INSIGHT

Carrots and sticks: enforcement of the Consumer Data Right

By Phil O'Sullivan, Carolyn Oddie, Emily Cravigan, Sam Dutaillis
Topics: Consumer law, Cybersecurity & Privacy, Data, Fintech, Technology

In brief

The Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC) have published a joint Compliance and Enforcement Policy (the Policy) for the Consumer Data Right (CDR). The Policy outlines the approach the regulators have jointly adopted to encourage compliance and prevent breaches of the CDR regulatory framework. As expected, the regulators' focus is on building consumer confidence in the security and integrity of the CDR ecosystem, which is critical to a successful rollout across the economy. Importantly, the Policy calls out certain types of misconduct that are likely to result in enforcement action.

Key takeaways

  • CDR enforcement will be a joint affair between the ACCC and the OAIC acting in their respective capacities as competition and consumer watchdog, and privacy regulator. While the ACCC is responsible for monitoring general compliance with the regime, the OAIC will have oversight over the handling of consumer data by Data Holders and Accredited Data Recipients (ADRs).
  • The regulators will focus on misconduct that is likely to result in consumer harm or undermine the integrity of the CDR regime. The Policy clearly calls out the categories of misconduct that will always attract enforcement consideration.
  • The Policy outlines the range of enforcement options available to the regulators in responding to, and resolving breaches of, the CDR. This highlights the flexibility the regulators have built in when responding to compliance issues.
  • CDR participants should take particular care to ensure they are equipped to respond to data requests in a compliant manner, given that reporting to the regulators on data requests and consumer complaints is mandatory.

Who in your organisation needs to know about this?

Legal, risk and compliance, and senior management should be aware of the Policy, the types of conduct that will always attract enforcement consideration, and the possible enforcement avenues available to the regulators.

Recap – what's happening with the CDR?

The CDR is a key data portability reform that is intended to (eventually) be rolled out across the economy on a sector-by-sector basis. The CDR in the banking sector is well on its way, having formally commenced with the ACCC's release of the Consumer Data Rules earlier this year. Consumer data sharing obligations will commence for the Big 4 on 1 July 2020. Non-major banks will follow from 1 November 2020 or 1 February 2021, depending on accreditation status.

The energy sector is next. Earlier this month, Treasury released for consultation a draft Designation Instrument for the energy sector.

What conduct is likely to raise concerns?

In the current environment, regulators are keen to be active and visible in enforcement and compliance efforts. For the CDR, the regulators describe their approach as 'strategic' and 'risk-based'. The Policy is clear that the focus will be on driving high levels of compliance and addressing conduct that undermines the integrity of the regime. Another key element is preventing, or where necessary redressing, consumer harm. 'Proportionality' – the concept of enforcement action being proportionate to the harm or potential harm to consumers – is one of five key guiding principles (along with accountability, efficiency, fairness and transparency). This consumer focus is consistent with previous communications from both the Treasury and the ACCC, which have stressed that consumer confidence in the CDR is critical to the successful rollout of the regime across the wider economy.

Importantly, the Policy clearly calls out that certain types of misconduct will always attract enforcement consideration. These focus areas are as follows.

  • Data Holder refusal. Data Holders that repeatedly frustrate the process of consumer data disclosure by failing to comply with consumer requests. This is not surprising for a regime that by design is focused on being consumer-directed.
  • Misleading or deceptive conduct. For example, where a person falsely holds out that they are accredited to receive consumer data.
  • Invalid Consent. The collection of consumer data by an ADR without valid consent.
  • Misuse or improper disclosure of consumer data. Intentional misuse or improper disclosure of consumer data by an ADR, which is inconsistent with the consent provided by the consumer. This would include conduct that deliberately seeks to circumvent the 'data minimisation' principle (the principle that an ADR must not seek to collect data beyond what is needed to provide the goods or services the consumer has consented to).
  • Insufficient security controls. Data Holders or Accredited Persons who have insufficient controls and processes in place to protect consumer data from misuse, interference and loss, and unauthorised access, modification or disclosure.

What are the enforcement options?

The Policy outlines the enforcement options available to the ACCC and OAIC in responding to breaches of the CDR (ranging from administrative resolutions through to more formal enforcement actions) and indicates that the regulators will select the most appropriate tools depending on the circumstances. These enforcement options are listed below.

