Consumer Data Right compliance and enforcement policy released – Are you ready for 1 July 2020?

Key takeaways

• The Consumer Data Right regime is designed to give consumers greater control over their data and allow their data to be transferred between businesses or to accredited data recipients;
• The Consumer Data Right regime will commence on 1 July 2020 in the banking industry, with further industries to follow;
• The ACCC and OAIC have released their compliance and enforcement policy for the Consumer Data Right regime; and
• The Consumer Data Right regime provides additional privacy safeguards in respect of Consumer Data Right data.

The Australian Competition and Consumer Commission (ACCC), together with the Office of the Australian Information Commissioner (OAIC), recently released their compliance and enforcement policy for the Consumer Data Right (Policy). 

Consumer Data Right

By way of brief recap, the Consumer Data Right (CDR) is designed to:

1. give consumers greater access to and control over their data that is held by businesses within certain industries;
2. enable consumers to safely transfer their data between businesses when they compare and switch between products; and 
3. request their data to be provided to a third party who is an accredited data recipient.

The CDR regime is being introduced on 1 July 2020 to the banking industry, with the energy and telecommunications industries to follow, before further expansion of the regime to other industries. 

Key rights comprised in the CDR regime

The CDR regime provides for three ways in which CDR data can be requested:

1. Consumer data requests made by CDR consumers: the CDR regime enables a consumer to directly request a data holder to disclose the CDR data that relates to them; 
2. Product data requests: this enables anyone to request that a data holder disclose their product data, which includes information like interest rates, fees and charges, and other information which relates to the products in question. The CDR regime provides that this is to be made available using an online service. This is intended to increase transparency and competition between providers by making available information that was sometimes hard to obtain previously; and
3. Consumer data requests made on behalf of CDR consumers: this enables certain accredited persons to request, on behalf of a consumer, that a data holder disclose the CDR data that relates to that consumer.

The data holder must comply with these requests, subject to very limited exceptions.

Compliance and enforcement approach

The ACCC and the OAIC will jointly monitor the compliance and conduct the enforcement of the CDR regime. The approach adopted by both entities is underpinned by the objective of ensuring the security and integrity of the CDR regime. 

The OAIC, in conjunction with the Data Standards Board, has published guidelines to assist those businesses subject to the CDR regime to understand the nature of their obligations. These publications include the data standards, CX standards and associated guidelines and the privacy safeguard guidelines. 

Both the ACCC and the OAIC are seeking to foster a culture of compliance, focused on preventing consumer harm and working with stakeholders to implement a compliance culture. If consumers do suffer harm, both entities intend to address such harm by seeking to enforce the law through the use of administrative action or formal enforcement action. 

Some of the compliance monitoring tools that will be used by the ACCC and the OAIC include:

• stakeholder complaints;
• mandatory, periodic reports from data holders and accredited data recipients;
• conducting audits and assessments of data holders and accredited data recipients; and
• issuing information requests and compulsory notices to data holders and accredited data recipients.

Whilst the approach adopted by the ACCC and OAIC is one of a compliance culture directed at preventing consumer harm, the Policy indicates that the ACCC will take regulatory action proportionate to the seriousness of any breach of the CDR regime and the level of harm or potential harm. 

The Policy provides that a risk-based approach to taking enforcement action will be utilised with a focus on circumstances that will, or have the potential to, cause significant harm to the CDR regime or widespread consumer detriment. Other factors that will be considered when determining appropriate enforcement action include:

• the size of the business engaging in the conduct;
• whether the conduct involved, or was directed or overseen by, senior management;
• whether the conduct indicates systemic issues that may pose ongoing compliance or enforcement problems; and
• the actions of the business in relation to the conduct, including whether the conduct was self-reported, the timing of the self-report and whether the business has taken any action to rectify the breach and avoid reoccurrence.

The enforcement options that are available to the ACCC and the OAIC include:

• accepting written commitments from businesses to address non-compliance issues;
• issuing infringement notices;
• accepting enforceable undertakings and taking Court action where such undertakings are not complied with by businesses;
• suspending or revoking a business’ accreditation under the CDR regime; and
• formal Court action. 

The Policy identifies that the ACCC and OAIC have prioritised addressing conduct which is likely to result in significant detriment to consumers or the integrity of the CDR regime. The types of conduct identified by the Policy as the priority focus of the ACCC and the OAIC include:

• intentional circumvention of the applicable rules or data standards by data holders in response to valid consumer requests (e.g. repeatedly refusing to disclose consumer data where a refusal to disclose is not permitted);
• misleading and deceptive conduct (e.g. conduct by a data recipient involving a false or misleading representation regarding the nature or benefits of the CDR service provided or conduct that misleads or deceives a person into believing that another person is a CDR consumer or that a valid request or consent has been made);
• accredited data recipients collecting CDR data without valid consent;
• intentional misuse or improper disclosure of CDR consumer data by an accredited data recipient, which is inconsistent with the consent provided by a CDR consumer and particularly where such consent has been withdrawn; and
• CDR participants who have insufficient controls and processes to protect CDR data from misuse, interference and loss, and unauthorised access, modification or disclosure.  

While businesses which are subject to the CDR regime will need to ensure that they comply with legislative requirements as a whole, undertaking any conduct which falls within the priority areas is likely to lead to enforcement action being taken by one of the regulators. 

The ACCC has also recently launched the CDR Register and Accreditation Application Platform (RAAP) and the CDR Participant Portal, which enable businesses to apply to become accredited data recipients. At this time the RAAP is open to fintech and banking businesses to apply for accreditation under the CDR regime. The RAAP will also create an environment where encrypted data is shared only between approved participants to the RAAP.

Rules relating to privacy safeguards

The CDR regime also provides additional privacy safeguards for CDR data that relates to a consumer (pure product data, for instance, is not subject to the privacy safeguards). These are in addition to obligations under related legislation such as the Privacy Act 1988 (Cth).

These privacy safeguards include:

• obligations in respect of open and transparent management of CDR data, including having a published policy about the management of CDR data;
• obligations for accredited persons who collect CDR data to give notice of the collection via the person’s consumer dashboard;
• rules on how CDR data can be used and disclosed;
• rules setting out the minimum steps for the security of CDR data; and
• rules for the de-identification of redundant data.

Given that the legislation relating to the Consumer Data Right regime is only recent, if you have any questions in respect of the regime, including accreditation, compliance or the priority focus of the regulators, please do not hesitate to contact our Privacy and Data Protection or Dispute Resolution teams.