ACCC and OAIC promise to put consumers at the centre of CDR enforcement

The Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC) have vowed to put consumers at the centre of their joint enforcement activities under the imminent Consumer Data Right (CDR).

The CDR has been touted as allowing individuals to “own” their data by granting them open access to their banking, energy, phone, and internet transactions, as well as the right to control who can have it and who can use it.

The first sector to which the CDR will apply is finance, through an open banking regime, with telecommunications and energy soon to follow.

After delays and pushbacks due to COVID-19, the Australian government will push forward with the July 1 mandate, with the ACCC and the OAIC jointly publishing their Compliance and Enforcement policy [PDF] on Friday.

“The purpose of this policy is to help consumers and CDR participants understand the approach that the ACCC and the OAIC will adopt to encourage compliance with CDR rules, legislation (including privacy safeguards) and consumer data standards,” the pair said.

“Consumer consent and strong privacy protections will be central to the CDR regime. Allowing consumers to share their data with service providers of their choice will lead to increased competition and will drive innovation across the Australian economy.

“Consumers should be able to trust that we are monitoring and enforcing CDR participants’ compliance with the relevant laws, rules, and data standards.”

The parties said a “strategic risk-based approach” would be taken to compliance and enforcement, guided by accountability, efficiency, fairness, proportionality, and transparency as its principles.

With the Banking Royal Commission still front of mind for many customers of the big four banks, the OAIC and ACCC hope their approach to enforcement will breed a culture of compliance.

“Our approach to compliance is focused on preventing and addressing consumer harm and ensuring the effective, efficient and lawful operation of the CDR regime,” the OAIC and ACCC wrote.

The pair will compile information, such as intelligence reports from external parties; receive mandatory periodic reports from data holders and accredited data recipients; undertake audits and assessments, as well as take “required action” against those not complying; issue data holders or accredited data recipients information requests; and use statutory information-gathering powers to compel the provision of information, documents, or evidence where conduct may constitute a contravention.

“Ultimately, prevention of a breach of the CDR regulatory obligations through our compliance activities is preferable to taking action after the breach has occurred,” the pair said. “However, when we consider a breach has occurred, we will take regulatory action proportionate to the seriousness of the breach and the level of harm or potential harm.”

The OAIC and ACCC said there are a number of enforcement options available to respond to and resolve breaches of the CDR legislation, including administrative resolutions, which would see the offender accept a voluntary written commitment to address a non-compliance issue.

The ACCC will also be able to issue data holders or accredited data recipients with infringement notices if both bodies consider a breach has occurred.

Court enforceable undertakings are also an option.

“The court can make a range of orders including civil penalties, action to remedy a breach, an injunction to restrain a CDR participant from engaging in the conduct, and orders disqualifying individuals from being directors of corporations,” the pair wrote.

The OAIC and ACCC may also suspend or revoke accreditation. An accredited data recipient is prohibited from seeking to collect data while a suspension is in effect.

Under its determination and declarations power, the OAIC can also order that the CDR participant should not repeat or continue the conduct, take relevant steps within a specified period to ensure the conduct is ceased, and redress any loss or damage suffered by consumers, including compensation.

The ACCC and OAIC said they would be more likely to take action where the conduct involves data holder refusal, that is, by intentionally circumventing the rules or data standards; or there is misleading or deceptive conduct that leads a person into believing that another person is a CDR consumer or that a valid request or consent has been made, which can also be a person failing to correct the perception that they are accredited, when they are not.

Also prioritised would be invalid consent; the misuse or improper disclosure of CDR consumer data, which could include conduct that deliberately seeks to circumvent the “data minimisation” principle; and possessing insufficient security controls.

“A strong regulatory framework is in place to protect privacy and build public confidence in the Consumer Data Right, and the compliance and enforcement policy released today provides increased certainty about how we will uphold these consumer protections,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“Economic reforms like the Consumer Data Right which build consumer confidence in the use of their personal information and encourage innovation will be critical to our recovery after the COVID-19 outbreak.”

MORE ON THE CDR