Commonwealth: Treasury Laws Amendment (Consumer Data Right) Act 2024 (Cth)

Treasury Laws Amendment (Consumer Data Right) Act 2024 No. 75, 2024 An Act to amend the Competition and Consumer Act 2010, and for related purposes Contents 1 Short title 2 Commencement 3 Schedules Schedule 1—Amendments Part 1—Introductory provisions Competition and Consumer Act 2010 Part 2—Declaring types of actions that can be initiated under the consumer data rules Competition and Consumer Act 2010 Part 3—Meanings of key terms Competition and Consumer Act 2010 Part 4—Changes to the power to make consumer data rules Competition and Consumer Act 2010 Part 5—Complying with the consumer data rules etc. Competition and Consumer Act 2010 Part 6—Changes to the Privacy safeguards Competition and Consumer Act 2010 Part 7—CDR Accreditor Competition and Consumer Act 2010 Part 8—Miscellaneous amendments Competition and Consumer Act 2010 Part 9—Contingent amendments Competition and Consumer Act 2010 Treasury Laws Amendment (Consumer Data Right) Act 2024 No. 75, 2024 An Act to amend the Competition and Consumer Act 2010, and for related purposes [Assented to 26 August 2024] The Parliament of Australia enacts: 1 Short title This Act is the Treasury Laws Amendment (Consumer Data Right) Act 2024. 2 Commencement (1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms. Commencement information Column 1 Column 2 Column 3 Provisions Commencement Date/Details 1. Sections 1 to 3 and anything in this Act not elsewhere covered by this table The day this Act receives the Royal Assent. 26 August 2024 2. Schedule 1, Parts 1 to 8 The day after this Act receives the Royal Assent. 27 August 2024 3. Schedule 1, Part 9 The later of: 27 August 2024 (a) immediately after the commencement of the provisions covered by table item 2; and (paragraph (a) applies) (b) the commencement of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022. However, the provisions do not commence at all if the event mentioned in paragraph (b) does not occur. Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act. (2) Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act. 3 Schedules Legislation that is specified in a Schedule to this Act is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this Act has effect according to its terms. Schedule 1—Amendments Part 1—Introductory provisions Competition and Consumer Act 2010 1 After paragraph 56AA(b) Insert: (ba) to enable consumers in those sectors to request accredited persons to give instructions: (i) safely, efficiently and conveniently on behalf of the consumers; and (ii) to service providers in those sectors; for the performance of actions; and 2 Paragraph 56AA(c) Omit "and (b)", substitute "to (ba)". 3 Section 56AB Omit: (c) may require these kinds of disclosures, and other things, to be done in accordance with data standards. substitute: (c) enable consumers in those sectors to request accredited persons to give instructions on behalf of the consumers to service providers in those sectors for the performance of actions; and (d) require these kinds of disclosures and other things to be done, and these kinds of instructions to be given, in accordance with data standards. This Part regulates the instruction layer associated with instructions for the performance of actions, which includes regulating requests for instructions, the giving of instructions, and how service providers process instructions. A service provider given an instruction under the rules to perform an action must do so if the provider ordinarily performs actions of that type in the course of its business. Otherwise, this Part contains little regulation of the action layer (that is, regulating how service providers perform actions they are instructed to do). For example, the provider can perform the action, and charge any fees, in the way it ordinarily does. Part 2—Declaring types of actions that can be initiated under the consumer data rules Competition and Consumer Act 2010 4 Subdivision B of Division 1 of Part IVD (heading) Repeal the heading, substitute: Subdivision B—Designating sectors, and declaring actions, to which the consumer data right applies 5 After section 56AC Insert: 56ACA Declared types of actions that can be initiated under the consumer data rules The Minister may, by legislative instrument, declare: (a) one or more types of actions for which an instruction may be given under the consumer data rules; and (b) for each of those action types—the classes of data holders, of CDR data, that are to be action service providers for that type of action. Note: The classes of data holders specified for an action type will have no choice about being action service providers for that action type. 6 Section 56AD (heading) Repeal the heading, substitute: 56AD Minister's tasks before designating a sector or declaring actions etc. 7 Subsection 56AD(1) After "subsection 56AC(2)", insert "or section 56ACA". 8 Subparagraph 56AD(1)(a)(vi) After "information", insert ", or relating to the types of actions,". 9 Paragraph 56AD(1)(b) After "information", insert ", or types of actions,". 10 Paragraph 56AD(1)(c) Before "the following matters", insert "for an instrument under subsection 56AC(2)—". 11 Paragraph 56AD(1)(d) Before "whether", insert "for an instrument under subsection 56AC(2)—". 12 Subsections 56AD(2) and (3) After "subsection 56AC(2)", insert "or section 56ACA". 13 Section 56AE (heading) Repeal the heading, substitute: 56AE Secretary must arrange for analysis, consultation and report about an instrument proposing to designate a sector or declare actions 14 Subsection 56AE(1) After "subsection 56AC(2)", insert "or section 56ACA". 15 Subparagraph 56AE(1)(b)(ii) Omit "includes", substitute "include". 16 Subparagraph 56AE(1)(c)(iii) Repeal the subparagraph, substitute: (iii) for an instrument under subsection 56AC(2)—the person or body (if any) that the Secretary believes to be the primary regulator of the sector that the instrument would designate; (iiia) for an instrument under section 56ACA—a person or body (if any) that the Secretary believes to be a regulator of a type of actions that the instrument would declare; 17 Section 56AEA (heading) Repeal the heading, substitute: 56AEA Commission must analyse an instrument proposing to designate a sector or declare actions 18 Section 56AEA Omit "56AD(1)(a) to (e)", substitute "56AD(1)(a) to (d)". 19 Section 56AF (heading) Repeal the heading, substitute: 56AF Information Commissioner must analyse and report about an instrument proposing to designate a sector or declare actions 20 Section 56AH After "subsection 56AC(2)", insert "or section 56ACA". Part 3—Meanings of key terms Competition and Consumer Act 2010 21 Before subsection 56AI(1) Insert: Meaning of CDR data 22 Subsection 56AI(1) Omit "information that". 23 Paragraph 56AI(1)(a) Before "is within", insert "information that". 24 After paragraph 56AI(1)(a) Insert: (aa) information that: (i) relates to a CDR consumer for a CDR action; and (ii) an accredited action initiator for CDR actions of that type is authorised by the consumer data rules to use, or disclose, to prepare or give a valid instruction for the performance of the CDR action on behalf of the CDR consumer; or 25 Paragraph 56AI(1)(b) Repeal the paragraph, substitute: (b) information that is not covered by paragraph (a) or (aa) of this subsection, but is wholly or partly derived from information covered by: (i) paragraph (a) or (aa) of this subsection; or (ii) a previous application of this paragraph. 26 Subsection 56AI(1) (note 2) After "paragraph (a)", insert "or (aa)". 