The Consumer Data Rights (CDR) regime obliges organisations (data holders) in specific sectors to share consumer data with accredited third parties (accredited data recipients) where the relevant consumer provides their consent. Accredited data recipients may use the data for the purpose the consumer intended their data to be used. This may include services like comparing and recommending services and products that are more suitable to the consumer. Australian Competition and Consumer Commission (ACCC) and the Office of Australian Information Commissioner (OAIC) jointly oversee and regulate those involved in the CDR landscape. This article discusses the roles and functions of ACCC and OAIC in the CDR regime.
This fact sheet outlines the changes to data and privacy protection in 2023.
ACCC vs OAIC
The ACCC is an independent Commonwealth statutory authority. They enforce the competition and consumer law in Australia and ensure the market operates fairly for consumers to the extent possible. ACCC attempts to maintain a competitive market that facilitates economic growth and limits consumers from exploitation.
On the other hand, the OAIC monitors the Australian market to ensure that all Australian federal government agencies and organisations with an annual turnover of over $3 million comply with the privacy law in Australia (subject to certain exceptions).
What Specific Functions Will the OAIC and ACCC Serve?
ACCC and OAIC jointly regulate the CDR regime. The regulation aims to ensure that consumers can trust the integrity and security of the CDR regime.
The regulators’ functions include:
- monitoring parties involved in the CDR regime to ensure compliance with their obligations;
- ensuring those participating in the CDR ecosystem are complying with their privacy obligations. The OAIC is the primary regulator that regulates the privacy aspect of CDR. They also handle complaints in the CDR regime relating to privacy. It has several investigative and enforcement powers concerning privacy complaints;
- providing accreditation for persons who want to be accredited data recipients. The ACCC is in charge of this, and any person wishing to be an accredited data recipient must meet a range of conditions, such as certain IT and legal requirements;
- maintaining a record of all the data holders and accredited data recipients. ACCC is responsible for this function; and
- guiding the CDR participants, like data holders and accredited data recipients, on their rights and obligations.
How Will OAIC and ACCC Monitor Those Involved in the CDR Regime?
OAIC and ACCC use several steps to monitor the CDR participants to ensure compliance and identify breaches.
| Intelligence from stakeholders and complainants | OAIC and ACCC use information from stakeholders like CDR consumers, businesses, and others to obtain information about how CDR participants comply with CDR obligations. This includes consumer complaints and reports from external regulatory bodies like AFCA in the banking sector. |
| Business reporting | OAIC and ACCC use information disclosed in the mandatory periodic reports provided by data holders and accredited data recipients to monitor compliance with the CDR laws and identify any issues. |
| Audits and assessments | OAIC and ACCC have the power to complete audits on data holders and accredited data recipients. The regulators can use the results of such audits to identify breaches and compliance issues within those entities. |
| Information from data holders and accredited data recipients | OAIC and ACCC have legal powers to require data holders and accredited data recipients to provide information, documents and other evidence for monitoring and compliance purposes. |
Enforcement Actions by OAIC and ACCC
OAIC and ACCC have several enforcement powers, including:
- issuing an administrative resolution whereby they accept a voluntary commitment from a person to resolve non-compliance with the CDR regime;
- giving an infringement notice to a person that breaches its CDR obligations;
- seeking an undertaking from a person to take specific actions like conducting an independent audit on itself;
- suspending or revoking a person’s accreditation as an accredited data recipient where such an action is required to protect consumers; and
- initiating legal action against a person for a significant breach of its CDR obligations.
Further, OAIC and ACCC will view certain types of breaches of CDR obligations as causing more detriment to the consumers, including the following:
- data holder refusing to disclose data or trying to frustrate the release of data despite the consumer giving their consent and the accredited data recipient following all the correct steps;
- misleading and deceptive conduct by any person involved in the CDR regime. For example, a person misleading another person into believing the former is an accredited data recipient when they are not;
- collecting data from a data holder without valid consent from a consumer;
- using data collected under the CDR regime for a purpose other than which a consumer consented to; and
- CDR participants having inadequate security functions and processes, leading to a data breach or misuse of data.
Such serious breaches will trigger enforcement actions.
Key Takeaways
OAIC and ACCC jointly regulate persons participating in the CDR regime. Their functions include accrediting persons who want to be accredited data recipients, dealing with privacy and consumer complaints in connection with the CDR regime, monitoring the compliance of CDR participants and taking enforcement actions where necessary.
If you would like to know more about the role of OAIC and ACCC in the CDR regime, our experienced regulatory compliance lawyers can assist. Call us today on 1300 544 755 and our team will get back to you with a fixed-fee quote.
We appreciate your feedback – your submission has been successfully received.
