Australia’s Consumer Data Right – commonly known as the CDR – was introduced last year as an attempt to give consumers greater control over their personal data. The CDR was first introduced in July 2020 in the banking sector and is planned to be rolled out to the energy and telecommunication sectors.
The framework was introduced by the Australian Competition and Consumer Commission (ACCC) and is co-regulated by the ACCC and the Office of the Australian Information Commissioner (OAIC).
What are the benefits of the CDR?
The desired benefit of the CDR is that it creates a portable data system where data is shared via a secure online system with an accredited provider of the consumer’s choice. This makes consumer data more portable, streamlining the process so that it is quicker for accredited entities to access this information in a safe and secure way. The CDR also requires businesses to provide public access to information on specified products that they offer.
How does this work in the Banking industry and what is Open Banking?
The CDR has created a system of Open Banking – whereby consumers can grant accredited banks permission to access credit card and savings information as well as mortgage, personal loans and joint bank account data. This has the potential to create more competition in the marketplace and lower prices. For example, an individual applying for a mortgage can choose to share their banking data with a prospective bank, who may be able to give them a better offer.
Does the CDR impact Privacy?
Yes, as the most recent privacy framework, the CDR strengthens the protection of individuals’ personal information in Australia. Specifically, in relation to data sets, the CDR grants additional access rights to those contained in APP 12. It also enables individuals to give direct access to their data to third parties.
In relation to privacy, there are two notable aspects of the CDR: first, the requirement that the recipient must be ‘accredited’, and second, the stringent consumer consent requirements.
Consumers can only consent to their data being transferred to an ‘accredited data recipient’. An ‘accredited data recipient’ is an entity that has met the Consumer Data Right Rules and has been accredited by the ACCC. Under the Rules, entities must establish that they are able to manage CDR data appropriately, and this includes the ability to securely hold and process a consumer’s information.
The CDR is the current gold standard for consumer consent within Australia. The regime is an opt-in system that requires express consent from consumers for the collection and use of their data by the relevant entity. The consent must meet the requirements set out in the CDR rules, and it can only remain valid for a maximum period of twelve months. These requirements go beyond those set out in the Privacy Act, creating greater protection of individuals’ private information.
Risks of the CDR
As the CDR is still in its infancy, it is hard to comment on its shortcomings. However, any system set up to enable data portability carries an inherent risk that the data may end up in the wrong hands. To deal with these risks, and any breaches of the CDR framework, the ACCC and the OAIC have set up a compliance strategy and enforcement policy.
It remains to be seen whether the OAIC has sufficient resources to be able to deal with breaches of the CDR.
Broadly speaking, this regime offers strong and enforceable – albeit complicated – privacy protections. It is hoped that this increased protection of individuals’ personal information will flow into the upcoming Privacy Act amendments.