27 Before subsection 56AI(2) Insert: Meaning of directly or indirectly derived 28 Before subsection 56AI(3) Insert: Meaning of CDR consumer for CDR data 29 After subparagraph 56AI(3)(b)(ii) Insert: (iia) is holding the CDR data as an action service provider for a type of CDR action; or 30 Subparagraph 56AI(3)(b)(iii) Omit "or (ii)", substitute ", (ii) or (iia)". 31 Paragraph 56AI(3)(d) Omit "conditions", substitute "exclusions". 32 After subsection 56AI(3) Insert: Meaning of CDR consumer for a CDR action (3A) A person is a CDR consumer for a CDR action if: (a) the performance of the CDR action: (i) is for the person; or (ii) relates to the person because of circumstances of a kind prescribed by the regulations; and (b) the performance of the CDR action is not for the person as: (i) an accredited action initiator for CDR actions of that type; or (ii) an action service provider for CDR actions of that type; and (c) none of the exclusions (if any) prescribed by the regulations apply to the person in relation to the CDR action. Example: Assume X and Y are both accredited action initiators, and Y gives a valid instruction for the performance of a CDR action (that relates to the supply of accounting services) on X's behalf. X will be a CDR consumer for the CDR action, but Y will not be because of paragraph (b). Other definitions of consumer do not apply for this Part 33 Paragraph 56AJ(1)(d) Omit "or (4)", substitute ", (3A), (4) or (5)". 34 Subsection 56AJ(2) (heading) Repeal the heading, substitute: First case—person is specified in the designation instrument and data not disclosed to the person under the consumer data rules 35 After paragraph 56AJ(3)(b) Insert: ; and (c) the conditions (if any) specified in the consumer data rules are met. 36 After subsection 56AJ(3) Insert: Third case—reciprocity arising from the person being a voluntary action service provider for a type of CDR action (3A) This subsection applies to a person and CDR data if: (a) neither the CDR data, nor any other CDR data from which it was directly or indirectly derived, was disclosed to the person under the consumer data rules; and (b) the designation instrument (see subsection (1)) also specifies, as described in paragraph 56AC(2)(b), a class of persons (the core data holders) as holding a class of information to which the CDR data belongs; and (c) the person is not a core data holder, but is a voluntary action service provider for a type of CDR action; and (d) the classes of data holders declared in the CDR declaration for that type of CDR action include the core data holders; and (e) the conditions (if any) specified in the consumer data rules are met. Note 1: The CDR data needs to be held by (or on behalf of) the person (see paragraph (1)(b)). Note 2: The core data holders are data holders because of subsection (2). 37 Subsection 56AJ(4) (heading) Repeal the heading, substitute: Fourth case—person is an accredited person and conditions in the consumer data rules are met 38 At the end of section 56AJ Add: Fifth case—person is specified in the designation instrument and conditions in the consumer data rules are met (5) This subsection applies to a person and CDR data if: (a) the person, or a class of persons to which the person belongs, is specified, as described in paragraph 56AC(2)(b), in the designation instrument as holding a class of information to which the CDR data belongs; and (b) the CDR data, or any other CDR data from which it was directly or indirectly derived, was disclosed to the person under the consumer data rules; and (c) the conditions specified in the consumer data rules are met. 39 Section 56AK Before "A person", insert "(1)". 40 Paragraph 56AK(c) Repeal the paragraph, substitute: (c) the CDR data, or any other CDR data from which it was directly or indirectly derived, either: (i) was disclosed to the person under the consumer data rules; or (ii) is covered by subsection (2) for the person; and 41 After paragraph 56AK(d) Insert: ; and (e) the first‑mentioned CDR data is not being held by (or on behalf of) the person as an action service provider for a type of CDR action. 42 At the end of section 56AK Add: (2) This subsection covers CDR data for a person if: (a) the CDR data is information that relates to a CDR consumer for a CDR action; and (b) the person is authorised by the consumer data rules to use or disclose that information to prepare or give a valid instruction for the performance of the CDR action on behalf of the CDR consumer. Note: This CDR data is information that is CDR data because of paragraph 56AI(1)(aa). Paragraph 56BGA(1)(d) ensures the rules can give the authorisation referred to in paragraph (b) of this subsection. 43 After section 56AM Insert: 56AMA Meanings of CDR action and CDR declaration (1) A CDR action is an action of a type declared under section 56ACA. (2) A CDR declaration, for a type of CDR action, is the declaration under section 56ACA that declares actions of that type. 56AMB Meanings of action service provider and voluntary action service provider (1) A person is an action service provider, for a type of CDR action, if the person: (a) is within a class of data holders (of CDR data) declared in the CDR declaration for that type of CDR action; or (b) is a voluntary action service provider for that type of CDR action. Note 1: A data holder covered by paragraph (a) has no choice about being an action service provider for CDR actions of that type. Note 2: A data holder covered by paragraph (a) for one or more types of CDR actions will not be an action service provider for any other type of CDR action unless the data holder chooses to apply to be a voluntary action service provider. (2) A person is a voluntary action service provider, for a type of CDR action, if: (a) paragraph (1)(a) does not apply to the person for that type of CDR action; and (b) the person holds an approval, of the kind described in subsection 56BHA(1), under the consumer data rules for that type of CDR action. Note: The person will need to have applied to be approved as an action service provider for CDR actions of that type (see subsection 56BHA(1)). 56AMC Meaning of accredited action initiator A person is an accredited action initiator for a type of CDR action if: (a) the person is an accredited person; and (b) the person's accreditation authorises the person to initiate that type of CDR action. Note 1: The consumer data rules may include rules about accreditation, including about different levels of accreditation (see subsection 56BH(1)). Note 2: The Register of Accredited Persons may include information about what a person's level of accreditation authorises the person to do (see section 56CE). 56AMD Meaning of CDR action participant A CDR action participant is an action service provider, or an accredited action initiator, for one or more types of CDR actions. Part 4—Changes to the power to make consumer data rules Competition and Consumer Act 2010 44 Subsection 56BA(1) After "designated sectors", insert ", or types of CDR actions,". 45 At the end of subsection 56BA(2) Add: ; or (e) different rules for different types of CDR actions; or (f) different rules for different classes of: (i) action service providers for types of CDR actions; or (ii) accredited persons; or (iii) CDR consumers for CDR actions. 46 After paragraph 56BB(c) Insert: (ca) initiating CDR actions (see also section 56BGA); 47 Paragraph 56BB(d) Omit "accreditation of data recipients", substitute "accreditation for the purposes of this Part". 48 After paragraph 56BB(d) Insert: (da) approving persons to be voluntary action service providers for types of CDR actions (see also section 56BHA); 49 At the end of paragraph 56BC(1)(a) Add: or (iii) a data holder of other CDR data; 50 Subsection 56BD(1) (heading) Omit "designated", substitute "certain". 