An update on the Consumer Data Right

Written by Ravi de Fonseka (Partner) and Ken Chan (Special Counsel)

The Consumer Data Right scheme came into effect for the banking sector earlier this year.  It will evolve as it expands into the energy and telecommunications sectors until it applies economy-wide.  

While the focus has been on the data sharing obligations, the CDR scheme extends beyond this. Record-keeping, the Privacy Safeguards and mandatory reporting obligations may already apply to organisations that hold data which has been designated as CDR data.  Keeping abreast of developments is essential to remaining compliant.

What is the Consumer Data Right?

The key provisions of the CDR were introduced in August 2019 as Part IVD to the Competition and Consumer Act. The CDR is designed to increase consumer data portability, sector by sector, improving consumers’ ability to compare and switch between products and services, thus increasing competition and innovation within affected sectors. 

Part IVD sets out the scope of data sharing obligations, the process by which data may be shared, data security requirements and some privacy safeguards. Data covered by the CDR scheme is designated by legislative instruments and relates to products offered by service providers (Product Data) and personal data about the consumers (Consumer Data). Further nuances to the application of the CDR (including when obligations to share Product Data and Consumer Data become mandatory) are set out in the CDR Rules and data standards.

The persons affected by the CDR scheme are:

  • the entities holding Product Data and Consumer Data (i.e. “data holders”), who may be specifically identified (such as the four largest banks and energy retailers) or have received designated Product Data or Consumer Data under the CDR Rules;
  • the consumers about whom the Consumer Data relates (“CDR Consumers”);
  • persons who meet the security and other requirements and become accredited to collect or receive Consumer Data on behalf of a CDR Consumer (“accredited data recipients”) or on behalf of another accredited data recipient (such as an outsourced service provider); and
  • the entity that acts as a conduit for CDR data between other data holders (“designated gateway”), which is only currently being considered for the Energy sector. 

What industries are affected by the CDR?

[Diagram: industries affected by the CDR]

Data security and the Privacy Safeguards

The success of the CDR will depend on whether consumers trust the security and integrity of the sharing of their Consumer Data. For that reason, there is a strong focus on the data security and privacy of consumers, including:

  1. Privacy Safeguards: CDR data is subject to a set of 12 Privacy Safeguards that are at least equivalent to, or stronger than, the 12 Australian Privacy Principles (APPs). The Safeguards include obligations for entities to:
    • make available a compliant CDR Policy (distinct from its privacy policy);
    • provide compliant notifications when CDR data is used or disclosed within the scheme; and
    • take reasonable steps to ensure CDR data is accurate, up to date and complete.
  2. Data security accreditation: If an entity wants to participate in the CDR, it must be able to prove to the ACCC that:
    • it holds adequate insurance to cover the risks of managing CDR data;
    • the infrastructure holding CDR data is sufficiently secure, including having data security features that are equivalent or better than those listed in the CDR Rules; and
    • it has an internal dispute resolution process and is a member of the Australian Financial Complaints Authority.

Changes to accreditation

Recently, the Consumer Data Right was amended to facilitate outsourced service providers joining as accredited intermediaries to collect information on behalf of other accredited data recipients. Among other things, the amendments revised the application of certain Privacy Safeguards to re-allocate some responsibilities (such as for notification) from the accredited outsourced service provider back to the principal.

The ACCC has also published additional resources to support prospective data recipients’ accreditation, including:

  1. supplementary guidelines clarifying that organisations certified to international standards such as ISO 27001 and SSAE SOC 2 can leverage those reports to streamline accreditation;
  2. an on-boarding guide provides information about the process for registration on the CDR Register such as the steps, documentation and pre-requisites; and
  3. support packages and checklists for entities seeking accreditation.

The intent of these changes is to expand the market for developers of compliant, secure infrastructure who can reduce the barriers to entry to the CDR Scheme for smaller participants who cannot afford to build a platform themselves.

Holders of CDR data already bound

Importantly, data holders in the Banking and affected Energy sectors are already bound by:

  1. the Privacy Safeguards, which include obligations such as making available a compliant CDR Policy that is separate from the organisation’s privacy policy; and
  2. mandatory reporting obligations under the Competition and Consumer Act 2010,

even though data sharing obligations may not yet have become mandatory for many of the data holders in that sector.

Enforcement

A joint compliance and enforcement policy published by the ACCC and OAIC emphasised the importance of fostering a culture of compliance and the responsibility of each CDR participant to be fully aware of its obligations. Enforcement priorities include obstruction of the CDR scheme by data holders and insufficient security controls over CDR data.

In addition to investigating complaints from consumers, the agencies may also undertake audits and issue information requests to compel disclosure of information relevant to compliance. Enforcement actions include enforceable undertakings, determinations, declarations and suspension of accreditation (and thereby exclusion from the CDR scheme).

Notably, a breach of the Privacy Safeguards may result in a pecuniary penalty, and the maximum penalties here are higher than those under the Privacy Act. For corporations, the penalty may be up to the greater of $10 million, 10% of the entity’s annual turnover or three times the benefit received by the corporate group.

What can you do now?

As the scope of the CDR scheme expands, the number of entities holding CDR data will grow. Ultimately, the CDR scheme is intended to operate economy-wide.

Organisations within affected sectors should consider:

[Diagram: steps for organisations within affected sectors to consider]

Organisations may also want to check if existing vendors are developing CDR-compliant solutions, or may want to partner with a vendor to develop a solution that can be used and taken to market.

Important Disclaimer: The material contained in this article is comment of a general nature only and is not and nor is it intended to be advice on any specific professional matter. In that the effectiveness or accuracy of any professional advice depends upon the particular circumstances of each case, neither the firm nor any individual author accepts any responsibility whatsoever for any acts or omissions resulting from reliance upon the content of any articles. Before acting on the basis of any material contained in this publication, we recommend that you consult your professional adviser. Liability limited by a scheme approved under Professional Standards Legislation (Australia-wide except in Tasmania).