Announced in November 2017, the Consumer Data Right (CDR) is designed to enable consumers in certain sectors of the Australian economy to require their information to be disclosed in a safe, efficient and convenient manner.[1] From 1 July 2020, major banks will be required to make available to accredited persons consumer data relating to credit and debit cards, deposit accounts and transaction accounts.[2] This marks the date when the first types of consumer data are required to be shared under the CDR regime.
As part of the CDR’s rollout, on 8 May 2020 the Office of the Australian Information Commissioner (OAIC) and the Australian Competition and Consumer Commission (ACCC) jointly published a Compliance and Enforcement Policy for the CDR (the Policy).[3] This Policy relates to the monitoring and enforcement of the CDR regime, which will be carried out jointly by both the OAIC and the ACCC, and outlines the approach that the OAIC and the ACCC will adopt to ensure compliance with the CDR regulatory framework.
What is the Consumer Data Right?
On a general level, the CDR is intended to allow consumers to have more control over their data. Subject to applicable privacy safeguards, the CDR facilitates the disclosure of information relating to individuals to the individuals themselves or to accredited persons.[4] In other words, the CDR allows consumers to direct their “supplier” (ie. their bank) to provide the consumers’ information to other suppliers, such as price comparison services. Increasing the portability of data in this way will, presumably, lead to increased competition and will drive innovation. The CDR was introduced into the banking sector in July 2019 with a phased roll-out to occur throughout 2020 (called ‘Open Banking’), followed later by the energy and telecommunications sectors.
The CDR applies to “CDR data”. For the Open Banking roll-out, this includes information such as customer data which identifies consumers and those authorised to act on the consumer’s account (eg. name, ABN, ACN, contact details), account data (eg. account numbers, account names, opening and closing balances, direct debit deductions), transaction data (including dates, amounts and descriptions of the transactions) and generic product data.[5]
Entities wishing to collect or receive CDR data must be accredited by the ACCC. Since 26 May 2020, businesses have been able to apply through the ACCC’s Consumer Data Right Register and Accreditation Application Platform (RAAP) to be eligible to collect CDR data.[6]
The Government has acknowledged that allowing the open disclosure of data in such a way requires stringent safeguards to protect the privacy of consumer information. As such, the OAIC and the ACCC have released privacy safeguards which set out how privacy will be protected and how confidential data will be dealt with under the CDR framework. Importantly, the privacy safeguards in relation to the CDR apply to both individual and business consumers, unlike the Australian Privacy Principles under the Privacy Act 1988 (Cth) which govern the use of personal information only.[7] Most notably, these privacy safeguards require data holders to:[8]
- manage CDR data in an open and transparent way;
- give CDR consumers the option of using a pseudonym or other non-identifying information in relation to their CDR data;
- not collect CDR data unless a consumer has requested it;
- disclose data only when required by law and destroy CDR data which is obtained contrary to the consumer data rules;
- notify consumers whose CDR data is collected;
- not disclose CDR data to overseas recipients unless the recipient is an accredited person under Australian legislation or is subject to an overseas law that provides substantially similar protection for CDR data as the Australian privacy safeguards;
- ensure that CDR data which is required to be disclosed is accurate, up to date and complete;
- ensure that CDR data is protected from misuse, interference, loss and unauthorised access, modification or disclosure; and
- correct CDR data when requested to do so.
The privacy safeguards cover similar subject matter to the Australian Privacy Principles but apply specifically to CDR data and offer arguably broader protection given the safeguards’ applicability to a wider array of consumers (ie. both individuals and businesses).
Given the stringent regulation of data privacy, the involvement of third parties in the data collection process has unsurprisingly been a key concern of the ACCC and stakeholders. In December 2019, the ACCC consulted on the most efficient way to facilitate the collection of CDR data by third parties. On 22 June 2020, the draft Competition and Consumer (Consumer Data Right) Rules 2020 (Draft Rules) allowing for the collection of data by third party intermediaries were released. Broadly, these Draft Rules allow CDR data to be collected by third parties provided that the third party intermediary:
- is accredited to collect CDR data; and
- is collecting CDR data on behalf of another accredited person.
