Risky business - remedies and enforcement powers for CDR breaches

By Valeska Bloch

In brief

As part of the new Consumer Data Right (CDR) framework, a new regime of offences, remedies and enforcement powers will be implemented. The Australian Competition and Consumer Commission (ACCC) will have primary oversight for the enforcement of the regime, though the OAIC will handle privacy complaints in relation to consumer data, and the existing individual rights of action in the Competition and Consumer Act 2010 (Cth) (CCA) will also apply. Businesses may be subject to penalties of up to $2.1 million per breach, and further offences (that may be subject to additional pecuniary penalties) may be included in the ACCC's sector-specific consumer data rules.

Key takeaways

  • The draft legislation proposes to establish a range of criminal and civil penalty offences for conduct in relation to CDR data and consumers, and breaches of the new Privacy Safeguards.
  • The ACCC will be able to specify additional offences in sector-specific consumer data rules, and will be responsible for enforcing compliance with the consumer data rules, as well as the data standards and accreditation criteria.
  • The OAIC will be responsible for compliance with the new Privacy Safeguards, including through conducting compliance assessments of applicable businesses and fielding complaints from consumers.
  • We understand that the Government's intention is that the OAIC will handle individual privacy-related complaints, while the ACCC will oversee 'strategic' responses to large-scale, systemic cases of non-compliance with the new regime.
  • The Treasury is still considering (and seeking recommendations on) several issues relating to remedies and enforcement, including the definition of non-economic loss for the purposes of individual claims, and appropriate caps for the civil penalty provisions.

New criminal offences

The draft legislation proposes to establish two new criminal offences:

  1. A very broad offence prohibiting conduct that misleads or deceives another person into believing that a person is a CDR consumer for CDR data, or that a person is making a valid request for CDR under the consumer data rules.
  2. An offence prohibiting a person from falsely holding out that they hold an accreditation under the consumer data rules or are an accredited data recipient.

Both offences may attract up to five years' imprisonment and there are equivalent civil penalty provisions with fines of up to $2.1 million for corporations.

Breaches of the Privacy Safeguards

The other civil penalty provisions in the new Part IVD of the CCA (which implements the CDR regime) relate to breaches of the new Privacy Safeguards. They will similarly attract fines of up to $2.1 million for a corporation, applied per breach. This is a significant departure from the penalty regime that applies to breaches of the Australian Privacy Principles (the APPs) under the Privacy Act 1988 (Cth), where penalties are only imposed for 'serious and repeated' breaches.

The OAIC will have the power to issue guidelines – as it does for the APPs – relating to compliance with the Privacy Safeguards, which will presumably provide more detail as to how penalties will be applied. But, as with almost all aspects of the draft legislation, a significant amount of discretion is left to statutory agencies to develop and enforce the regime.

Breaches of the rules and data standards

Under the draft legislation, the ACCC would be authorised to create additional civil penalty provisions for breaches of the consumer data rules, for which pecuniary penalties may apply (see below).

Where a CDR participant contravenes both the consumer data rules and the Privacy Safeguards, the person will only be liable for one pecuniary penalty.

In contrast, the legislation specifies that compliance with the data standards is deemed to be a contractual requirement as between data holders and accredited data recipients (although the ACCC, as well as an aggrieved person, will have the ability to apply to a court to enforce the data standards).

The legislation provides for the approval of external dispute resolution schemes, which we expect will play a role in resolving disputes between parties regarding the data standards. The Australian Financial Complaints Authority (AFCA) will play this role for the banking sector, and we understand that accredited data recipients may be required to become members of AFCA.

Extension of CCA penalty provisions

The draft legislation proposes to extend the application of the CCA's various penalty provisions to the new CDR regime.

The ACCC will be able to take a range of actions, including to:

  • seek the application of pecuniary penalties if a court is satisfied there has been a breach of the new Part IVD of the CCA (which covers the CDR);
  • apply to the court for an injunction where a person is undertaking, or proposing to undertake, conduct that would contravene Part IVD;
  • seek application of non-punitive or adverse publicity orders for a breach of the consumer data rules and/or Part IVD of the CCA; and
  • apply for the disqualification of individuals from managing corporations where they are personally involved in a breach of Part IVD or the consumer data rules.

A person will also have a cause of action under the CCA for breaches of Part IVD. This will allow both individuals (including by way of a class action) and businesses to recover for loss or damage, including non-economic loss, arising from a breach of the CDR regime. The Treasury is seeking recommendations on whether the CCA's existing definition of non-economic loss should be extended (for the purposes of claims under the CDR only) to the broader concept of non-economic loss under the Privacy Act, which includes injury to the person's feelings or humiliation suffered by the person.

The ACCC and OAIC will also have powers to obtain information, documents and evidence in relation to Part IVD and the consumer data rules, including where they suspect a breach has occurred. The OAIC will separately be able to undertake assessments in relation to compliance with the Privacy Safeguards.

Importantly, a failure to comply with the consumer data rules will not affect the underlying transactions to which that CDR data relates. The explanatory materials give the example of a bank that fails to give a consumer access to their CDR data in the specified form: this failure will not invalidate the underlying transactions between the consumer and the bank.