initiate actions on their behalf. In contrast, under the current CDR framework, consumers can only consent to accredited entities being given access to their data in 'read only' form.[14]

These actions could include making a payment, opening and closing an account, switching providers and updating personal details (such as address) across providers.[15] The Explanatory Memorandum gives an example from the energy sector, where action initiation could allow consumers to change energy providers following receipt of information about other providers that offer more suitable or lower cost services.[16]

The Bill establishes the enabling provisions for action initiation, outlines key obligations and safeguards, and provides a pathway to bring individual action types into the CDR. The Bill has been drafted to work alongside the current data-sharing arrangements in the CDR.[17] Like the existing CDR legislation, the Bill is essentially a principles-based legal framework, meaning that it provides the broad architecture for establishing the various action types. Much of the detail of how it will operate, its obligations and the regulatory burdens established are to be set by the Minister, the Treasury, and other entities through a range of legislative instruments and rules.

Action initiation is made up of two parts: the instruction layer and the action layer:

‘The instruction layer would sit within the CDR scheme and enable a consumer to give consent for a third party, known as an Accredited Action Initiator, to send an action initiation request to an Action Service Provider. The Action Service Provider would then authenticate the consumer and carry out the action as they would if the request came directly from the consumer. The Action Service Provider would carry out the action in the action layer, which would be outside the scope of the CDR.’[18]

The advantages of CDR and action initiation are said to be:

The CDR gives consumers control over their data, helping Australians make better use of their money by making it safe to use transaction data to simplify complex financial decisions and take advantage of data-enabled innovations. Increasing functionality of the scheme to include action initiation would empower consumers to authorise, manage and facilitate actions securely in the digital economy.[19]

Further analysis of the Bill is set out in the Key issues and provisions section below.

Committee consideration

At the time of writing, the Bill has not been referred to a committee for inquiry and report.

Senate Standing Committee for the Scrutiny of Bills

At the time of writing, the Committee had not reported on the Bill.

Policy position of non-government parties/independents

It appears that there has been no public comment about the position of non-government parties or independents.

However, as noted above, the previous Coalition Government, in its response to the Farrell inquiry report, supported the recommendations regarding action initiation. It would appear therefore that the Bill may have bipartisan support in the Parliament.

Position of major interest groups

At the time of writing, there appears to be little public comment on the Bill.

However, submissions were received on the Exposure Draft of the Bill during the consultation period in 2022. While these are not available on the Treasury’s website, a small number can be found on other websites and are referred to below. Note that these may not represent the full range of views.

The Australian Communications Consumer Action Network (ACCAN)[20] expressed support for the introduction of action initiation into CDR but also suggested that the scheme should be developed and implemented in close consultation with consumers and their representatives.[21] ACCAN’s submission states:

Noting recent high-profile consumer data breaches, it is more important than ever that the CDR provides robust data protections to ensure the security of consumer data. These protections must be communicated to consumers through an appropriate public awareness campaign as well as targeted outreach with vulnerable consumer groups.

Another key concern with the action initiation scheme is its potential to contribute to domestic and family violence (DFV). We encourage Treasury to consider the implementation of further safeguards, to preclude DFV perpetrators from using the CDR, including the proposed action initiation scheme, to engage in controlling behaviour or to commit financial abuse. We recommend careful consideration of these issues and further consultation with domestic and family violence services on potential safeguards as the CDR is expanded to the telecommunications sector.[22]

The Australian Banking Association (ABA) – whose 20 members include the four major banks[23] – urges caution in moving towards action initiation. ABA argues:

Ahead of the expansion of the CDR through action initiation, the ABA encourages the Government to carefully consider and address the scams, fraud and cyber risks, while the CDR is still in its early stages. Now is the time to ensure regulatory settings prioritise the protection of consumers.[24]

Referring to the recent significant cyber incidents which have highlighted the cyber risk environment[25], the ABA’s submission argues:

It is critical that the safety and security of the CDR ecosystem is retained and strengthened, and that a careful consideration of the phasing of the rollout of action types based on use value, risk and complexity is undertaken.[26]

The ABA submits that the CDR ‘needs more time to grow naturally and that increasing functionality at this stage may not result in more customers using the CDR’[27]. The submission continues:

On the contrary, adding these functionalities without allowing the market a level of stability to enable use case development could impede the development of a competitive market for use cases.