If implemented, the Draft Rules would allow two accredited data recipients – the “principal” and the “provider” – to enter into a “combined accredited person” arrangement. This would enable providers to collect and/or use and disclose CDR data to the principal, who would provide the requested goods or services to the consumer. Importantly, providers under such arrangements would only be permitted to use CDR data if a principal would also be authorised to use the data, provided the privacy safeguard requirements above are met. The consultation process for these Draft Rules is set to close on 20 July 2020.[9]
Compliance and Enforcement Policy
The success of the CDR requires the regime to function as intended. As such, the OAIC and the ACCC have been granted compliance and enforcement powers to ensure that data holders and CDR participants comply with the relevant rules and legislation.
From a compliance perspective, the OAIC and the ACCC are focused on preventing consumer harm and ensuring the efficient operation of the CDR framework. To do this, the OAIC and the ACCC will:[10]
- receive information from CDR consumers, businesses and other stakeholders regarding the operation of the CDR framework;
- for the banking sector, receive reports from the Australian Financial Complaints Authority to address any concerns within the relevant sector (which will later be expanded to energy and telecommunications dispute resolution bodies);
- receive mandatory periodic reports from both data holders and recipients concerning CDR information, including any CDR complaint data relating to a reporting period;[11]
- undertake audits and assessments of data holders to ensure compliance with the consumer data rules, legislation and privacy standards; and
- issue data requests to data recipients and, if required, utilise statutory powers to compel the production of information or documents where there has been a possible breach of the CDR regime.
Where breaches of the CDR regime have occurred, the OAIC and the ACCC are able to take enforcement action, the gravity of which depends on the seriousness of the breach. In determining the appropriate enforcement action to be taken, the OAIC and the ACCC will consider factors such as the nature and extent of the breach, the size of the business engaging in the contravention, the impact of the breach on CDR participants and whether the breach was due to intentional or reckless conduct. If action has already been taken to address the breach by other bodies, such as the Australian Financial Complaints Authority, this will also be considered.[12] Given that the action which may be taken by the OAIC and the ACCC is largely discretionary, it would be prudent for businesses and data holders to cooperate with regulators and to ensure that their privacy policies and breach notification procedures are adequate and up to date.
Under the Policy, the OAIC and the ACCC are granted a range of enforcement options. These include:[13]
- administrative resolutions, such as accepting voluntary commitments from businesses to address non-compliance issues;
- issuing infringement notices to data holders or recipients where a contravention of the CDR framework has occurred;
- accepting written court-enforceable undertakings from CDR participants who commit to refrain from certain action, or to take action to remedy a breach or prevent future breaches. If these undertakings are not upheld, the OAIC or the ACCC may seek a court order declaring the substance of the undertaking, or seek an injunction or monetary penalty against the CDR participant;
- suspending or revoking a recipient’s accreditation to receive CDR data;
- making a declaration concerning the breach; and
- initiating court proceedings for a breach of the legislation or consumer data rules which could result in potential injunctions, monetary awards or orders disqualifying certain persons from being directors of corporations.
Court proceedings are more likely to be initiated where the conduct is widespread, repeated or is likely to cause substantial consumer detriment.
The OAIC and the ACCC have identified certain conduct which is likely to result in enforcement action being taken, such as refusing to disclose CDR data, collecting CDR data without consent, engaging in misleading or deceptive conduct, misusing or improperly disclosing CDR data and failing to implement appropriate security controls.[14]
Given the novel nature of the CDR framework in Australia, the OAIC and the ACCC intend to continue consulting with industry and consumer groups and government bodies as the phased roll-out of the CDR continues. We will keep you informed of developments in this space, including the implementation of the CDR in the energy and telecommunication sectors.