The ACCC and the Office of the Australian Information Commissioner (OAIC) jointly released the Compliance and Enforcement Policy (CDR Policy) for the Consumer Data Right (CDR) regulatory framework. The Consumer Data Right will be effective from July 2020, with the objective of giving consumers greater access to and control over their data.
The CDR Policy is guided by the general principles of accountability, efficiency, fairness, proportionality and transparency. The CDR Policy also lists the various compliance monitoring tools that the ACCC and OAIC intend to utilise to ensure compliance with the CDR, including gathering information from stakeholders and external dispute resolution bodies, mandatory reports from data holders and accredited data recipients, audits and assessments of data holders and accredited data recipients, and information disclosed through a request or compulsory notice.
The CDR Policy further identifies the types of conduct which the ACCC and OAIC consider to be priority conduct. These types of conduct are more likely to result in significant detriment to consumers and are therefore more likely to attract ACCC and OAIC action.
• misleading and deceptive conduct;
• invalid consent when collecting data;
• insufficient security controls;
• refusal of data holders to disclose consumer data in response to valid consumer data requests; or
• misuse or improper disclosure of consumer data.
The CDR Policy provides a range of enforcement options including (but not limited to) administrative resolutions (such as a voluntary written commitment by a business to address a non-compliance issue); ACCC infringement notices and court-enforceable undertakings; suspension or revocation of accreditation by the ACCC; OAIC determination and declarations; and court proceedings, which in turn can result in penalties, injunctions and/or other orders.
For further details, please see the CDR Policy here.