Companies failing to meet Consumer Data Right (CDR) privacy obligations could be slapped with court action and prevented from collecting more consumer data, under a new Compliance and Enforcement Policy (CEP) outlining the “strategic risk-based approach” that will govern CDR when it finally takes effect on 1 July.

Jointly tasked to monitor compliance with CDR, the Office of the Australian Information Commissioner (OAIC) and Australian Competition & Consumer Commission (ACCC) will use a range of information sources and monitoring tools to police the scheme’s operation.

Backed by what ACCC commissioner Sarah Court called “significant and serious safeguards”, authorities will tap inputs including stakeholder intelligence and complaints, business reporting, audits and assessments, and information requests and compulsory notices.

CDR, which was passed into law in mid-2019 and will go live on 1 July after a series of consultations and implementation delays, will initially underpin Australia’s open-banking regime by giving consumers the right to access the data that banks hold on them and to direct where it is shared.

It has forced banks to standardise the representation of their financial products – theoretically helping consumers move between service providers more easily – and incorporates powers that allow third parties such as mortgage brokers, acting as ‘accredited data recipients’ (ADRs), to receive consumers’ data with their consent.

They’ve got the powers

The measures outlined in the CEP are designed to bolster consumer confidence in the CDR scheme by ensuring that consumers’ personal information is protected in practice, not just on paper.

“Consumers must be confident that the CDR regime works as intended and that the regulatory framework put in place will protect their interests,” the new policy says, calling the changes “a significant economy wide reform” and outlining principles and penalties designed to “instil public confidence… in ensuring consumers are appropriately protected within the CDR regime”.

Despite the pressures of CDR’s looming introduction, Australian banks have been diverting CDR cybersecurity staff to fight COVID-19-related attacks, hoping to avoid exposure of the kind suffered by Spanish bank Santander, whose Belgian branch was recently found to be leaking customer data on its website.

Data holders or ADRs breaching CDR rules could be directed to improve their internal practices and procedures, issued with infringement notices, or required to give court-enforceable undertakings – and a breach of those undertakings could prompt the ACCC and OAIC to seek court orders imposing injunctions and penalties.

In a move that could particularly complicate banks’ extensive data-collection activities, the ACCC could bar a company from collecting any further consumer data if its accreditation is suspended for non-compliance.

The OAIC, for its part, has been given determination and declaration powers under which it can rule that a company has breached the privacy safeguards that apply to CDR data.

Five core principles – accountability, efficiency, fairness, proportionality and transparency – will guide the ACCC and OAIC as they decide whether and how to enforce the penalties, in a manner “proportionate to the seriousness of the breach and the level of harm or potential harm”.

Relevant factors include the nature and extent of the conduct; the number of breaches; the impact of the conduct; whether the conduct was “deliberate, repeated, reckless or inadvertent”; and the degree of cooperation from the bodies under investigation, among others.

The ACCC and OAIC will “always” have grounds for enforcement action around certain activities – including refusal or frustration of the disclosure process, misleading or deceptive conduct, invalid consent, misuse or improper disclosure of CDR consumer data, and insufficient security controls – that are considered “likely to result in significant detriment to consumers and the integrity of the CDR regime”.

Boosting consumer confidence post COVID-19

CDR will initially focus on banks, but subsequent expansion will bring similar open-data powers – and penalties – to industries including utilities and telecommunications.

Yet while they signal a sea change in attitudes towards data hoarding, the changes could also prove timely in supporting economic recovery in the wake of the financial devastation caused by the COVID-19 pandemic.

With consumer confidence at historic lows – recent Roy Morgan data found that 48 per cent of consumers expect bad times financially over the next 12 months – consumer trust will be crucial for companies to succeed in the post-COVID-19 economy.

Australian information commissioner and privacy commissioner Angelene Falk agreed that CDR’s transparency would be “critical” in rebuilding consumer confidence and assisting the country’s economic recovery.

The new policy “provides increased certainty about how we will uphold these consumer protections,” she said, noting that reforms like CDR “build consumer confidence in the use of their personal information and encourage innovation”.

Fully 81 per cent of respondents to a recent Edelman Trust Barometer Special Report said their post-COVID-19 buying decisions would be guided by their trust in brands to do the right thing.

Companies should be actively overhauling data management processes to meet CDR’s requirements, a panel of industry experts warned at a recent Gartner event where it was made clear that CDR is as much about data management as it is about compliance.

Treasury recently extended the deadline for submissions to its ongoing Inquiry into Future Directions for the Consumer Data Right, with an Issues Paper published in March and submissions now being accepted until 21 May.

That paper outlined four key principles guiding development around the CDR – including that it should be consumer focussed, encourage competition, be efficient and fair, and create opportunities for “a vibrant and creative data sector that supports better services enhanced by personalised data”.

“By creating benchmarks, an infrastructure, and an ecosystem for safe, efficient and fair information sharing, the CDR could provide a framework to help connect different parts of Australia’s digital economy.”