Court proceedings, accreditation revocation and infringement notices could be on the cards for organisations that don’t comply with the federal government’s Consumer Data Right (CDR) regulatory regime, according to a new enforcement policy.
The Australian and Competition Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC) have jointly released the new Compliance and Enforcement Policy (PDF) for the Consumer Data Right.
The Consumer Data Right regime, introduced in late 2017, is designed to give consumers greater access to and control over their data, a factor the government hopes will lead not only to better prices for customers, but also more innovative products and services.
The government initially determined that the CDR will first apply to the banking sector, followed by the energy sector, with the telecommunications sector expected to follow.
Broadly, the new policy outlines the approach that the ACCC and the OAIC have adopted to encourage compliance with, and address breaches of, the Consumer Data Right regulatory framework.
The ACCC and OAIC say they have adopted a strategic risk-based approach to compliance and enforcement, which focuses on building consumer confidence in the security and integrity of the Consumer Data Right system.
“Ultimately, prevention of a breach of the CDR regulatory obligations through our compliance activities is preferable to taking action after the breach has occurred,” the policy document stated. “However, when we consider a breach has occurred, we will take regulatory action proportionate to the seriousness of the breach and the level of harm or potential harm.
“We use a risk-based approach to monitoring and assessing compliance matters and taking enforcement action. We cannot pursue all matters that come to our attention. Our role is to focus on those circumstances that will, or have the potential to, cause significant harm to the CDR regime or result in widespread consumer detriment.
“We prioritise and focus on matters that provide the greatest overall benefit to consumers. In deciding whether to take enforcement action, we will consider each case on its merits and the relevant circumstances,” it said.
According to the ACCC, there are a range of enforcement options available for the government to respond to and resolve breaches of the CDR legislation, including administrative resolutions, infringement notices and court-enforceable undertakings.
Additional measures include the suspension or revocation of accreditation by the ACCC, determination and declarations — using the OAIC’s power to make a determination following an investigation — and court proceedings, which may result in penalties, injunctions and other orders.
For ACCC commissioner Sarah Court, the CDR is an important reform that comes with “significant and serious safeguards”.
“It is the responsibility of each Consumer Data Right participant to be fully aware of their regulatory obligations or face scrutiny by the ACCC and the OAIC,” Court said. “Today’s release of the Compliance and Enforcement Policy helps clarify these obligations as people prepare to participate in the Consumer Data Right from July 2020.”