
What Are OAIC and ACCC’s Powers in Relation to the CDR Regime?

The Consumer Data Right (CDR) regime obliges organisations (data holders) in specific sectors to share consumer data with accredited third parties (accredited data recipients) where the relevant consumer provides their consent. Accredited data recipients may use the data for the purpose the consumer intended their data to be used. This may include services like comparing and recommending services and products that are more suitable to the consumer. The Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC) jointly oversee and regulate those involved in the CDR landscape. This article discusses the roles and functions of the ACCC and OAIC in the CDR regime.


ACCC vs OAIC

The ACCC is an independent Commonwealth statutory authority. It enforces competition and consumer law in Australia and ensures the market operates fairly for consumers to the extent possible. The ACCC attempts to maintain a competitive market that facilitates economic growth and protects consumers from exploitation.

On the other hand, the OAIC monitors the Australian market to ensure that all Australian federal government agencies and organisations with an annual turnover of over $3 million comply with the privacy law in Australia (subject to certain exceptions). 

What Specific Functions Will the OAIC and ACCC Serve?

ACCC and OAIC jointly regulate the CDR regime. The regulation aims to ensure that consumers can trust the integrity and security of the CDR regime. 

The regulators’ functions include:

  • monitoring parties involved in the CDR regime to ensure compliance with their obligations;
  • ensuring those participating in the CDR ecosystem are complying with their privacy obligations. The OAIC is the primary regulator for the privacy aspects of the CDR. It also handles complaints in the CDR regime relating to privacy, and it has several investigative and enforcement powers concerning privacy complaints;
  • providing accreditation for persons who want to be accredited data recipients. The ACCC is in charge of this, and any person wishing to be an accredited data recipient must meet a range of conditions, such as certain IT and legal requirements;
  • maintaining a record of all the data holders and accredited data recipients. ACCC is responsible for this function; and 
  • guiding the CDR participants, like data holders and accredited data recipients, on their rights and obligations.

How Will OAIC and ACCC Monitor Those Involved in the CDR Regime?

OAIC and ACCC use several steps to monitor the CDR participants to ensure compliance and identify breaches. 

  • Intelligence from stakeholders and complainants: OAIC and ACCC use information from stakeholders like CDR consumers, businesses, and others to obtain information about how CDR participants comply with CDR obligations. This includes consumer complaints and reports from external regulatory bodies like AFCA in the banking sector.
  • Business reporting: OAIC and ACCC use information disclosed in the mandatory periodic reports provided by data holders and accredited data recipients to monitor compliance with the CDR laws and identify any issues.
  • Audits and assessments: OAIC and ACCC have the power to complete audits on data holders and accredited data recipients. The regulators can use the results of such audits to identify breaches and compliance issues within those entities.
  • Information from data holders and accredited data recipients: OAIC and ACCC have legal powers to require data holders and accredited data recipients to provide information, documents and other evidence for monitoring and compliance purposes.

Enforcement Actions by OAIC and ACCC

OAIC and ACCC have several enforcement powers, including:

  • issuing an administrative resolution whereby they accept a voluntary commitment from a person to resolve non-compliance with the CDR regime;
  • giving an infringement notice to a person that breaches its CDR obligations; 
  • seeking an undertaking from a person to take specific actions like conducting an independent audit on itself;
  • suspending or revoking a person’s accreditation as an accredited data recipient where such an action is required to protect consumers; and
  • initiating legal action against a person for a significant breach of its CDR obligations.

Further, OAIC and ACCC will view certain types of breaches of CDR obligations as causing more detriment to the consumers, including the following:

  • a data holder refusing to disclose data or trying to frustrate the release of data despite the consumer giving their consent and the accredited data recipient following all the correct steps;
  • misleading and deceptive conduct by any person involved in the CDR regime. For example, a person misleading another person into believing the former is an accredited data recipient when they are not; 
  • collecting data from a data holder without valid consent from a consumer; 
  • using data collected under the CDR regime for a purpose other than the one to which the consumer consented; and
  • CDR participants having inadequate security functions and processes, leading to a data breach or misuse of data. 

Such serious breaches will trigger enforcement actions.

Key Takeaways

OAIC and ACCC jointly regulate persons participating in the CDR regime. Their functions include accrediting persons who want to be accredited data recipients, dealing with privacy and consumer complaints in connection with the CDR regime, monitoring the compliance of CDR participants and taking enforcement actions where necessary.

Stebin Sam
