Australia’s CDR, New Requirements, and Penalties

Australia’s Consumer Data Right or CDR for short is a comprehensive data protection law geared toward giving Australian citizens more control over the personal data and information that they share with business entities and associated third parties. Passed in July 2020, the CDR was designed as “an economy-wide reform that will be rolled out sector by sector” in 3 separate phases. Phase 1 was largely geared towards the Australian banking sector, while phases 2 and 3 are geared towards the energy and telecommunications sector. Ultimately, the CDR will apply to all Authorized Deposit-Taking Institutions or ADIs operating within the country.

What are the requirements of business entities under the CDR?

Business entities are required to meet several criteria under the conditions and terms of the CDR. Notably, the CDR is an opt-in service, meaning that Australian citizens maintain the right to choose whether or not to grant service providers consent in relation to the collection of their personal information or data. As such, service providers must adhere to the following requirements when obtaining consent from Australian citizens:

• Express exactly what information will be shared and how said information will be used.
• Detail who will have access to a consumer’s personal data.
• Describe how long said service provider will have access to the personal data of a consumer.
• Explain to consumers the process they can undergo to both manage and withdraw their consent.

To this end, there are two types of services providers under the provisions of the CDR. The first type of service providers are Accredited Data Recipients, or the “receivers” of personal data and information under the CDR. These service providers receive the personal data of Australian consumers after being granted consent. Business entities and organizations within Australia must apply to become Accredited Data Recipients, as well as demonstrate that they are able to comply with strict requirements regarding the receiving of personal data.

Alternatively, Data Holders are the second type of service provider under the CDR. As the name suggests, Data Holders are service providers who hold the personal data of consumers in their possession after it has been processed by an Accredited Data Recipient. To provide an example of this relationship, a third-party company might collect the personal data of an Australian consumer in the role of an Accredited Data Holder, while a bank may then collect and maintain this personal data in the role of a Data Holder.

The CDR mandates that Data Holders share a consumer’s data with an Accredited Data Recipient if said consumer directs them to do so. Conversely, some service providers have also been mandated to make their customer’s data available to Accredited Data Recipients upon request. This feature of the CDR was created to help spread the reach of the law to all industries and sectors within the country of Australia. When looking to comply with the CDR, Accredited Data Recipients and Data Holders are required to meet a separate list of requirements.

Under the CDR, Accredited Data Recipients are legally required to do the following:

• Define and Implement Security Governance– Under the CDR, Accredited Data Recipients are obliged to provide consumers with documentation relating to their information security and management processes, as well as a formal information security policy.
• Define the Boundaries of the Data Environment– Service providers are required to both define and document the specific boundaries of their data environment.
• Have and Maintain an Information Security Capability– Service providers must develop and maintain some level of information security capabilities that complies with the information security controls outlined in CDR’s rules.
• Implement a Formal Controls Assessment Program– Service providers are responsible for implementing a formal controls assessment program that gauges the effectiveness of a given Accredited Data Recipient’s information security capabilities.
• Manage and Report Security Incidents– Service providers are also required to both manage and report information security incidents, including specific data security response plans.

On the other end of the spectrum, Data Holders are required to adhere to the following requirements under the CDR:

• Promptly transfer an Australian consumer’s personal data in a machine-readable format after receiving a request via the secure CDR system.
• Release general product data to the public relating to the products that are offered, interest rates, charges, and applicable fees, among various other business-related features.
• Develop and maintain a consumer data rights policy that contains specific information concerning a service provider’s internal dispute process including where, when, and how a consumer can file a complaint, when a consumer can expect a response or acknowledgment of their complaint, what information a consumer needs to provide in a complaint, the specific process that Data Holders use to handle CDR complaints, how long the stages of this process will take, any options for redress, and options for both external and internal review.
  Create and maintain records of CDR data including consumer authorizations to disclose said data, withdrawals of authorizations to disclose a consumer’s data, notifications of a consumers withdrawals of consent to collect their data, disclosures of all data made in response to a given consumer’s data request, specific instances in which a consumer’s data has not been disclosed due to an exemption on a service providers obligation to disclose personal data, and CDR complaint data.
• Generate and submit reports to the Australian Competition and Consumer Commission or ACCC and the Office of the Australian Information Commissioner or OAIC. These reports must be submitted twice a year, be written and submitted in accordance with format guidelines outlined in the CDR, and include specific information detailing a summary of any CDR complaints a service provider received during the year, the number of general product data requests that were made, the number of consumer data requests made by consumers, the number of consumer data requests made by Accredited Data Recipients on the behalf of consumers during a given yearly reporting period, and the number of consumers data requests that a service provider refused during a given yearly reporting period.

What are the penalties for non-compliance under the CDR?

The CDC is both monitored and enforced by the ACCC and the OAIC. In contrast to many other comprehensive privacy laws around the world that punish business entities and organizations who are non-compliant through administrative fines or potential jail time, the CDR contains a variety of enforcement mechanisms. These mechanisms include:

• Administrative resolutions.
• Infringement notices.
• Court enforceable undertakings.
• Suspension or revocation of accreditation.
• Determinations and declarations of power.
• Court proceedings that include civil penalties, injunctions, and court orders that disqualify certain individuals from being the directors of corporations.

The CDR represents a huge step in protecting the personal data rights of Australian citizens. While many other countries that have passed data privacy laws in recent years have modeled these laws in part on the infrastructure and language of the EU’s General Data Protection Regulation or GDPR, Australia’s CDR has set out to create its own legal framework for the violation of privacy within the country. As such, Australian citizens can rest assured that their data is protected at all times when engaging in business transactions.