Skip to main content

Please be advised that our office will be closed from 5pm – Tuesday, 24 December, and will reopen on Thursday, 2 January 2025.

8 May 2020

The Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC) today jointly released the Compliance and Enforcement Policy for the Consumer Data Right.

The Policy outlines the approach that the ACCC and the OAIC have adopted to encourage compliance with, and address breaches of, the Consumer Data Right regulatory framework. The Policy has been developed following consultation with current and future data holders and recipients.

“The Consumer Data Right is an important reform that will give consumers greater access to and control over their data,” ACCC Commissioner Sarah Court said.

“With this important reform come significant and serious safeguards.”

“It is the responsibility of each Consumer Data Right participant to be fully aware of their regulatory obligations or face scrutiny by the ACCC and the OAIC,” Ms Court said.

“Today’s release of the Compliance and Enforcement Policy helps clarify these obligations as people prepare to participate in the Consumer Data Right from July 2020.”

The ACCC and OAIC have adopted a strategic risk-based approach to compliance and enforcement, which focuses on building consumer confidence in the security and integrity of the Consumer Data Right system.

“My office and the ACCC will work in partnership to monitor and actively enforce participants’ compliance with their regulatory obligations, including the privacy safeguards,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“A strong regulatory framework is in place to protect privacy and build public confidence in the Consumer Data Right, and the Compliance and Enforcement Policy released today provides increased certainty about how we will uphold these consumer protections.

“Economic reforms like the Consumer Data Right which build consumer confidence in the use of their personal information and encourage innovation will be critical to our recovery after the COVID-19 outbreak,” Commissioner Falk said.

The ACCC and OAIC will regularly review the Compliance and Enforcement Policy so that it continues to reflect best practice regulation and evolves with the Consumer Data Right regime.

A copy of the Compliance and Enforcement Policy is available here.

This media release was jointly issued with the Australian Competition and Consumer Commission.

Background

Principles

The ACCC and OAIC will adopt a strategic risk-based approach to compliance and enforcement which recognises the joint regulatory model and a requirement to deal with breaches of the legislation efficiently and effectively. Both agencies will act with integrity, professionalism and in the public interest, guided by the principles of accountability, efficiency, fairness, proportionality and transparency.

Compliance monitoring tools

The ACCC and OAIC will use a wide range of information sources and monitoring tools to assess compliance and identify potential breaches of the Consumer Data Right legislation (including Privacy Safeguards, Consumer Data Right Rules and Data Standards). These sources and tools will include:

  • stakeholder intelligence and complaints
  • business reporting, which will include summaries of Consumer Data Right complaint data
  • audits and assessments
  • information requests and compulsory notices.

Enforcement options

There are a range of enforcement options available to respond to and resolve breaches of the Consumer Data Right legislation (including the Privacy Safeguards, Consumer Data Right Rules and Data Standards). These include:

  • administrative resolutions, whereby a business provides a voluntary written commitment to address a non-compliance issue
  • infringement notices and court-enforceable undertakings
  • suspension or revocation of accreditation by the ACCC (as the accreditor)
  • determination and declarations, using the OAIC’s power to make a determination following an investigation, to either dismiss or substantiate a breach of a Privacy Safeguard or Rule relating to the privacy or confidentiality of Consumer Data Right data
  • court proceedings (which may result in penalties, injunctions and other orders).