51 Paragraph 56BD(1)(a) Repeal the paragraph, substitute: (a) the CDR data is covered by paragraph 56AI(1)(a) or (aa); and 52 After subparagraph 56BD(1)(b)(iv) Insert: (iva) a data holder of other CDR data; or (ivb) an action service provider for a type of CDR action; or 53 Subparagraph 56BD(1)(b)(v) Omit "subparagraph (ii), (iii) or (iv)", substitute "any of subparagraphs (ii) to (ivb)". 54 Subsection 56BD(1) (note 1) Repeal the note, substitute: Note 1: This means CDR data cannot be required to be disclosed if it is only CDR data because it is directly or indirectly derived from: (a) other CDR data within a class specified, as described in paragraph 56AC(2)(a), in an instrument designating a sector under subsection 56AC(2); or (b) other CDR data, about a CDR consumer for a CDR action, that an accredited action initiator is authorised to use to prepare or give a valid instruction for the performance of the CDR action. 55 Subsection 56BD(3) Repeal the subsection, substitute: Rules affecting data holders that relate to the use, accuracy, storage, security or deletion of CDR data (3) For a data holder of CDR data for which there are one or more CDR consumers, the consumer data rules: (a) can only include rules affecting the data holder that relate to the deletion of the CDR data if: (i) the CDR data; or (ii) any other CDR data from which it was directly or indirectly derived; was disclosed to the data holder under the consumer data rules; and (b) can only include rules affecting the data holder that relate to the use, accuracy, storage or security of the CDR data if such rules also relate to the disclosure of the CDR data under the consumer data rules. 56 After section 56BG Insert: 56BGA Rules about initiating CDR actions Instructions may be given to initiate types of CDR actions (1) Without limiting paragraph 56BB(ca), the consumer data rules may include the following rules: (a) requirements on an accredited action initiator for a type of CDR action relating to giving a valid instruction: (i) for the performance of a CDR action of that type; and (ii) to an action service provider for a CDR action of that type; and (iii) on behalf of a CDR consumer for the CDR action, and in response to that consumer's valid request; and (iv) after a series of specified kinds of interactions between that initiator, provider, consumer or other persons (whether involving all or any 2 of them); (b) rules about how an instruction must be prepared for it to be a valid instruction of the kind described in paragraph (a), what matters a valid instruction may cover, and when an instruction ceases to be a valid instruction; (c) rules about: (i) how a CDR consumer for a CDR action may make a valid request of the kind described in subparagraph (a)(iii); and (ii) what must be included in a request for it to be valid, what matters a valid request may cover, and when a request ceases to be a valid request; (d) for an accredited action initiator for a type of CDR action who is acting as described in paragraph (a) to give a valid instruction on behalf of a CDR consumer for a CDR action—rules authorising the initiator to use or disclose information relating to the consumer that: (i) is disclosed to the initiator; or (ii) is otherwise held by the initiator; to prepare or give the valid instruction; (e) requirements on an action service provider for a type of CDR action relating to how the provider processes a valid instruction of the kind described in paragraph (a); (f) rules relating to the interactions described in subparagraph (a)(iv); (g) rules relating to the privacy safeguards in relation to an instruction or request relating to a CDR action; (h) rules relating to information that is not CDR data, but that relates to a CDR action. Note 1: The requirements described in paragraph (a) could, for example, include a requirement that the instruction be prepared and given in accordance with the relevant data standards. Note 2: The rules may deal with similar or additional matters to those in the privacy safeguards. When doing so, the rules will need to be consistent with those safeguards (see subsections 56EC(1) and (2)). Allowing providers to charge fees at the instruction layer (2) Without limiting paragraph 56BB(ca), the consumer data rules may include rules declaring that action service providers for a type of CDR action may charge (or cause to be charged) fees for processing valid instructions of the kind described in paragraph (1)(a) for CDR actions of that type. Note 1: The action service providers will not be able to charge fees for processing valid instructions in the absence of such a declaration (see subsection 56BZD(1) and paragraph 56BZD(2)(a)). Note 2: This subsection has no effect on what fees the providers decide to charge at the action layer for performing the CDR actions. Authorised disclosures or use of related CDR data in accordance with valid consents (3) Without limiting paragraph 56BB(ca), the consumer data rules may include the following rules: (a) rules authorising a CDR action participant to disclose all or part of specified CDR data to a person in accordance with a valid consent of a CDR consumer for the CDR data; (b) rules authorising a person to use CDR data in accordance with a valid consent of a CDR consumer for the CDR data; (c) rules about: (i) how a CDR consumer for the CDR data may make a valid consent of the kind described in paragraph (a) or (b); and (ii) what must be included in a consent for it to be valid, what disclosures, uses or other matters a valid consent may cover, and when a consent ceases to be a valid consent. Rules must not apply at the action layer (4) Despite any other provision of this Division, the consumer data rules cannot include rules requiring an action service provider for a type of CDR action to perform (or not perform) a CDR action of that type in a particular way. Note 1: The consumer data rules focus on the instruction layer not the action layer. Note 2: The action service provider will need to ensure it does not discriminate against a valid instruction given under the consumer data rules (see sections 56BZC and 56BZD). Rules affecting CDR action participants that relate to the use, accuracy, storage, security or deletion of CDR data (5) For CDR data that: (a) is information referred to in paragraph (1)(d), or is directly or indirectly derived from other information referred to in that paragraph; and (b) is disclosed to a CDR action participant under the consumer data rules (whether the disclosure is directly or indirectly from the accredited action initiator referred to in that paragraph); the consumer data rules can include rules affecting that CDR action participant that relate to the use, disclosure, accuracy, storage, security or deletion of the CDR data. 57 Section 56BH (heading) Repeal the heading, substitute: 56BH Rules about accreditation for the purposes of this Part 58 After subparagraph 56BH(1)(d)(ii) Insert: (iia) specified types of CDR actions; or 59 After paragraph 56BH(1)(d) Insert: (da) rules specifying what a person accredited at a particular level is authorised to do (or not authorised to do); 60 Before the note to subsection 56BH(1) Insert: Note 1: The rules described in paragraph (d) could, for example, include a level of accreditation for initiating CDR actions under the consumer data rules. 61 Subsection 56BH(1) (note) Omit "Note", substitute "Note 2". 