Consumer data regimes: and then there were three

Individuals and organisations now have the right to efficiently and conveniently access specified data that businesses hold in relation to them.

The Consumer Data Right (CDR) requires data holders to give customers open access to data on specified products and services they have on offer and authorises secure access to this data by trusted and accredited third parties. This new regulatory regime, which applies both within and outside of Australia, is designed to empower customers to compare products and enjoy greater mobility as they shift between service providers and find products more suited to their needs. It will co-exist with the Australian Privacy Principles (APPs) and the EU General Data Protection Rules (GDPR).

Key elements of the CDR framework

  • will initially apply to the banking sector (dubbed Open Banking) followed by the energy and telecommunications sectors;
  • relies on four key participants: consumers (a person or entity), data holders, accredited persons and accredited data recipients, and designated gateways;
  • data access must be provided in a timely manner and in a useful digital format;
  • regulated by both the ACCC and the OAIC;
  • various avenues to seek remedies for breaches of customer privacy are available; and
  • civil penalties apply to persons who fail to comply with the consumer data rules.

Strong privacy and information security provisions are also fundamental elements of the CDR. In response, 13 Privacy Safeguards have been developed that set out the privacy rights and obligations for users of the scheme, including the requirement for informed consent to collect, disclose, hold or use CDR data. These safeguards provide consistent protections for the consumer data of both individuals and business enterprises and build upon the protections for individuals contained in the APPs.

Organisations seeking to protect consumer data from misuse may need to comply with three consumer data regimes to meet their regulatory obligations. These businesses will need to be mindful of the challenges this presents and implement appropriate technical and integrated data protection measures across their data handling policies and practices.

Source: Treasury Laws Amendment (Consumer Data Right) Bill 2019 Explanatory Memorandum (24 July 2019)