The Consumer Data Right, also known as the CDR, is a new law which will give consumers control over their data. CDR is being rolled out progressively across different industry sectors, starting with the Big 4 banks from 1 July 2020, as part of Open Banking. The energy and telecommunications sectors will follow. Eventually, CDR will apply to numerous sectors in the Australian economy.
The CDR will change the current processes for moving consumer data between businesses and for providing consumer data to consumers. It is vital that businesses are ready for these changes. In this article, we look at the basics of what the CDR means if your business is affected.
What Rights Does the CDR Create?
The CDR creates the right for consumers to:
- direct a business to securely transfer their designated data to a trusted recipient; and
- access their designated data held by a business in a usable form.
Consumers can be individuals and they can also be businesses. Whether you are an individual or business under the CDR depends on whether you are reasonably identifiable from the CDR data.
The CDR also includes 13 Privacy Safeguards which will apply if your business is subject to the CDR. The goal of the Privacy Safeguards is to protect the personal information of consumers handled under the CDR.
Which Data Do the CDR Apply to?
The CDR law has been added into existing competition and consumer law. Further CDR rules and standards will be implemented for each industry sector, and will set out how the CDR applies to that sector. This includes how the CDR will apply to specific data types for that sector.
The CDR rules and standards will also designate which businesses the CDR will apply to and from which date it will apply.
For example, in the banking sector, there is a staged rollout. For the Big 4 banks, the requirement to share:
- product data started on 6 February 2020;
- consumer data with accredited recipients will start on 1 July 2020;
- consumer data with consumers will start on 1 November 2020.
Smaller banks will adhere to the CDR in later stages.
Continue reading this article below the formWhich Businesses Does the CDR Apply to?
As and when CDR rules and standards are implemented for each sector, they will specify which businesses are impacted. The CDR may apply to a business within the sector as a data holder, a data recipient or as a designated gateway.
Data Holders
The CDR will list specific categories of businesses considered to be data holders.
For example, with the rollout in the banking sector, the initial data holders are the Big 4 banks. Later, other authorised deposit-taking institutions will be included.
Data Recipient
Only accredited data recipients can receive data as part of the CDR. Your business must apply to become an accredited data recipient. Therefore, if your business is not a data holder, the CDR is opt-in.
Your business must use the accreditation portal to submit its application; accreditation is subject to approval by the regulator.
Once accredited as a data recipient, you will have ongoing obligations to maintain accreditation, such as keeping records, reporting to the regulators and being audited.
Designated Gateway
The government may select a designated gateway to facilitate data transfer under the CDR. The gateway will transfer data between the data holder and an accredited data recipient.
It is not expected that businesses will be designated gateways. Instead, it is likely designated gateways will be government-controlled bodies or entities.
What Steps Should Your Business Take Now?
If your business is in the banking sector you should consider whether you are a data holder under the CDR.
You should also consider if you should apply to become an accredited data recipient. Even if your business is not a deposit-taking institution, becoming an accredited data recipient may be beneficial for you. For example, as a fintech business, it may be useful to be eligible to receive consumer data from the banks.
If you will participate in the CDR as a data holder or data recipient, you will need to:
- produce a customer-facing CDR policy;
- develop internal policies and procedure on the CDR for your staff;
- provide training for your staff on the CDR; and
- review your dispute handling process and IT security if you intend to become accredited and maintain your accreditation.
Who Regulates the CDR?
The CDR will be regulated by two core regulatory bodies. The Australian Competition and Consumer Commission (ACCC) will be the lead regulator with a focus on consumer benefit from the CDR. The Office of the Australian Information Commissioner will work closely with the ACCC, with a focus on privacy by design and strong privacy protections for consumers.
For corporations, this can be:
- up to $10 million per breach;
- three times the value of the benefit obtained as a result of the breach; or
- if the benefit cannot be calculated, 10% of the corporation’s annual turnover.
Key Takeaways
The CDR introduces new rights for consumers and new considerations for businesses. It will initially only apply in the banking sector and will be rolled out over time. However, now is the time to understand how the CDR may apply to your business. For example, it is useful to consider now whether you should apply to become an accredited data recipient. If so, it is important to understand the criteria for applying, your ongoing obligations and to prepare the required internal and external documentation.
A LegalVision commercial lawyer can provide you with guidance on how the CDR applies to your business, the accreditation requirements and assist your business with important policies such as your external CDR policy. Just call 1300 544 755 or fill in the form on this page.
We appreciate your feedback – your submission has been successfully received.