62 Subsection 56BH(3) Repeal the subsection, substitute: (3) Without limiting paragraph (1)(e), the grounds for varying, suspending or revoking an accreditation could include failing to comply with a requirement in this Part or in the consumer data rules. Note 1: The requirements in this Part include the privacy safeguards. Note 2: An example of a variation could be the imposition of a condition, or changing the level of an accreditation. 63 Subsection 56BH(4) Repeal the subsection, substitute: (4) If the consumer data rules include rules enabling decisions to be made: (a) to vary, suspend or revoke an accreditation; or (b) to refuse to make a decision described in paragraph (a); the rules must permit the making of applications to the Administrative Appeals Tribunal for review of those decisions. Note 1: The consumer data rules can also provide for internal review of these decisions, and internal and AAT review of other decisions (see section 56BJ). Note 2: The decisions could be decisions of the Minister or of another person (see paragraph 56BJ(c)). 64 After section 56BH Insert: 56BHA Rules about approving persons to be voluntary action service providers for types of CDR actions (1) Without limiting paragraph 56BB(da), the consumer data rules may include the following rules: (a) rules for the approval of persons who apply to be action service providers for one or more types of CDR actions; (b) the criteria for a person to be so approved; (c) rules providing that such approval may be granted subject to conditions, and that conditions may be imposed on such an approval after it has been granted; (d) rules providing that such approvals may be granted at different levels corresponding to different risks, including the risks associated with: (i) specified types of CDR actions; or (ii) specified classes of CDR data; or (iii) specified classes of applicants for such approvals; (e) rules specifying what a person approved at a particular level is authorised to do (or not authorised to do); (f) rules for the period, renewal, transfer, variation, suspension, revocation or surrender of such approvals; (g) notification requirements on persons whose such approvals have been granted, renewed, transferred, varied, suspended, revoked or surrendered; (h) rules about publishing details of such approvals, renewals, transfers, variations, suspensions, revocations or surrenders; (i) transitional rules for when such an approval is varied, is suspended or ends, including about the disclosure, collection, use, accuracy, storage, security or deletion of CDR data; (j) rules conferring functions or powers on the Minister for any of the matters described in this subsection. Note: The Minister may delegate the functions or powers referred to in paragraph (j) (see section 56GAA). (2) Without limiting paragraph (1)(b): (a) the criteria may differ for different classes of persons; and (b) the criteria may permit a person to be approved even if the person: (i) is not a body corporate established by or under a law of the Commonwealth, of a State or of a Territory; and (ii) is neither an Australian citizen, nor a permanent resident (within the meaning of the Australian Citizenship Act 2007); and (c) the criteria may include the payment of a fee. Any fee must not be such as to amount to taxation. (3) Any such approval is granted on the basis that no compensation is payable if the approval is varied, transferred, suspended, revoked or surrendered in any way. (4) Without limiting paragraph (1)(f), the grounds for varying, suspending or revoking such an approval could include failing to comply with a requirement in this Part or in the consumer data rules. Note 1: The requirements in this Part include the privacy safeguards. Note 2: An example of a variation could be the imposition of a condition, or changing the level of an approval. (5) If the consumer data rules include rules enabling decisions to be made: (a) to grant, vary, suspend or revoke such an approval; or (b) to refuse to make a decision described in paragraph (a); the rules must permit the making of applications to the Administrative Appeals Tribunal for review of those decisions. Note: The consumer data rules can also provide for internal review of these decisions, and internal and AAT review of other decisions (see section 56BJ). (6) Without limiting paragraph (1)(h), the rules may provide that: (a) a person able to make any of the kinds of decisions described in subsection (5) may supply to another person a copy or extract that: (i) is from a publication of details described in paragraph (1)(h), where those details are matters of fact; and (ii) is certified by the person to be a true copy or a true extract (as applicable); and (b) such a certified copy or extract (the certificate) is admissible in any proceedings as prima facie evidence of the original; and (c) the certificate must not be admitted in evidence in proceedings relating to a person unless: (i) the person; or (ii) a barrister or solicitor who is representing the person in the proceedings; has, at least 14 days before the certificate is sought to be so admitted, been given a copy of the certificate together with notice of the intention to produce the certificate as evidence in the proceedings. 65 After paragraph 56BI(1)(c) Insert: (ca) a power for a CDR consumer for a CDR action to direct an accredited action initiator for CDR actions of that type to give the consumer, or an accredited person, reports about: (i) the consumer's valid request made to the initiator, under rules like those described in subsection 56BGA(1), for the giving of a valid instruction for the performance of the CDR action; or (ii) a valid instruction given by the initiator, under rules like those described in subsection 56BGA(1), on behalf of the consumer and for the performance of the CDR action; (cb) a power for a CDR consumer for a CDR action to direct an action service provider for CDR actions of that type to give the consumer, or an accredited person, reports about the provider's processing of any valid instruction given to the provider: (i) on behalf of the consumer under rules like those described in subsection 56BGA(1); and (ii) for the performance of the CDR action; 66 Paragraph 56BI(1)(d) After "CDR participants for CDR data", insert ", or CDR action participants,". 67 Subsection 56BI(2) Omit "Without limiting paragraph 56BB(e)", substitute "Without limiting subsection (1)". 68 Subsection 56BI(2) Omit "or accredited persons,", substitute "CDR action participants or accredited persons". 69 Subparagraph 56BJ(f)(i) After "CDR participants for CDR data", insert ", or CDR action participants,". 70 Paragraph 56BJ(g) After "CDR data", insert ", or CDR action participants,". 71 After subparagraph 56BJ(ia)(iii) Insert: (iv) an action service provider for a type of CDR action; 72 After paragraph 56BK(2)(d) Insert: ; or (e) is an action service provider for a type of CDR action. 73 Subsection 56BK(3) Repeal the subsection. 74 Subsection 56BK(4) Omit "Subsections (1) and (3) apply", substitute "Subsection (1) applies". 75 After paragraph 56BP(a) Insert: (aa) consider the following kinds of matters in relation to making a rule described in subsection 56BGA(2) (about fees at the instruction layer) for a type of CDR action: (i) whether performers of actions of that type currently charge fees for processing instructions to perform such actions; (ii) whether the incentive to perform actions of that type would be reduced if fees could not be charged for processing such instructions; (iii) the marginal cost of processing such instructions in accordance with the consumer data rules; and 76 Paragraph 56BQ(a) Omit "56AD(1)(a) and (b)", substitute "56BP(a) and (aa)". 