Adding action initiation in the near term may also compromise the intended outcome by adding considerable strain on finite resources and staff.

In light of these factors, the ABA recommends the government allow a period of at least 18–24 months ahead of declaring actions for implementation.[28]

An independent Statutory Review of the Consumer Data Right report containing 16 recommendations and 15 findings was released by Assistant Treasurer Stephen Jones on 29 September 2022. The 96–page report described the CDR as being at a ‘critical point in its implementation’.[29] It states (Recommendation 2.5):

The current pace of CDR rollout into new sectors has not allowed enough time for the system to mature and capitalise on the lessons learnt. Focussing on improving CDR functionality and data quality within already designated sectors should be prioritised, balanced with overall forward momentum into new sectors over time.[30]

The report refers to action initiation as a ‘game-changer’, which is expected to drive greater participation and innovation in the CDR scheme.[31] The review also found (Finding 3.6):

There is significant enthusiasm for the delivery of action initiation under the CDR, with many submissions noting the opportunities for the CDR to capitalise on concurrent work being undertaken within payments systems, such as PayTo. Where possible, the CDR should work in conjunction with other initiatives to minimise potential friction points and reduce regulatory compliance for participants, with the objective to create more streamlined consumer experiences.[32]

Academics Natalia Jevglevskaja and Ross Buckley, in a detailed analysis, write very positively about action initiation. They state:

The most important of the next steps in the development of the CDR is the implementation of action initiation. […] the CDR regime without action initiation is inchoate. Action initiation gives the regime its capacity to effect change in commercial behaviour, and we are delighted its implementation is underway.[33]

They also suggest that CDR will progress slowly but stressed the importance of consumer education. They acknowledge William Russell, former Lord Mayor of the City of London who said the CDR ‘is not something that happens overnight. And it is also not something that customers acknowledge in a short space of time. Sometimes, there is a catch-up phase.’[34] Jevglevskaja and Buckley conclude:

The progress of CDR in Australia is likely to mirror that of open banking in the UK and requires time to become broadly popular. Nonetheless, from a consumer perspective, the suggestion of 'more control' of one's data, involving it being opened to a larger circle of interested parties, may seem counterintuitive. Targeted consumer education about the regime should not therefore be delayed for too long.[35]

The Australian Energy Council submission argues that expanding the CDR to incorporate action initiation is exciting, although not without risk.[36] It states:

Giving third parties the power to make decisions on behalf of customers requires two core protections

1. Protections to ensure a customer and their data is secure and privacy maintained.

2. Protections to ensure third parties act in the best interests of the customer.

There has been cautious messaging in the past, via the Future Directions Inquiry, and in the present, via the CDR Statutory Review, that CDR must reach a certain level of maturity before action initiation commences. The Exposure Draft’s proposal to unroll action initiation via ministerial designation does, in theory, create a workable process for action designation based on each designated sector’s maturity and readiness for an action type.

In practice, however, the AEC considers it likely that there will be significant stakeholder pressure placed on Treasury to begin designating actions immediately regardless of system maturity. This is not ideal and the AEC is of the view that the CDR framework, especially in non-banking sectors, is still too nascent to evaluate whether action types can occur safely and securely. The energy sector is yet to commence and even then, it will take several months, if not years, to see any meaningful uptake and interaction from customers. [37]

Financial implications

The Explanatory Memorandum states that the Bill will have no financial impact.[38]

Statement of Compatibility with Human Rights

As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 (Cth), the Government has assessed the Bill’s compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The Government considers that the Bill is compatible.[39]

Parliamentary Joint Committee on Human Rights

At the time of writing the Committee had not reported on the Bill.

