As discussed in our recent post, the CDR is a data portability mechanism that is being rolled out across various business sectors, giving consumers more control over their data. The CDR is co-regulated by the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC). This post will briefly outline the regulators’ compliance and enforcement policy.
Objectives of the policy
The policy is underpinned by the objective of ensuring that consumers can trust the security and integrity of the CDR. Trust is central to the take-up of any online platform, and concerns have been raised with recent initiatives by the Commonwealth government such as the My Health Record roll-out and the CovidSafe App. In the context of the former, privacy expert Anna Johnston observes that:
Privacy missteps are eroding the public’s trust in the Government’s ability to achieve ambitious digital projects … [e]ach privacy catastrophe eats away at the public’s trust in successive government projects, before they even get off the ground.
How to corrode your social licence in nine easy steps by Anna Johnston
So the regulators overseeing the CDR are starting on the back foot, but are working hard to build trust among potential CDR users by developing a culture of compliance among the authorised data recipients.
Developing a culture of compliance
The regulators have adopted a risk-based approach to compliance and enforcement. The OAIC will be empowered to provide individual remedies and external dispute resolution, whereas the ACCC will have a strategic enforcement role focusing on consumer and competition outcomes.
There are four main tools to assess levels of compliance and identify potential breaches of the data sharing framework. The four tools are:
- stakeholder intelligence and complaints;
- business reporting;
- audits, assessments and information requests; and
- compulsory notices.
These tools are designed to prevent consumer harm and ensure the effective, efficient and lawful operation of the CDR. The idea is to foster a culture of compliance to achieve the objectives of the CDR.
Breach and Enforcement Action
Where a breach has occurred, the ACCC/OAIC will take regulatory action proportionate to the seriousness of the breach and the level of harm. However, where the conduct involves invalid consent, misleading or deceptive conduct on the part of the entity, or the misuse or improper disclosure of CDR consumer data, the regulatory body is more likely to take enforcement action. This conduct is considered more serious because it is more likely to erode the integrity of the CDR and may reduce consumer confidence in the regime.
Where there has been a serious breach, the policy outlines six enforcement options. These are:
- administrative resolutions;
- infringement notices;
- court enforceable undertakings;
- suspension or revocation of accreditation;
- determination and declaration powers; and
- court proceedings.
Where possible, the regulator attempts to resolve breaches by orders or formal written undertakings, with the intention of stopping the unlawful conduct, deterring the offending conduct and encouraging the proper use of CDR data.
However, where this is ineffective, where the organisation does not constructively engage with the regulator, or where there is a serious interference with the privacy of individuals, the regulators will resort to their more coercive enforcement powers.