  • Administrative resolutions. For example, accepting a voluntary written commitment to address a non-compliance issue, or recommending improvements to the internal practices or procedures of a CDR participant.
  • Infringement notices. Issuing a Data Holder or an ADR with an infringement notice in the event of a breach.
  • Enforceable undertakings. Accepting a formal written commitment (an undertaking) from a CDR participant that it will take, or refrain from, certain action. These undertakings are binding on the CDR participant and may be enforced by the courts in the event of further breach of its terms.
  • Suspension or revocation of accreditation. In some circumstances, an Accredited Person may have their accreditation status suspended or revoked.
  • Determination and declarations power. Following an investigation into suspected conduct, the regulators may make a determination that either dismisses or substantiates the alleged breach.

The Policy also explains the factors the regulators will take into account when deciding on appropriate enforcement action. Importantly, the Policy suggests that more serious action will be taken where the misconduct is indicative of systemic compliance issues, or has been overseen by senior management. It also suggests that a demonstrated culture of compliance will be looked upon favourably. This emphasises the importance of organisations embedding sound compliance systems and strategies now, and proactively managing them thereafter, a process that should be driven by senior management. It is essential to avoid a 'set and forget' mentality in this space.

How will compliance be monitored?

In the Policy, the regulators step through the tools they will use to assess compliance and proactively identify potential breaches. These are listed below.

  • Stakeholder intelligence and complaints. Receiving information from stakeholders, including approved external dispute resolution bodies such as the Australian Financial Complaints Authority.
  • Audits and assessments. Undertaking audits and assessments of Data Holders and ADRs. This is similar to the OAIC's existing powers to conduct privacy assessments of organisations that are regulated by the Privacy Act 1988 (Cth).
  • Information requests and compulsory notices. Issuing Data Holders and ADRs with information requests. Statutory information gathering powers under the Competition and Consumer Act 2010 (Cth) may also be used to compel the provision of information or documents.
  • Business reporting. Receiving mandatory reports from Data Holders and ADRs in January and July of each year for the previous six-month period.

To provide context to the last point (Business reporting), the key metrics that Data Holders and ADRs are required to report against are as follows:

  • Data Holders. The number of requests for both product data and consumer data received during the reporting period, and the number of times requests have been refused.
  • ADRs. Information about goods or services being offered to consumers using consumer data, and the number of requests made for such data, during the reporting period.
  • Both Data Holders and ADRs. Information about any complaints received in the reporting period.

We expect that this mandatory reporting will be a key means for the regulators to identify potential compliance issues. Given that such mandatory reports require disclosure of complaints made and data requests received (including where such requests have been refused), it will be crucial for Data Holders and ADRs to ensure they have adequate compliance systems in place and, in particular, that they are equipped to respond to data requests in a compliant manner.

'Jointly conducted' enforcement

The Policy confirms that monitoring and enforcement will be 'jointly conducted' by the ACCC and the OAIC. However, it remains to be seen how the pair will deal with questions of overlapping jurisdiction under the regime. This is particularly relevant given that conduct which one would expect to attract a regulatory response is unlikely to fall squarely within the jurisdiction of just one of the regulators.

The ACCC has demonstrated a willingness to be an active regulator in all areas where it has been given powers and this is likely to continue with the CDR. In the Policy, we see the OAIC using stronger language than it has historically used, which is consistent with the OAIC's recently increased focus on more active enforcement. For example, the Policy refers to penalising offenders and pursuing court action to test or clarify the law. It will be interesting to observe how the regulators come together under the CDR and pursue a consistent approach to enforcement within a regime that is intended to (eventually) span the entire economy.

Actions you can take now

  • CDR participants should carefully assess their ability to comply with the CDR regime as we approach this next phase of the CDR. Although the regulators recognise there may be a 'period of transition', they are unlikely to adopt a tolerant approach to non-compliance in the new regime. Some key steps to take are below:
    • CDR participants should take particular care to ensure they are equipped to respond to data requests in a compliant manner, given that they must report to the regulators on the data requests they receive, as well as any consumer complaints.
    • Given that the Policy suggests that more serious action will be taken where the misconduct is indicative of systemic compliance issues, or has been overseen by senior management, organisations should ensure that sound compliance systems are being embedded now, and that this process is being supported and driven by senior management.
    • CDR participants should review the list of misconduct that will, according to the Policy, always attract enforcement consideration, and consider how their compliance systems can be structured to prevent misconduct occurring.
  • Businesses within the financial sector (eg fintechs, superannuation funds and brokers) should start to consider whether to become accredited to receive consumer data. While becoming accredited is not an insignificant step, the vast amount of consumer data that will soon be made available by the banks presents a unique opportunity to innovate, develop and grow.