The Consumer Data Right scheme came into effect for the banking sector earlier this year. It will evolve as it expands into the energy and telecommunications sectors until it applies economy-wide.
While the focus has been on the data sharing obligations, the CDR scheme extends beyond this. Record-keeping, the Privacy Safeguards and mandatory reporting obligations may already apply to organisations that hold data which has been designated as CDR data. Keeping abreast of developments is essential to remaining compliant.
The key provisions of the CDR were introduced in August 2019 as Part IVD to the Competition and Consumer Act. The CDR is designed to increase consumer data portability, sector by sector, improving consumers’ ability to compare and switch between products and services, thus increasing competition and innovation within affected sectors.
Part IVD sets out the scope of data sharing obligations, the process by which data may be shared, data security requirements and some privacy safeguards. Data covered by the CDR scheme is designated by legislative instruments and relates to products offered by service providers (Product Data) and personal data about the consumers (Consumer Data). Further nuances to the application of the CDR (including when obligations to share Product Data and Consumer Data become mandatory) are set out in the CDR Rules and data standards.
The persons affected by the CDR scheme are:
The success of the CDR will depend on whether consumers trust the security and integrity of the sharing of their Consumer Data. For that reason, there is a strong focus on the data security and privacy of consumers, including:
Recently, the CDR Rules were amended to allow outsourced service providers to join the scheme as accredited intermediaries that collect CDR data on behalf of other accredited data recipients. Among other things, the amendments revised the application of certain Privacy Safeguards so that some responsibilities (such as the obligation to notify the consumer) sit with the principal accredited data recipient rather than with the accredited outsourced service provider.
The ACCC has also published additional resources to support prospective data recipients’ accreditation, including:
The intent of these changes is to expand the market for developers of compliant, secure infrastructure who can reduce the barriers to entry to the CDR Scheme for smaller participants who cannot afford to build a platform themselves.
Importantly, data holders in the Banking and affected Energy sectors are already bound by:
even though data sharing obligations may not yet have become mandatory for many of the data holders in those sectors.
A joint compliance and enforcement policy published by the ACCC and OAIC emphasised the importance of fostering a culture of compliance and the responsibility of each CDR participant to be fully aware of their obligations. Enforcement priorities include data holder obstruction to the CDR scheme and insufficient security controls over CDR data.
In addition to investigating complaints from consumers, the agencies may also undertake audits and issue information requests that compel disclosure of information relevant to compliance. Enforcement actions include enforceable undertakings, determinations and declarations, and suspension or revocation of accreditation (and thereby exclusion from the CDR scheme).
Notably, a breach of the Privacy Safeguards may attract a pecuniary penalty, and the maximum penalties are higher than those under the Privacy Act. For corporations, the penalty may be up to the greater of $10 million, three times the value of the benefit obtained by the corporate group or, where that benefit cannot be determined, 10% of the entity's annual turnover.
As the scope of the CDR scheme expands, the number of entities that will hold CDR data will expand. Ultimately, the CDR scheme is intended to operate economy-wide.
Organisations within affected sectors should consider:
Organisations may also want to check if existing vendors are developing CDR-compliant solutions, or may want to partner with a vendor to develop a solution that can be used and taken to market.