On 12 October 2023, the Australian Competition & Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC) published an amended Consumer Data Right (CDR) Compliance and Enforcement Policy (see here). The policy was last updated in May 2020, and the amendments provide a helpful insight into the regulators’ approach to enforcement of the CDR (which is shared between them).
What is the Consumer Data Right?
The CDR is a new consumer right that provides consumers with the ability to see their data that is held by businesses, and to authorise the secure transfer of that data to service providers of their choosing. It aims to promote:
- data accessibility and utility;
- consumers’ control over their data;
- ease of secure switching for core consumer products and utilities; and
- competition and innovation in the relevant sectors.
The CDR is being rolled out in stages – it is now well established in the banking sector, and is progressing in the energy sector. The planned expansion into the telecommunications, superannuation and insurance sectors has been paused for the time being, in line with recommendations from the independent Statutory Review released in September 2022.
Notwithstanding this, the Australian Government allocated a further $88.8 million over two years to the CDR in the latest budget, which will be used to expand awareness of the CDR, implement cyber security improvements and improve data quality and drive participation.
A pause on the rollout coupled with increased budget for regulatory activities indicates we are likely to see more enforcement action taken by the ACCC and the OAIC to address problematic conduct.
Summary of the CDR Compliance and Enforcement Policy
The policy sets out the ACCC’s and OAIC’s risk-based approach to compliance monitoring and enforcement, and lists their enforcement priorities. The regulators use the following tools to assess compliance and identify potential breaches of the CDR regime:
- complaints / stakeholder intelligence;
- participant reporting and rectification schedule; and
- audits and assessments of data holders and accredited data recipients.
Parties that fall foul of the regime could face a number of enforcement outcomes, including:
- infringement notices and fines;
- suspensions or revocation of accreditation;
- court enforceable undertakings and administrative resolutions;
- determinations and declarations; and
- court proceedings (which may result in civil penalties, injunctions and other orders).
What’s changed in the updated CDR Compliance and Enforcement Policy?
The updated policy identifies examples of priority conduct which the ACCC and OAIC consider is likely to result in significant detriment to consumers and the integrity of the CDR. This conduct may be more likely to attract enforcement action, and includes:
- data holders hindering the operation of the regime (e.g. refusing to disclose consumer data in response to a valid consumer data request where this is not permitted under the Consumer Data Rules or Data Standards);
- failure to meet compliance dates (e.g. repeated failures to meet compliance obligation dates);
- insufficient data quality (e.g. data that is inaccurate, incomplete or not in the format required by the Data Standards);
- insufficient oversight of third parties participants by accredited data recipients (including having adequate controls and systems in place to monitor compliance);
- insufficient security measures (insufficient controls and processes to prevent misuse, interference and loss, and unauthorised access, modification or disclosure);
- misleading or deceptive conduct (e.g. holding out that a person is an accredited data recipient when they are not); and
- misuse of CDR data (e.g. using data other than in accordance with the consumer’s consent).
Recent enforcement examples
Initially, the regulators were focused on improving CDR participation and education – but we are seeing the ACCC and OAIC start to move into more enforcement activities. We expect to see this activity increase, in particular around the involvement of third party participants in the CDR ecosystem. A few examples of recent enforcement action are summarised below:
| Bank of Queensland Limited (July 2022)
|
Bank of Queensland was the first Authorised Deposit-taking Institution to be fined for failing to adhere to the CDR Rules in July 2022. The bank paid a penalty of $133,200 after the ACCC issued it with an infringement notice for allegedly failing to provide a service enabling consumers’ data to be shared (i.e. allegedly failing to meet compliance dates). See more information here. |
| ING Bank (Australia) Limited (December 2022) | ING Bank Limited paid penalties totalling $53,280 after the ACCC issued it with four infringement notices. The ACCC alleged that ING missed three important legislated deadlines (i.e. allegedly failing to meet compliance dates) and made a misleading statement to consumers on its website about the reliability and security of its CDR service (i.e. alleged misleading or deceptive conduct). See more information here. |
Next steps
With the increased focus on enforcement, data holders and accredited data recipients who participate in the CDR regime should:
(a) proactively review internal systems and processes to ensure they are compliant; and
(b) reach out to enforcement specialists with experience in this new regulatory space if they have concerns.
KWM’s Competition team includes CDR specialists who can help you ensure compliance with the CDR regime, particularly on engagement with the ACCC and OAIC. Please do get in touch if you would like to discuss: Peta Stevenson, Tamara Hunter and Natalie Stianos.
By Natalie Stianos and Bridget Sheahan
Image credit: Hands Typing on Laptop Keyboard by Image Catalog on Flickr / CC0 1.0 / Remixed to B&W and resized.