Australia’s competition and privacy regulators today released their compliance and enforcement policy for the upcoming Consumer Data Right, opting for a “strategic risk-based” approach that will be updated regularly.
In a joint announcement, the ACCC and the Office of the Australian Information Commissioner revealed they will have the right to audit and assess participants in Australia’s data portability scheme, set to begin in July with banking.
But the regulators acknowledge they will not be able to pursue all compliance matters and will focus on matters “that will, or have potential to, cause significant harm”.
Those falling foul of the regulator face administrative resolutions, enforceable undertakings, suspension or revocation of accreditation in the CDR regime, determinations and declarations for breaches of privacy, and court proceedings.
The regulators will use a variety of compliance monitoring tools including complaints, business reporting, audits and assessments of CDR participants, and finally information requests and compulsory notices.
According to the compliance document, regulators “will take regulatory action proportionate to the seriousness of the breach and the level of harm or potential harm” but would prefer to avoid CDR regulatory breaches through compliance activities.
“We use a risk-based approach to monitoring and assessing compliance matters and taking enforcement action,” the document states.
“We cannot pursue all matters that come to our attention. Our role is to focus on those circumstances that will, or have the potential to, cause significant harm to the CDR regime or result in widespread consumer detriment. We prioritise and focus on matters that provide the greatest overall benefit to consumers. In deciding whether to take enforcement action, we will consider each case on its merits and the relevant circumstances.”
The regulators will prioritise action against parties which refuse to share data as required under CDR rules, engage in misleading or deceptive conduct, collect data without valid consent, misuse or improperly disclose consumer data, or have insufficient security controls.
“The Consumer Data Right is an important reform that will give consumers greater access to and control over their data,” ACCC Commissioner Sarah Court said today.
“With this important reform come significant and serious safeguards. It is the responsibility of each Consumer Data Right participant to be fully aware of their regulatory obligations or face scrutiny by the ACCC and the OAIC,” she adds.
Australian Information and Privacy Commissioner Angelene Falk said her office will work in partnership with ACCC to enforce compliance, including CDR privacy safeguards.
“A strong regulatory framework is in place to protect privacy and build public confidence in the Consumer Data Right, and the Compliance and Enforcement Policy released today provides increased certainty about how we will uphold these consumer protections,” Falk said.
“Economic reforms like the Consumer Data Right which build consumer confidence in the use of their personal information and encourage innovation will be critical to our recovery after the COVID-19 outbreak.”