Consumer Rights

Overview

The centrepiece of consumer law in Australia is the Competition and Consumer Act 2010 (Cth), which provides for competition and fair trading among businesses and establishes a statutory regime of consumer protection. The Australian Consumer Law (a schedule to the Act) contains a series of general and specific consumer protections, a product safety regime, and regulatory enforcement mechanisms.

Background

  • On 26 November 2017, the Australian Government announced the introduction of a consumer data right (CDR) in Australia, to give consumers greater access to and control over their data. The purpose of the CDR regime is to improve consumers' ability to compare and switch between products and services, thereby encouraging competition and innovation. The CDR first applied to the banking sector (from 1 July 2020), followed by the energy and telecommunications sectors.
  • The CDR is regulated by Treasury, the Australian Competition and Consumer Commission (ACCC), the Office of the Australian Information Commissioner and the Data Standards Body.

Australian Consumer Law

The Australian Consumer Law (ACL) is contained in Schedule 2 of the Competition and Consumer Act 2010 (Cth).
  • Chapter 2 of the ACL contains general consumer protection provisions, prohibiting:

    • Misleading or deceptive conduct
    • Unconscionable conduct
    • Unfair terms in standard form consumer contracts
  • Part 3-1 of the ACL provides specific protections against unfair practices, including:

    • Particular instances of misleading or deceptive conduct
    • Pyramid selling
    • Unsolicited supplies of goods and services
    • Component pricing
    • The provision of bills and receipts
  • Part 3-2 of the ACL regulates consumer transactions by creating:

    • A system of statutory consumer guarantees for goods valued below $40,000
    • A national legal framework for unsolicited selling
  • Parts 3-3 and 3-5 of the ACL establish a national law for:

    • Consumer product safety
    • Product recalls
  • Chapter 4 introduces a criminal offences regime for particular contraventions of Chapter 3 of the ACL.

  • Chapter 5 provides for:

    • Enforcement powers
    • Civil penalties
    • Consumer redress provisions.

Consumer and Data Breach Litigation

(See also Litigation)
  • The two consumer class actions arising out of the 2021–2022 Optus and Medibank cyber incidents allege misleading or deceptive conduct, primarily for breaching representations made in their privacy policies regarding the protection of customer data. Specifically, the claims focus on the defendants' failure to comply with regulatory obligations and policies, and their failure to secure customer information as promised.
  • Similar claims have been brought by the ACCC in past cases. For example, in ACCC v Google LLC (No 2) [2021] FCA 367, the Federal Court (Thawley J) found that the ACCC had partially proven its allegations that Google made misleading representations about the collection and use of personal location data through Android devices—specifically through the "Web & App Activity" and "Location History" settings. The Court ordered Google to pay $60 million in penalties.
  • The plaintiffs in the current class actions claim damages for distress, embarrassment, and anxiety resulting from the publication of their personal information, as well as the costs and time spent addressing the consequences of the data breach.

Consumer Data Right

  • Part IVD of the Competition and Consumer Act 2010 (Cth) establishes a consumer data right (CDR) regime that enables consumers in certain sectors of the Australian economy to request their data be disclosed safely, efficiently, and conveniently to them or accredited persons, subject to privacy safeguards.
  • The Competition and Consumer (Consumer Data Right) Rules 2020 (Cth) outline the specific procedures by which an eligible consumer can access and share their CDR data. Under the Rules, at the consumer's discretion, a data holder must share the consumer's data with either an accredited data recipient to whom the consumer has provided consent, or directly with the consumer.
  • The pool of accredited data recipients will evolve over time, with expectations that it will include financial technology firms (or "fintechs") and other authorised deposit-taking institutions. Fintechs, in particular, use the internet, mobile devices, software technology, and cloud services to deliver or connect with financial services.
  • Data shared under the CDR includes customer data (such as personal details), account data, transaction data, and product-specific data.
  • The CDR is accompanied by significant privacy protections designed to safeguard consumers' data. These include mandatory accreditation for data recipients, specific transfer protocols, requirements for data deletion and de-identification, an extended application of the Privacy Act 1988 (Cth), enhanced oversight by the Office of the Australian Information Commissioner (OAIC), and avenues for redress in the event of data breaches.

Regulatory & Policy Framework

Relevant Organisations and Resources

Inquiries & Consultations

Industry Materials