77 Section 56BR Omit "56AD(1)(a) and (b)", substitute "56BP(a) and (aa)". Part 5—Complying with the consumer data rules etc. Competition and Consumer Act 2010 78 After subparagraph 56BN(1)(c)(ii) Insert: ; or (iii) a person is a CDR consumer for a CDR action; or (iv) a person has satisfied any criteria under the consumer data rules for the making of a request, the giving of a valid instruction, or the processing of a valid instruction, for the performance of a CDR action. 79 Subsection 56BN(1) (note) Omit "or (ii)", substitute ", (ii), (iii) or (iv)". 80 After paragraph 56BO(1)(b) Insert: ; or (c) a person is a CDR consumer for a CDR action; or (d) a person has satisfied any criteria under the consumer data rules for: (i) the making of a request; or (ii) the giving of a valid instruction; or (iii) the processing of a valid instruction; for the performance of a CDR action. 81 Subsection 56BO(1) (note 1) Omit "or (b)", substitute ", (b), (c) or (d)". 82 Subparagraphs 56BU(2)(a)(i) and (ii) After "subsection 56BV(1)", insert "or (2)". 83 Section 56BV Repeal the section, substitute: 56BV Commission may intervene if fee for disclosing or using chargeable CDR data is unreasonable etc. Intervening for a class of CDR participants (1) The Commission may, by legislative instrument, determine: (a) the amount of a fee, or a method for working out the amount of a fee, that a specified class of CDR participants for specified chargeable CDR data may charge (or cause to be charged) for either or both of the following matters (the chargeable matters): (i) the disclosure of the chargeable CDR data in chargeable circumstances because of a requirement under the consumer data rules to do so; (ii) the use of the chargeable CDR data in chargeable circumstances as the result of such a disclosure; and (b) the specified persons who are liable to pay that fee; if the Commission is satisfied that the fee that the CDR participants would otherwise charge (or cause to be charged) is unreasonable having regard to the criteria in subsection (4). Intervening for a particular CDR participant (2) The Commission may, by written notice given to a CDR participant for specified chargeable CDR data, determine: (a) the amount of a fee, or a method for working out the amount of a fee, that the CDR participant may charge (or cause to be charged) for either or both of the following matters (the chargeable matters): (i) the disclosure of the chargeable CDR data in chargeable circumstances because of a requirement under the consumer data rules to do so; (ii) the use of the chargeable CDR data in chargeable circumstances as the result of such a disclosure; and (b) the specified persons who are liable to pay that fee; if the Commission is satisfied that the fee that the CDR participant would otherwise charge (or cause to be charged) is unreasonable having regard to the criteria in subsection (4). Note: The determination is reviewable (see Subdivision F). Matters and criteria when intervening (3) When determining an amount or method under subsection (1) or (2), the Commission must seek to ensure that the resulting fee: (a) reflects the reasonable costs (including capital costs) necessary for the CDR participants or CDR participant to comply with this Part and the consumer data rules in relation to the chargeable matters; and (b) is reasonable having regard to the criteria in subsection (4). (4) The criteria for the purposes of subsections (1), (2) and paragraph (3)(b) are: (a) the matters in subparagraphs 56AD(1)(a)(i), (ii), (iv) to (vi) and (c)(ii) and (iv); and (b) whether a lower fee could result in an acquisition of property (within the meaning of paragraph 51(xxxi) of the Constitution) otherwise than on just terms (within the meaning of that paragraph); and (c) whether a lower fee would reduce the incentive to generate, collect, hold or maintain CDR data of that kind; and (d) any other matters the Commission considers relevant. Other matters (5) The Commission may publish a determination under subsection (2) on the Commission's website. (6) A fee determined under subsection (1) or (2) must not be such as to amount to taxation. 84 Sections 56BW to 56BY Repeal the sections. 85 At the end of Division 2 of Part IVD Add: Subdivision E—Effective initiation and non‑discriminatory performance of CDR actions 56BZA Accredited persons must act efficiently, honestly and fairly when initiating CDR actions etc. A person contravenes this section if: (a) the person is an accredited person; and (b) the person's accreditation authorises the person to initiate a type of CDR action; and (c) the person engages in conduct that includes: (i) proposing to a potential CDR consumer for a CDR action of that type that the person give a valid instruction under the consumer data rules for the performance of the CDR action; or (ii) giving a valid instruction under the consumer data rules for the performance of a CDR action of that type; and (d) the person fails to act efficiently, honestly and fairly in relation to a matter described in subparagraph (c)(i) or (ii). Note: For enforcement, see Part VI (including section 76 for an order for payment of a pecuniary penalty). 56BZB Accredited persons must only initiate CDR actions in accordance with CDR consumers' valid requests etc. A person contravenes this section if: (a) the person is an accredited person; and (b) the person's accreditation authorises the person to initiate a type of CDR action; and (c) the person purports to give a valid instruction: (i) for the performance of a CDR action of that type; and (ii) to an action service provider for a CDR action of that type; and (iii) on behalf of a CDR consumer for the CDR action; and (d) when purporting to give that instruction: (i) there was no valid request by the consumer, made in accordance with the consumer data rules, for the giving of that instruction; or (ii) the person had failed to comply with a requirement in the consumer data rules for giving a valid instruction for a CDR action of that type. Note: For enforcement, see Part VI (including section 76 for an order for payment of a pecuniary penalty). 56BZC No discrimination against CDR action instructions—service provider fails to perform CDR actions when it ordinarily performs actions of that type A person contravenes this section if: (a) the person is an action service provider for a type of CDR action; and (b) the person is given a valid instruction under the consumer data rules to perform a CDR action of that type; and (c) the person fails to perform the CDR action in accordance with the valid instruction; and (d) having regard to criteria in the consumer data rules, the person would ordinarily perform actions of that type in the course of the person's business. Note: For enforcement, see Part VI (including section 76 for an order for payment of a pecuniary penalty). 