Key issues and provisions

Ministerial declarations: actions initiated under the consumer data rules

Part IVD of the CC Act establishes the existing CDR legislative framework and within that Part, Subdivision B of Division 1 contains provisions setting out the process required for the Minister to declare the CDR to apply to various sectors of the economy over time. Items 4 to 20 of the Bill amend Subdivision B in order to establish a similar Ministerial declaration process for establishing actions that can be initiated under the consumer data rules.

Item 5 inserts proposed section 56ACA to provide that the Minister may by legislative instrument declare one or more types of actions for which an instruction may be given under the consumer data rules. For each of those action types, the instrument would also declare classes of data holders of CDR data[40], that are to be action service providers.[41] A note to this section explains that the classes of data holders specified for an action type will have no choice about being action service providers for that action type.

For the purposes of the scheme, such a declaration by the Minister is a CDR declaration, and such an action a CDR action (proposed section 56AMA, item 43).

Prior to making an action declaration, the Minister must undertake a period of consultation and consider a range of matters.[42] These matters include the likely effect of such an action declaration on:

  • the interests of consumers
  • the privacy of consumers’ information
  • promoting competition and innovation
  • any intellectual property in the covered information
  • the public interest
  • any other factors the Minister considers relevant.[43]

As with designating a sector of the economy, the Secretary of Treasury has a role in an action declaration and must arrange for:

  • an analysis of the same matters that the Minister must consider
  • public consultation for at least 28 days
  • consultation with the ACCC, the Australian Information Commissioner and any other person or body prescribed in regulations, and
  • the preparation of a report for the Minister (which must be published) about the analysis and consultation.[44]

In addition, for an action type declaration, the Secretary must arrange for consultation with a person or body (if any) that the Secretary believes to be a regulator of the action type in question.[45]

The Minister can only proceed to make the action type declaration once satisfied the Secretary has complied with all these requirements and at least 60 days after the Secretary publishes their report.[46]

Separately, the Minister must also consult the Australian Information Commissioner about the likely effect of making the action type declaration on the privacy or confidentiality of consumers’ information.[47]

An action type declaration is not invalid due to failure to fulfill any of these requirements.[48]

Participants in the CDR system

The CC Act currently outlines three key participants in the CDR system: data holders, CDR consumers and accredited data recipients:

  • data holders are original holders of the data that the right of transfer applies to[49]
  • CDR consumers for CDR data can be either individuals or businesses who holds the ‘rights’ to access the data held by a data holder and to direct that this data be shared with an accredited person[50]
  • an accredited data recipient for CDR data is a person or entity that has been accredited[51], and who has received CDR data as a result of a disclosure made in accordance with the consumer data rules.[52]

The Bill introduces two new roles in the CDR system:

  • action service providers: entities that carry out an action initiated by an accredited action initiator on a consumer’s behalf (proposed section 56AMB, item 43); and
  • accredited action initiators: entities that, with the consumer’s consent, initiate an action by instructing the action service provider on the consumer’s behalf (proposed section 56AMC, item 43).

The term CDR action participant applies to both action service providers and accredited action initiators for one or more types of CDR actions (proposed section 56AMD, item 43).

Participant obligations

Part 5 of Schedule 1 to the Bill imposes a number of obligations on CDR action participants. Certain obligations are introduced to deal with wrongdoing specific to CDR action initiation whereas others are modelled on existing requirements applicable to CDR participants for CDR data.[53]

Items 78 to 81 amend sections 56BN and 56BO, the existing provisions that prohibit misleading and deceptive conduct, to extend their application to CDR action initiation. The additional prohibited conduct is conduct that misleads a person into believing that:

  • a person is a CDR consumer for a CDR action, or
  • a person has satisfied the criteria under the consumer data rules for making a request, or giving or processing a valid instruction, for the performance of a CDR action.

The penalties remain the same as for the existing misleading and deceptive conduct offences.

Item 85 inserts provisions establishing obligations on accredited persons and CDR participants. These include:

  • accredited persons must act efficiently, honestly and fairly when initiating CDR actions (proposed section 56BZA)
  • accredited persons must only initiate CDR actions in accordance with CDR consumers’ valid requests (proposed section 56BZB).

