The Consumer Data Right is accelerating – what do you need to know?

The Australian Government will spend AU$111.3 million of the Digital Economy Budget 2021-2022 on the CDR over the next 2 years. The budget will be used to continue the implementation of the CDR in the banking sector and to accelerate the rollout of the CDR to other parts of the economy including the energy sector and the telecommunications sector, which have been named as the next priority CDR sectors. Entities in the energy and the telecommunications sectors should now be planning for the implementation of the CDR in their sector in the relatively near term, as part of their technology and compliance planning.

For the banking sector, the CDR has been operational since July 2020. For all major Authorised Deposit-taking Institutions (ADIs), the roll out of the CDR is in its final phase, Phase 3, meaning that the CDR is available to customers of major ADIs. The CDR will continue to be rolled out for all non-major ADIs throughout 2021.

In the energy sector, the budget will be used to develop the designation instrument and relevant standards for the CDR regime, with the aim to have the CDR regime operational in 2022. For the telecommunications sector, the budget will allow the government to undertake a strategic assessment of the sector to deliver a roadmap for the roll out of the CDR.

Ultimately, the Australian federal government intends that the CDR regime will be available economy wide.

CDR Refresher

Designed to give consumers greater access and control of their own data, the CDR allows consumers to more readily compare and switch between products and services, which encourages competition between services providers. The CDR regime is an opt-in service for consumers, under which consumers can direct their data to be shared from their existing service provider through a secure online system with a new provider of their choice. To receive CDR data, data recipients will need to become accredited. Once accredited, data recipients must comply with a set of privacy safeguards, rules and IT system requirements that ensure that consumers’ privacy is protected, and that CDR data is transferred and managed securely. What constitutes ‘CDR data’ will be different for each particular sector and will be set out in the designation instrument for each sector.

The Australian federal government has stated that it hopes that the investment into the CDR will grow Australia’s technology and innovation sectors and will drive the digitalisation of Australian businesses. The government believes consumers will benefit from new and more competitive data-driven products and services.

Importantly, if a consumer that has opt-ed into the CDR believes that their data has been mishandled, or privacy has been breached, they can make a formal complaint about it to their provider or to the CDR regulators.

How is the CDR regulated and enforced?

The CDR regime is regulated by a legislative framework that consists of four layers, as follows:

1. the Competition and Consumer Act 2010 (Cth) Part IVD, the Privacy Act 1988 (Cth) and the Australian Information Commissioner Act 2010 (Cth), which gives the Australian Competition & Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC) enforcement and oversight powers for the CDR regime;
2. the designation instruments, which are unique to each relevant sector that the CDR is rolled out, for example the Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2019, which designates the banking sector as subject to the CDR;
3. the CDR Rules; and
4. the Consumer Data Right Standards, which include technical and Consumer Experience Standards (that contain technical requirements for what data holders need to do in their consumer facing interactions.

The ACCC is the lead CDR regulator that works together with the OAIC and Data Standards Body (DSB) in the development, implementation and enforcement of the CDR. The ACCC and OAIC’s approach is that the prevention of a breach of the CDR is preferable to taking action after a breach has occurred.

In any event, the ACCC and OAIC have a number of enforcement options to ensure that CDR participants comply with the CDR regime, including:[1]

1. Administrative resolutions – a CDR participant that breaches the CDR regime must provide a voluntary written commitment to address the non-compliance issue, which includes how that provider will improve its internal practices and procedures. The ACCC will monitoring compliance with the voluntary commitments.
2. Infringement notices – ACCC issues a data holder or accredited data recipient an infringement notice.
3. Court enforceable undertaking – a CDR participant that breaches the CDR regime must provide a formal written commitment that it will refrain from certain actions in the future. Commitments may include conducting internal audits and changing internal policies. Court orders can then be sought if the CDR participant does not comply with the undertaking.
4. Suspension or revocation of accreditation – the ACCC can suspend or revoke the CDR participant’s accreditation under certain circumstances and the CDR participant is prohibited from seeking to collect data from any consumers while the suspension is in effect.
5. Determination and declarations – OAIC can made a determination to dismiss or substantiate a breach of the CDR Rules relating to the privacy or confidentiality of CDR data, following an investigation. The determination may include a declaration that the CDR participant should not repeat or continue the conduct or take certain steps.
6. Court proceedings – Either the OAIC or ACCC can initiate legal proceeds for breach of the relevant CDR regime legislation. The court can make a range of orders including civil penalties, actions to remedy a breach or an injunction to restrain the CDR participant from engaging in certain conduct and orders disqualifying individuals from being directors of corporations.

The CDR and interaction with other jurisdictions

The CDR regime applies to data generated or collected in Australia, and data generated or collected outside Australia if the data holder is registered under the Australian federal Corporations Act 2001 (Cth) or the data holder is an Australian citizen or permanent resident.
However, budget has also been allocated to expand international engagement with the CDR, by promoting a rules-based approached to international consumer data. Other jurisdictions have similar consumer data protection regimes for their banking sectors, for example the United Kingdom ‘Open Banking Standard’ and the Open Banking Initiative Canada. There is an opportunity for the Australian CDR to both learn from and interact with these foreign regimes.

If you have any questions regarding the article above, please contact Hamish Fraser (Partner, Technology and Communications) at [email protected], Sophie Dawson (Partner, Media, Privacy and Data) at [email protected], Thomas Jones (Partner, Competition and Regulatory) at [email protected]. and Natalie Yeung at [email protected] (Associate, Technology and Communications).

[1]ACCC/OAIC Compliance and Enforcement Policy for the Consumer Data Right at https://www.accc.gov.au/system/files/CDR%20-%20CE%20-%20Joint%20ACCC%20and%20OAIC%20compliance%20and%20enforcement%20policy%20-%208%20May%202020.pdf