The Consumer Data Right (CDR) is being gradually implemented across various sectors of the economy, with banking already established and energy in progress, and other industries to follow suit. Its primary goal is to empower consumers by enabling them to easily and securely share their personal data held by businesses (data holders) and authorise the transfer of this data to trusted third parties (accredited data recipients). Additionally, the CDR mandates that businesses make information about certain products they offer accessible to the public.
The Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC) are responsible for ensuring compliance with the CDR and for taking enforcement action against non-compliance. This article explores the ACCC/OAIC Compliance and Enforcement Policy for the Consumer Data Right.
Ensuring CDR compliance
In their pursuit of high compliance standards within the Consumer Data Right (CDR) framework, the ACCC and OAIC employ a variety of strategies and compliance monitoring tools. Their overarching focus is on preventing consumer harm and maintaining the efficient and lawful operation of the CDR.
Fostering compliance
- Engagement: The ACCC and OAIC engage with CDR participants to aid them in comprehending their responsibilities under the CDR regulatory framework. This includes the publication of guidance material.
- Cultivating a culture of compliance: Efforts are made to encourage a culture of compliance among CDR participants.
- Enforcement: In cases of possible breaches, they enforce the law through various means, such as administrative resolutions, litigation, or other formal enforcement actions.
- Collaborative approach: Where suitable, the ACCC and OAIC work together and coordinate their approaches when implementing these strategies.
Compliance monitoring tools
The ACCC and OAIC use a wide range of information sources and monitoring tools to assess levels of compliance and identify potential breaches of the CDR regulatory framework.
- Complaints and stakeholder intelligence: They collect data from consumer complaints and stakeholders, including CDR users, businesses, consumer groups, and government agencies. Reports from approved external dispute resolution bodies are considered for specific issues.
- Participant reporting and rectification schedule: Mandatory periodic reports from data holders and accredited data recipients provide valuable data, including CDR complaint summaries, to identify problems and trends. Self-reported compliance gaps are closely watched, and a public rectification schedule is published for transparency.
- Audits and assessments: Routine checks are carried out on data holders and accredited data recipients to ensure adherence to the CDR regulatory framework, including Rules and Data Standards. Insights from these evaluations guide participants toward best practices, inform public guidance, and pinpoint issues requiring further regulatory action.
- Information requests and compulsory notices: Information requests are issued to support compliance efforts. Statutory powers can be used to compel the provision of information, documents, or evidence when conduct appears to breach the CDR regulatory framework.
Enforcement
Taking enforcement action
In cases where the ACCC and OAIC identify breaches of the CDR, their approach to enforcement is tailored to the severity of the breach and the potential harm it poses to CDR consumers. Given that they cannot address every issue, they concentrate their efforts on situations that either have caused or could cause significant harm to the CDR system or result in widespread detriment to consumers.
Both the ACCC and OAIC independently exercise their discretion to allocate resources to matters that offer the most substantial benefits to consumers. Whenever feasible, they collaborate and coordinate efforts to minimise the burden on CDR participants.
Their enforcement priorities include:
- Addressing conduct that jeopardises consumer trust in the security and integrity of the CDR.
- Responding to conduct leading to extensive or significant harm to CDR consumers.
- Addressing issues affecting vulnerable consumers.
- Tackling matters of significant public interest.
- Focusing on conduct by major CDR participants, recognising the potential for more extensive consumer harm when entities handle larger volumes of CDR data or serve a larger number of CDR consumers.
When deciding whether to pursue a specific case, they prioritise matters that align with these priorities and weigh the factors listed above.
Enforcement options
To address and resolve breaches of the CDR regulatory framework, a variety of enforcement options are at the disposal of the ACCC and OAIC. These options include:
Administrative resolutions (ACCC and OAIC)
- Accepting voluntary commitments from businesses to rectify non-compliance.
- Recommending enhancements to a CDR participant’s internal practices and procedures, such as implementing compliance programs or enhancing staff training.
- Monitoring compliance with voluntary commitments.
Infringement Notices (ACCC only)
- Issuing infringement notices when a contravention requires a more formal response than an administrative resolution but may be resolved without legal proceedings.
Court enforceable undertakings (ACCC and OAIC)
- Accepting formal written commitments from CDR participants, known as court enforceable undertakings, to take or refrain from specific actions.
- Seeking court orders when CDR participants fail to comply with enforceable undertakings.
Suspension or revocation of accreditation (ACCC only)
- The ACCC, as the Data Recipient Accreditor, may suspend or revoke accreditation under certain circumstances to protect consumers.
- Accredited data recipients cannot collect data while under suspension.
Determination and declarations power (OAIC only)
- Making determinations regarding breaches of Privacy Safeguards or Rules related to CDR data privacy or confidentiality.
- Determinations may include declarations or orders requiring CDR participants to cease specific conduct, take remedial action, or compensate affected consumers.
- The OAIC may initiate legal proceedings to enforce determinations.
Direction to notify eligible data breach (OAIC only)
- Directing accredited data recipients and designated gateways to inform at-risk consumers and the Information Commissioner about eligible data breaches.
Court proceedings (ACCC or OAIC)
- Initiating legal actions when litigation is deemed the most suitable approach to achieve compliance goals.
- Litigation may be prioritised for cases resulting in harm to competition, privacy rights, or substantial CDR consumer detriment.
- The court can issue various orders, including declarations, pecuniary penalties, injunctions, and disqualification of individuals from directorship.
Enforcement priorities
Some forms of conduct are likely to cause significant detriment to consumers and to the integrity of the CDR, and these will always be treated as enforcement priorities. The ACCC and OAIC are more likely to take action where the conduct involves:
- Data holders hindering processes.
- Failure to meet compliance dates.
- Insufficient data quality.
- Insufficient oversight of third parties by accredited data recipients.
- Insufficient security measures.
- Misleading or deceptive conduct.
- Misuse of CDR data.
Key takeaways
The ACCC and OAIC are essential guardians of the evolving Consumer Data Right (CDR) in Australia. Their comprehensive approach to compliance and enforcement ensures the protection of consumer interests and data integrity. As the CDR expands into new sectors, their role remains vital in upholding trust and transparency in the consumer data landscape.