Key Privacy Obligations as an Accredited Data Recipient

The Consumer Data Right (CDR) regime allows fintech businesses to use data to offer various innovative services and products. However, as the activities in the CDR regime involve handling personal information and other related data, any fintech business wanting to engage in the regime must comply with various privacy-related obligations. This article discusses the privacy obligations that any fintech business wanting to operate as an accredited data recipient (ADR) should know. 

What is CDR? 

CDR is a legal regime in Australia that requires businesses in specific industries holding consumer data (called data holders) to share those data with accredited third parties (ADRs). The relevant consumer must consent before data holders can share information about their consumers. 

A data holder would typically share data so that the ADR can provide a particular service or a product. For example, analysing the data to recommend a more suitable product or service to the consumer than the one they are currently using. The CDR regime currently applies to the banking sector and will later extend to the energy and telecommunications sectors. 

The Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC) regulate participants in the CDR regime. The regime aims to give consumers more control over their data and enhance their ability to compare and change services and products. This, in turn, aims to facilitate more market competition and increase the availability of better, cheaper, and innovative products and services in the Australian market. 

Privacy Obligations of ADRs

Accredited third parties that receive data to provide services to consumers have several privacy obligations, or ‘Privacy Safeguards’. These obligations are largely similar to the Australian Privacy Principles, but FinTech businesses need to consider them carefully to avoid being in breach. 

We discuss some of the privacy obligations applying to ADRs below.

Collection of Data

ADRs can only collect consumer data with that consumer’s consent, which a person can withdraw at any time. The ADR must provide enough information to the consumer to enable them to make an informed and voluntary consent. The ADR must also only use the data for a purpose that the consumer has agreed to and should not collect any more data than required to fulfil that purpose. 

Openness and Transparency

ADRs must adopt an open and transparent approach to privacy. To this end, ADRs must have a CDR policy that details how the ADR will use, collect and manage data. For example, the policy must include:

• the classes of data that the ADR will hold; 
• the purposes for which the ADR will collect, hold and use data; 
• how consumers can access or correct data that the ADR holds; and 
• how consumers can lodge a complaint with the ADR. 

ADRs should make their CDR policy available free of charge to consumers. The ADR may also choose to have a CDR management plan. A CDR management plan is a separate document that sets out specific goals, targets, and procedures that will assist the ADR in meeting its ongoing CDR obligations, including privacy obligations. 

Anonymity and Pseudonymity

ADRs must allow consumers to use the ADR’s services anonymously or use pseudonyms to de-identify their data. However, this does not apply where it is either impracticable to deal with the consumer without identifying them or where the ADR is legally required or otherwise authorised to identify the customer.

Unsolicited Data

If an ADR receives unsolicited consumer data, it must destroy that data. The same applies to any data the ADR is not obligated to retain under the law. ‘Unsolicited’ means any data the ADR did not request from a data holder after obtaining consent from the relevant consumer. 

Direct Marketing 

ADRs must not use consumer data for direct marketing without the relevant consumer’s consent unless otherwise permitted by law. 

Misuse of Data

ADRs must take reasonable steps to ensure that consumer data collected are not misused, disclosed, subjected to unauthorised access, or lost. To mitigate the risk of data misuse, ADRs must have the appropriate information security technology and procedures to ensure that the data are protected. 

Consequences of Breach

OAIC and ACCC may commence an investigation and take enforcement action following a breach of any CDR obligations, including privacy obligations. The OAIC is the primary regulator that monitors that ADRs comply with their privacy obligations. These regulators have several enforcement powers, including:

• issuing infringement notices; 
• requiring the ADRs to provide a court-enforceable undertaking; 
• seeking court orders;
• suspending or revoking the ADR’s accreditation; and 
• initiating court proceedings. 

2023 Key Data and Privacy Developments

This fact sheet outlines the changes to data and privacy protection in 2023.

Download Now

Key Takeaways

The Consumer Data Right (CDR) is a legal regime under Australian law requiring businesses that hold consumer data to share those data with accredited third parties where a consumer has consented to the sharing. The accredited third parties who accept consumer data have a number of obligations, including privacy-related obligations. OAIC and ACCC may take enforcement action against an accredited data recipient if they breach their privacy obligations.  

For more information about your privacy obligations as an accredited data recipient, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.