What Are OAIC and ACCC’s Powers in Relation to the CDR Regime?

The Consumer Data Rights (CDR) regime obliges organisations (data holders) in specific sectors to share consumer data with accredited third parties (accredited data recipients) where the relevant consumer provides their consent. Accredited data recipients may use the data for the purpose the consumer intended. This may include services like comparing and recommending services and products that are more suitable to the consumer. The Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC) jointly oversee and regulate those involved in the CDR landscape. This article discusses the roles and functions of the ACCC and OAIC in the CDR regime.

ACCC vs OAIC

The ACCC is an independent Commonwealth statutory authority. It enforces competition and consumer law in Australia and ensures the market operates fairly for consumers to the extent possible. The ACCC attempts to maintain a competitive market that facilitates economic growth and limits the exploitation of consumers.

On the other hand, the OAIC monitors the Australian market to ensure that all Australian federal government agencies and organisations with an annual turnover of over $3 million comply with the privacy law in Australia (subject to certain exceptions). 

What Specific Functions Will the OAIC and ACCC Serve?

ACCC and OAIC jointly regulate the CDR regime. The regulation aims to ensure that consumers can trust the integrity and security of the CDR regime. 

The regulators’ functions include:

  • monitoring parties involved in the CDR regime to ensure compliance with their obligations;
  • ensuring those participating in the CDR ecosystem are complying with their privacy obligations. The OAIC is the primary regulator for the privacy aspect of the CDR. It also handles complaints in the CDR regime relating to privacy and has several investigative and enforcement powers concerning privacy complaints;
  • providing accreditation for persons who want to be accredited data recipients. The ACCC is in charge of this, and any person wishing to be an accredited data recipient must meet a range of conditions, such as certain IT and legal requirements;
  • maintaining a record of all the data holders and accredited data recipients. ACCC is responsible for this function; and 
  • guiding the CDR participants, like data holders and accredited data recipients, on their rights and obligations.

How Will OAIC and ACCC Monitor Those Involved in the CDR Regime?

OAIC and ACCC use several steps to monitor the CDR participants to ensure compliance and identify breaches. 

  • Intelligence from stakeholders and complainants: OAIC and ACCC use information from stakeholders like CDR consumers, businesses, and others to obtain information about how CDR participants comply with CDR obligations. This includes consumer complaints and reports from external regulatory bodies like AFCA in the banking sector.
  • Business reporting: OAIC and ACCC use information disclosed in the mandatory periodic reports provided by data holders and accredited data recipients to monitor compliance with the CDR laws and identify any issues.
  • Audits and assessments: OAIC and ACCC have the power to complete audits on data holders and accredited data recipients. The regulators can use the results of such audits to identify breaches and compliance issues within those entities.
  • Information from data holders and accredited data recipients: OAIC and ACCC have legal powers to require data holders and accredited data recipients to provide information, documents and other evidence for monitoring and compliance purposes.

Enforcement Actions by OAIC and ACCC

OAIC and ACCC have several enforcement powers, including:

  • issuing an administrative resolution whereby they accept a voluntary commitment from a person to resolve non-compliance with the CDR regime;
  • giving an infringement notice to a person that breaches its CDR obligations; 
  • seeking an undertaking from a person to take specific actions like conducting an independent audit on itself;
  • suspending or revoking a person’s accreditation as an accredited data recipient where such an action is required to protect consumers; and
  • initiating legal action against a person for a significant breach of its CDR obligations.

Further, OAIC and ACCC will view certain types of breaches of CDR obligations as causing more detriment to consumers, including the following:

  • a data holder refusing to disclose data or trying to frustrate the release of data despite the consumer giving their consent and the accredited data recipient following all the correct steps;
  • misleading and deceptive conduct by any person involved in the CDR regime. For example, a person misleading another person into believing the former is an accredited data recipient when they are not;
  • collecting data from a data holder without valid consent from a consumer;
  • using data collected under the CDR regime for a purpose other than the one the consumer consented to; and
  • CDR participants having inadequate security functions and processes, leading to a data breach or misuse of data. 

Such serious breaches will trigger enforcement actions.

Key Takeaways

OAIC and ACCC jointly regulate persons participating in the CDR regime. Their functions include accrediting persons who want to be accredited data recipients, dealing with privacy and consumer complaints in connection with the CDR regime, monitoring the compliance of CDR participants and taking enforcement actions where necessary.

If you would like to know more about the role of OAIC and ACCC in the CDR regime, our experienced regulatory compliance lawyers can assist. Call us today on 1300 544 755 and our team will get back to you with a fixed-fee quote.

Stebin Sam
