The introduction of the Consumer Data Right (CDR) regime under the Competition and Consumer (Consumer Data Right) Rules 2020 (Cth) (CDR Rules) changed the data regulation landscape in Australia.
The Australian Government will spend AU$111.3 million of the Digital Economy Budget 2021-2022 on the CDR over the next 2 years. The budget will be used to continue the implementation of the CDR in the banking sector and to accelerate the rollout of the CDR to other parts of the economy including the energy sector and the telecommunications sector, which have been named as the next priority CDR sectors. Entities in the energy and the telecommunications sectors should now be planning for the implementation of the CDR in their sector in the relatively near term, as part of their technology and compliance planning.
For the banking sector, the CDR has been operational since July 2020. For all major Authorised Deposit-taking Institutions (ADIs), the rollout of the CDR is in its final phase, Phase 3, meaning that the CDR is available to customers of major ADIs. The CDR will continue to be rolled out for all non-major ADIs throughout 2021.
In the energy sector, the budget will be used to develop the designation instrument and relevant standards for the CDR regime, with the aim to have the CDR regime operational in 2022. For the telecommunications sector, the budget will allow the government to undertake a strategic assessment of the sector to deliver a roadmap for the rollout of the CDR.
Ultimately, the Australian federal government intends that the CDR regime will be available economy-wide.
Designed to give consumers greater access to and control of their own data, the CDR allows consumers to more readily compare and switch between products and services, which encourages competition between service providers. The CDR regime is an opt-in service for consumers, under which consumers can direct their data to be shared from their existing service provider through a secure online system with a new provider of their choice. To receive CDR data, data recipients will need to become accredited. Once accredited, data recipients must comply with a set of privacy safeguards, rules and IT system requirements that ensure that consumers’ privacy is protected, and that CDR data is transferred and managed securely. What constitutes ‘CDR data’ will be different for each particular sector and will be set out in the designation instrument for each sector.
The Australian federal government has stated that it hopes that the investment into the CDR will grow Australia’s technology and innovation sectors and will drive the digitalisation of Australian businesses. The government believes consumers will benefit from new and more competitive data-driven products and services.
Importantly, if a consumer who has opted into the CDR believes that their data has been mishandled, or that their privacy has been breached, they can make a formal complaint about it to their provider or to the CDR regulators.
The CDR regime is regulated by a legislative framework that consists of four layers, as follows:
The ACCC is the lead CDR regulator that works together with the OAIC and Data Standards Body (DSB) in the development, implementation and enforcement of the CDR. The ACCC and OAIC’s approach is that the prevention of a breach of the CDR is preferable to taking action after a breach has occurred.
In any event, the ACCC and OAIC have a number of enforcement options to ensure that CDR participants comply with the CDR regime, including:
The CDR regime applies to data generated or collected in Australia, and data generated or collected outside Australia if the data holder is registered under the Australian federal Corporations Act 2001 (Cth) or the data holder is an Australian citizen or permanent resident.
However, budget has also been allocated to expand international engagement with the CDR, by promoting a rules-based approach to international consumer data. Other jurisdictions have similar consumer data protection regimes for their banking sectors, for example the United Kingdom ‘Open Banking Standard’ and the Open Banking Initiative Canada. There is an opportunity for the Australian CDR to both learn from and interact with these foreign regimes.
If you have any questions regarding the article above, please contact Hamish Fraser (Partner, Technology and Communications) at [email protected], Sophie Dawson (Partner, Media, Privacy and Data) at [email protected], Thomas Jones (Partner, Competition and Regulatory) at [email protected], and Natalie Yeung (Associate, Technology and Communications) at [email protected].
ACCC/OAIC Compliance and Enforcement Policy for the Consumer Data Right at https://www.accc.gov.au/system/files/CDR%20-%20CE%20-%20Joint%20ACCC%20and%20OAIC%20compliance%20and%20enforcement%20policy%20-%208%20May%202020.pdf