56BZD No discrimination against CDR action instructions—service provider's fees relating to CDR actions No discrimination against CDR action instructions via fees (1) A person contravenes this subsection if: (a) the person is an action service provider for a type of CDR action; and (b) the person is given a valid instruction under the consumer data rules to perform a CDR action of that type; and (c) the person charges (or causes to be charged) one or more fees for either or both of the following matters: (i) processing the valid instruction; (ii) performing the CDR action in accordance with the valid instruction; and (d) either subsection (2) or (3) applies to those fees. Note: For enforcement, see Part VI (including section 76 for an order for payment of a pecuniary penalty). First case—charging inappropriate fees at the instruction layer (2) This subsection applies to fees, to the extent they are for processing the valid instruction, if: (a) the consumer data rules have not declared, as described in subsection 56BGA(2), that fees may be charged (or caused to be charged) for processing valid instructions for CDR actions of that type; or (b) the fees for processing the valid instruction exceed any fees: (i) determined under subsection 56BZE(1) or (2) for the person; or (ii) worked out from a method determined under subsection 56BZE(1) or (2) for the person; for processing the valid instruction. Note: This protects the integrity of the CDR action regime by discouraging the person from charging inappropriate fees at the instruction layer. Second case—charging higher than ordinary fees at the action layer (3) This subsection applies to fees, to the extent they are for performing the CDR action in accordance with the valid instruction, if those fees exceed the fees that the person would ordinarily charge for performing actions of that type in the course of the person's business. Note: This confirms that the person can continue to charge what the person ordinarily charges at the action layer, but no more than this. (4) To work out the fees that the person would ordinarily charge for performing actions of that type in the course of the person's business, have regard to any criteria specified in the consumer data rules. 56BZE Commission may intervene if fee for processing a valid instruction for a CDR action is unreasonable Intervening for a class of action service providers (1) The Commission may, by legislative instrument, determine: (a) the amount of a fee that a specified class of action service providers for a type of CDR action may charge (or cause to be charged) for processing a valid instruction for a CDR action of that type; or (b) a method for working out the amount of such a fee; if subsection (3) applies for the fee and CDR actions of that type. Intervening for a particular action service provider (2) The Commission may, by written notice given to an action service provider for a type of CDR action, determine: (a) the amount of a fee that the provider may charge (or cause to be charged) for processing a valid instruction for a CDR action of that type; or (b) a method for working out the amount of such a fee; if subsection (3) applies for the fee and CDR actions of that type. Note: The determination is reviewable (see Subdivision F). Conditions in order to intervene (3) This subsection applies for a fee and a type of CDR action if: (a) the consumer data rules have declared, as described in subsection 56BGA(2), that fees may be charged (or caused to be charged) for processing valid instructions for CDR actions of that type; and (b) the Commission is satisfied that the fee that would otherwise be charged (or caused to be charged) is unreasonable having regard to the criteria in subsection (5). Matters and criteria when intervening (4) When determining an amount or method under subsection (1) or (2), the Commission must seek to ensure that the resulting fee: (a) reflects the reasonable costs (including capital costs) necessary for the providers or provider to comply with this Part and the consumer data rules in relation to processing the valid instruction; and (b) is reasonable having regard to the criteria in subsection (5). (5) The criteria for the purposes of subsection (3) and paragraph (4)(b) are: (a) the matters in subparagraphs 56AD(1)(a)(i), (ii) and (iv) to (vi); and (b) the marginal cost of processing the valid instruction in accordance with the consumer data rules; and (c) whether a lower fee could result in an acquisition of property (within the meaning of paragraph 51(xxxi) of the Constitution) otherwise than on just terms (within the meaning of that paragraph); and (d) whether a lower fee would reduce the incentive to perform actions of that type; and (e) any other matters the Commission considers relevant. Other matters (6) The Commission may publish a determination under subsection (2) on the Commission's website. (7) A fee determined under subsection (1) or (2) must not be such as to amount to taxation. Subdivision F—Review by the Tribunal of determinations about certain fees 56BZF Review by the Tribunal of determinations about fees of particular participants or providers (1) If the Commission makes a determination under subsection 56BV(2) or 56BZE(2): (a) the CDR participant or action service provider specified in the determination; or (b) a person whose interests are affected by the determination; may apply in writing to the Tribunal for a review of the determination. (2) An application under this section for a review of a determination must be made within 21 days after the day the Commission made the determination. (3) If the Tribunal receives an application under this section for a review of a determination, the Tribunal must review the determination. 56BZG Functions and powers of Tribunal (1) On a review of a determination made under subsection 56BV(2) or 56BZE(2), the Tribunal: (a) may make a decision affirming, setting aside or varying the determination; and (b) for the purposes of the review, may perform all the functions and exercise all the powers of the Commission. (2) A decision by the Tribunal affirming, setting aside or varying such a determination is taken for the purposes of this Act (other than this Subdivision) to be a determination of the Commission. (3) For the purposes of a review by the Tribunal, the member of the Tribunal presiding at the review may require the Commission to give such information, make such reports and provide such other assistance to the Tribunal as the member specifies. (4) For the purposes of a review, the Tribunal may have regard to any information given, documents produced or evidence given to the Commission in connection with the making of the determination to which the review relates. Note: Division 2 of Part IX applies to proceedings before the Tribunal. 56BZH Provisions that do not apply in relation to a Tribunal review Division 1 of Part IX does not apply in relation to a review by the Tribunal of a determination made under subsection 56BV(2) or 56BZE(2). Subdivision G—Prohibitions on holding out 56BZI Prohibition on holding out that a person is something they are not—offence (1) A person commits an offence if the person holds out that: (a) the person is an accredited person; or (b) the person is an accredited person holding an accreditation that has been granted at a particular level (see paragraph 56BH(1)(d)); or (c) the person is an accredited person holding an accreditation that authorises the person to do something (see paragraph 56BH(1)(da)); or (d) the person is an accredited data recipient of CDR data; or (e) the person is an accredited action initiator for a type of CDR action; or (f) the person is an action service provider for a type of CDR action; or (g) the person is approved as an action service provider at a particular level (see paragraph 56BHA(1)(d)); or (h) the person's approval as an action service provider authorises the person to do something (see paragraph 56BHA(1)(e)); if that is not the case. Penalty—body corporate (2) An offence against subsection (1) committed by a body corporate is punishable on conviction by a fine of not more than the greater of the following: (a) $10,000,000; (b) if the court can determine the value of the benefit that the body corporate, and any body corporate related to the body corporate, have obtained directly or indirectly and that is reasonably attributable to the commission of the offence—3 times the value of that benefit; (c) if the court cannot determine the value of that benefit—10% of