Failure to act in accordance with these obligations is a contravention of the CC Act and may incur a civil penalty.

The existing civil and criminal prohibitions on holding out are repealed[54] and replaced with similar provisions that will apply to both CDR participants for CDR data and CDR action participants (item 85, proposed sections 56BZI and 56BZJ). For example, it is a criminal offence for a person to hold themselves out to be any of the following if that is not the case:

  • an accredited person
  • an accredited data recipient of CDR data
  • an accredited action initiator for a type of CDR action
  • an action service provider for a type of CDR action
  • authorised to do something by their approval as an action service provider.

The penalties remain the same as those for the existing holding out offences.

Item 85 also inserts proposed sections 56BZC and 56BZD which require action service providers to uphold the non-discrimination principle. The non-discrimination principle operates in relation to performing actions and charging fees:

  • Proposed section 56BZC provides that action service providers must not discriminate against an instruction merely because it arrives via the CDR. They must perform a validly requested action in relation to a CDR consumer if, having regard to criteria to be set out in the consumer data rules, they would ordinarily perform actions of that type in the course of their business
  • Proposed section 56BZD provides that when performing CDR actions, action service providers must not impose charges higher than their ordinary fees (worked out by reference to criteria in the consumer data rules). They must not charge any fees for processing CDR action instructions unless permitted to do so by the consumer data rules.

Under certain circumstances the ACCC may set fees that specified providers may charge for processing an instruction, and providers’ fees must not exceed that amount (item 85, proposed section 56BZE).

The power to make consumer data rules

Currently Division 2 of Part IVD of the CC Act contains provisions establishing the framework for the Minister to make consumer data rules for designated sectors. Items 44 to 77 in Part 4 of the Bill amend these provisions to establish a similar framework for the Minister to make consumer data rules to deal with the specific steps involved in initiating actions, accreditation of action initiators and other related matters. The provisions are detailed and technical. A sample of those provisions is described here. For further explanation see pages 22–30 of the Explanatory Memorandum.

Item 45 amends section 56BA(2) with the effect that the Minister may make rules for different types of CDR actions and different classes of CDR action participants and CDR consumers.

Proposed section 56BGA (inserted by item 56) provides for rules about participant roles and activities. Amongst other things it provides that the consumer data rules may include:

  • rules imposing requirements on accredited action initiators in relation to giving valid instructions in specified circumstances (paragraphs 56BGA(1)(a) and (c))
  • rules that prescribe how such instructions are to be prepared and delivered (paragraph 56BGA(1)(b))
  • rules relating to the privacy safeguards in relation to an instruction or request relating to a CDR action (paragraphs 56BGA(1)(g))
  • rules about how an action service provider for a type of CDR action processes a valid instruction (paragraph 56BGA(1)(e))
  • rules on the authorisation of disclosure or use of CDR data in accordance with a valid consent (paragraphs 56BGA(3)(a) and (b))
  • rules affecting the use, disclosure, accuracy, storage, security or deletion of information that is disclosed to a CDR action participant under the consumer data rules (subsection 56BGA(5)).

Proposed subsection 56BGA(4) explicitly provides that the consumer data rules cannot include rules requiring an action service provider for a type of CDR action to perform (or not perform) a CDR action of that type in a particular way. The Explanatory Memorandum explains the purpose of this provision:

The initiation of an action and its performance are two separate processes. The CDR framework is not intended to regulate how actions are performed. Each sector is already governed by laws and regulations specifically designed for that sector.[55]

The rules may also allow an action service provider to charge fees for processing instructions (proposed subsection 56BGA(2)). A note clarifies that fees are not allowed in the absence of such a declaration. A second note clarifies that the rules regarding fees would have no effect on what fees are charged at the action layer of performing the CDR functions.

The Explanatory Memorandum justifies this heavy reliance on consumer data rules stating:

Setting out requirements in the consumer data rules allows the scheme to be responsive to changes in technology as well as consumer demand for certain types of CDR actions. The scheme must adapt to these changes if it is to effectively regulate participants and benefit and protect consumers.[56]

Privacy safeguards

Currently privacy and security of CDR data is governed by 13 CDR-specific privacy safeguards contained in the CC Act and supplemented by the rules. These safeguards are modelled on the Australian Privacy Principles (APPs) in the Privacy Act 1988 but with some additional obligations.[57]

The Explanatory Memorandum states that the privacy safeguards include:

  • ‘restrictions on the use, collection and disclosure of information received through the consumer data rules to circumstances where the consumer has given consent
  • obligations on data holders and accredited data recipients to correct information, and
  • obligations on data holders and accredited data recipients to notify the consumer when information is disclosed’.[58]

Part 6 of the Bill proposes amendments that extend the privacy safeguards to CDR action initiation, applying in full to accredited action initiators, and in some cases to action service providers.

As the Explanatory Memorandum explains, accredited action initiators are brought within the ambit of the privacy safeguards by virtue of the amended definition of CDR data.[59]

The Bill extends the following privacy safeguards to action service providers:

  • privacy safeguard 1: open and transparent management of data (items 93–95, section 56ED)
  • privacy safeguard 3: requirements on when an entity can solicit CDR data from CDR participants (item 96, section 56EF)
  • privacy safeguard 4: dealing with unsolicited CDR data from participants in the CDR (item 96, section 56EG)
  • privacy safeguard 10: notifying of the disclosure of CDR data (items 99–102, section 56EM)
  • privacy safeguard 11: ensuring quality of the data (item 103–104, section 56EN), and
  • privacy safeguard 13: correction of CDR data (items 105–109, section 56EP).

The privacy safeguards are generally intended to apply to action service providers in relation to the instruction layer rather than the action layer. The APPs and the Privacy Act will apply to the action layer. The Explanatory Memorandum explains the rationale for this division:

Action service providers are likely to collect data externally to the CDR framework because of pre-existing, everyday business practices involving the use and disclosure of information. If the privacy safeguards and the Australian Privacy Principles applied to action service providers concurrently in relation to the action layer, this would create unnecessary duplication, increasing the risk of confusion. The existing Australian Privacy Principles, and the Privacy Act 1988 more broadly, are intended to apply to action service providers in respect of the action layer.

The privacy safeguards were introduced to facilitate further protection of information being used within the CDR framework. The purpose of extending these privacy safeguards to action service providers is to manage risks associated with the flow of CDR data in the instruction layer, and where information and privacy risks are specifically attributable to the CDR.[60]

Table 1.2 on pages 31–32 in the Explanatory Memorandum provides a summary of the changes to the application of the privacy safeguards.

Section 56EC of the CC Act sets out how the privacy safeguards interact with the consumer data rules and the Privacy Act. Subsections 56EC(4) and (5) deal with the interaction between the APPs and the privacy safeguards. Currently under this provision, if a particular privacy safeguard applies to a specified person in relation to CDR data, the corresponding APP generally does not apply.

The Bill amends this section so that the privacy safeguards are intended to apply to action service providers in the same manner that the privacy safeguards currently apply to data holders. The Explanatory Memorandum sets out the effect of these amendments:

  • if privacy safeguards 1 or 2[61] apply to an accredited person in relation to CDR data—the corresponding Australian Privacy Principle does not apply
  • if privacy safeguards 3 or 4[62] applies to an accredited person or a CDR action participant in relation to CDR data—the corresponding Australian Privacy Principle does not apply
  • if privacy safeguards 11 or 13[63] apply to a disclosure of CDR data by a data holder or action service provider—the corresponding Australian Privacy Principle does not apply.[64]

One modification to this arrangement relates to small businesses. With some exceptions the Privacy Act does not bind small businesses. However, this exemption will not apply in the case of a small business that is an action service provider for a type of CDR action. Rather the small business will be treated as if it were an ‘organisation’ within the meaning of the Privacy Act and the APPs will apply (item 90, proposed paragraph 56EC(4)(e)).