the adjusted turnover of the body corporate during the 12‑month period ending at the end of the month in which the commission of the offence happened or began. Penalty—other persons (3) An offence against subsection (1) committed by a person other than a body corporate is punishable on conviction by imprisonment for not more than 5 years, a fine of not more than $500,000, or both. 56BZJ Prohibition on holding out that a person is something they are not—civil penalty A person must not hold out that: (a) the person is an accredited person; or (b) the person is an accredited person holding an accreditation that has been granted at a particular level (see paragraph 56BH(1)(d)); or (c) the person is an accredited person holding an accreditation that authorises the person to do something (see paragraph 56BH(1)(da)); or (d) the person is an accredited data recipient of CDR data; or (e) the person is an accredited action initiator for a type of CDR action; or (f) the person is an action service provider for a type of CDR action; or (g) the person is approved as an action service provider at a particular level (see paragraph 56BHA(1)(d)); or (h) the person's approval as an action service provider authorises the person to do something (see paragraph 56BHA(1)(e)); if that is not the case. Note: For enforcement, see Part VI (including section 76 for an order for payment of a pecuniary penalty). 86 Sections 56CC and 56CD Repeal the sections. 87 Application of repeals The repeal of sections 56CC and 56CD of the Competition and Consumer Act 2010 by this Part applies in relation to acts or omissions on or after the commencement of this Part. Part 6—Changes to the Privacy safeguards Competition and Consumer Act 2010 88 Section 56EA Omit: The privacy safeguards apply mainly to accredited persons, but also to data holders and designated gateways, in relation to their handling or future handling of the CDR data. substitute: The privacy safeguards apply mainly to accredited persons, but also to data holders, designated gateways and action service providers, in relation to their handling or future handling of the CDR data. The circumstances in which these safeguards can apply to an accredited person include where the person is an accredited action initiator for a type of CDR action who is or may become an accredited data recipient of CDR data. 89 Paragraphs 56EC(4)(aa), (b) and (c) Repeal the paragraphs, substitute: (aa) if section 56ED or 56EE applies to an accredited person in relation to CDR data—the corresponding Australian Privacy Principle does not apply to the accredited person in relation to the CDR data; and (ab) if section 56EF or 56EG applies to a person: (i) who is an accredited person; or (ii) as a CDR action participant; in relation to CDR data—the corresponding Australian Privacy Principle does not apply to the person in relation to the CDR data; and (b) if section 56EN applies to a disclosure of CDR data by a person: (i) who is a data holder of the CDR data; or (ii) as an action service provider for a type of CDR action; then Australian Privacy Principle 10 does not apply to the person in relation to that disclosure of the CDR data; and (c) if subsection 56EP(1) applies to CDR data and a person: (i) who is a data holder of the CDR data; or (ii) as an action service provider for a type of CDR action; then Australian Privacy Principle 13 does not apply to the person in relation to the CDR data; and 90 After paragraph 56EC(4)(d) Insert: ; and (e) if a small business operator (within the meaning of the Privacy Act 1988) is an action service provider for a type of CDR action, the Privacy Act 1988 applies: (i) subject to paragraphs (ab) to (c) of this subsection; and (ii) in relation to personal information disclosed to the provider under the consumer data rules; as if the provider were an organisation (within the meaning of the Privacy Act 1988). 91 After paragraph 56EC(5)(b) Insert: ; or (c) a person as an action service provider, for a type of CDR action, in relation to CDR data. 92 Subsection 56EC(5) (note 1) Omit "or designated gateway", insert ", designated gateway or action service provider". 93 Subsection 56ED(1) Repeal the subsection, substitute: Object (1) The object of this section is to ensure that each person (a CDR entity) who: (a) is a data holder of CDR data; or (b) is an accredited person who is or who may become an accredited data recipient of CDR data; or (c) is a designated gateway for CDR data; or (d) as an action service provider for a type of CDR action, has been or may be disclosed CDR data under the consumer data rules; manages the CDR data in an open and transparent way. 94 Paragraph 56ED(3)(c) Omit "and (6)", substitute ", (6) and (6A)". 95 After subsection 56ED(6) Insert: (6A) If the CDR entity is a person who, as an action service provider for a type of CDR action, has been or may be disclosed CDR data under the consumer data rules, the CDR entity's policy must contain the following information: (a) how a CDR consumer for the CDR data may access the CDR data and seek the correction of the CDR data; (b) how a CDR consumer for the CDR data may complain about a failure of the CDR entity to comply with this Part or the consumer data rules, and how the CDR entity will deal with such a complaint. 96 Sections 56EF and 56EG Repeal the sections, substitute: 56EF Privacy safeguard 3—soliciting CDR data from participants under the consumer data rules (1) A person covered by column 1 of an item of the following table must not seek to collect CDR data under the consumer data rules from another person covered by column 2 of that item unless: (a) a CDR consumer for the CDR data has validly requested this under the consumer data rules for the purposes described in column 3 of that item; and (b) the person complies with all other requirements in the consumer data rules for the collection of the CDR data from that other person. Soliciting CDR data from participants under the consumer data rules Item Column 1 Column 2 Column 3 A person who: must not seek to collect CDR data from: unless a CDR consumer for the CDR data has requested this for the purposes of: 1 is an accredited person a CDR participant for the CDR data a use or disclosure under the consumer data rules 2 is acting as one of the kinds of CDR action participant the other kind of CDR action participant a valid instruction to be given: (a) by one of the CDR action participants (as an accredited action initiator for a type of CDR action) to the other; and (b) under the consumer data rules; and (c) for the performance of a CDR action of that type Note 1: For item 2, the kinds of CDR action participants are accredited action initiators and action service providers (see section 56AMD). Note 2: For column 3 of item 2, the CDR consumer for the CDR data would need to have requested the collection of the CDR data as a CDR consumer for the CDR action. Note 3: This subsection is a civil penalty provision (see section 56EU). (2) Subsection (1) applies whether the collection is directly or indirectly from the person covered by column 2 of the table. Note: The collection (whether direct or indirect) would need to be under the consumer data rules for subsection (1) to apply. Example: The valid request referred to in column 3 of item 1 of the table could be given under the consumer data rules through a designated gateway (see section 56BG). 56EG Privacy safeguard 4—dealing with unsolicited CDR data from participants in CDR (1) A person must destroy CDR data as soon as practicable after collecting it if: (a) the person (the collector) collected the CDR data while covered by column 1 of an item of the following table, and from a person covered by column 2 of that item; and (b) the collector collected the CDR data: (i) purportedly under the consumer data rules; but (ii) not as the result of seeking to collect the CDR data under the consumer data rules; and (c) the collector is not required to retain the CDR data by or under an Australian law or a court/tribunal order; and (d) in the case where item 3 of the table applies, the circumstances specified in the consumer data rules do not apply. Dealing with unsolicited CDR data from participants in CDR Item Column 1 Column 2 A collector who: collects the CDR data from: 1 is an accredited person a CDR participant for the CDR data 2 as an accredited action initiator for a type of CDR action an action service provider for that type of CDR action 3 as an action service provider for a type of CDR action an accredited action initiator for that type of CDR action Note: This subsection is a civil penalty provision (see section 56EU). (2) Subsection (1) applies whether the collection is directly or indirectly from the person mentioned in column 2 of the table. Example: For item 1 of the table, the collection could be from the CDR participant through a designated gateway (see section 56BG). 97 Section 56EH (before the note) Insert: Note 1: The accredited data recipient could have collected the CDR data in accordance with section 56EF as an accredited action initiator, and from an action service provider, for the purposes of giving a valid instruction of the kind described in item 2 of the table in that section. 98 Section 56EH (note) Omit "Note", substitute "Note 2". 99 Before subsection 56EM(1) Insert: Disclosures by data holders 100 Before subsection 56EM(2) Insert: Disclosures by accredited data recipients 101 Before subsection 56EM(3) Insert: Disclosures to designated gateways 102 At the end of section 56EM Add: Disclosures by action service providers (4) If a person as an action service provider for a type of CDR action is required or authorised under the consumer data rules to disclose CDR data to another person, the action service provider must: (a) take the steps specified in the consumer data rules to notify CDR consumers for the CDR data of the disclosure; and (b) ensure that this notification: (i) is given to those of the CDR consumers (if there are more than one) that the consumer data rules require to be notified; and (ii) covers the matters specified in those rules; and (iii) is given at or before the time specified in those rules. Note: This subsection is a civil penalty provision (see section 56EU). 103 Subsections 56EN(3) and (4) Repeal the subsections, substitute: Disclosures by action service providers (2A) If a person as an action service provider for a type of CDR action is required or authorised under the consumer data rules to disclose CDR data, the action service provider must take reasonable steps to ensure that the CDR data is, having regard to the purpose for which it is held, accurate, up to date and complete. Note: This subsection is a civil penalty provision (see section 56EU). Becoming aware after disclosure that the CDR data was incorrect—advising CDR consumer (3) If a person: (a) makes a disclosure referred to in subsection (1), (2) or (2A) for a CDR consumer for CDR data; and (b) later becomes aware that some or all of the CDR data was incorrect when it was disclosed because, having regard to the purpose for which it was held, it was inaccurate, out of date or incomplete; the person must advise the CDR consumer accordingly in accordance with the consumer data rules. Note: This subsection is a civil penalty provision (see section 56EU). Becoming aware after disclosure that the CDR data was incorrect—disclosing corrected CDR data (4) A person, who is required by subsection (3) to advise a CDR consumer for CDR data that some or all of the CDR data was incorrect when it was earlier disclosed, must: (a) correct the CDR data; and (b) disclose the corrected CDR data, in accordance with the consumer data rules, to the recipient of the earlier disclosure; if the person: (c) is requested to do so by the CDR consumer in accordance with the consumer data rules; or (d) is required to do so by the consumer data rules. Note: This subsection is a civil penalty provision (see section 56EU). 104 Subsection 56EN(5) (note) Omit "and (2)", substitute ", (2) and (2A)". 105 Subsection 56EP(1) Repeal the subsection, substitute: Obligation on data holders and action service providers (1) If: (a) a CDR consumer for CDR data gives a request to the following person (the CDR entity): (i) a data holder of the CDR data (including a request given through a designated gateway for the CDR data); (ii) a person as an action service provider for a type of CDR action; and (b) the request is for the CDR entity to correct the CDR data, and is not given in response to advice from the CDR entity under subsection 56EN(3); and (c) the CDR entity was earlier required or authorised under the consumer data rules to disclose the CDR data; the CDR entity must respond to the request to correct the CDR data by taking such steps as are specified in the consumer data rules to deal with each of the matters in subsection (3) of this section. Note 1: This subsection is a civil penalty provision (see section 56EU). Note 2: Subsection 56EN(4) applies instead of this subsection if the request is given in response to advice from the CDR entity under subsection 56EN(3). 106 Paragraph 56EP(2)(b) After "CDR data", insert ", and is not given in response to advice from the accredited data recipient under subsection 56EN(3)". 107 Subsection 56EP(2) After "subsection (3)", insert "of this section". 108 Subsection 56EP(2) (note) Omit "Note", substitute "Note 1". 109 At the end of subsection 56EP(2) Add: Note 2: Subsection 56EN(4) applies instead of this subsection if the request is given in response to advice from the accredited data recipient under subsection 56EN(3). 110 After subsection 56ER(1A) Insert: (1B) The Information Commissioner may assess whether an action service provider for a type of CDR action, who has been or may be disclosed CDR data under the consumer data rules, is maintaining and handling the CDR data in accordance with: (a) the privacy safeguards; or (b) the consumer data rules to the extent that those rules relate to: (i) the privacy safeguards; or (ii) the privacy or confidentiality of the CDR data. 111 Subsections 56ER(2) and (3) Omit "or (1A)", substitute ", (1A) or (1B)". 112 Subsection 56ES(2) (table, heading to column headed "For a reference in Part IIIC to …") Repeal the heading, substitute: Subject to subsection (4), for a reference in Part IIIC to … 113 At the end of section 56ES Add: (4) For the purposes of the table in subsection (2): (a) for item 1 of the table, disregard the following references to information in Part IIIC of the Privacy Act 1988: (i) the last reference in paragraph 26WG(h); (ii) the reference in the note to section 26WG; and (b) for item 2 of the table, disregard each reference to entity in paragraphs 26WF(1)(f), (2)(f), (3)(f), (4)(f) and (5)(f) of the Privacy Act 1988. 114 Paragraph 56ET(3)(a) Omit "or accredited person", substitute ", accredited person or action service provider for a type of CDR action". 115 After paragraph 56ET(4)(c) Insert: or (d) an action service provider for a type of CDR action, who has been or may be disclosed CDR data under the consumer data rules; 116 Subsection 56ET(4) (table, heading to column headed "For a reference in Part V to …") Repeal the heading, substitute: Subject to subsection (6), for a reference in Part V to … 117 Subsection 56ET(4) (at the