Australia’s CDR, New Requirements, and Penalties

Australia’s Consumer Data Right, or CDR for short, is a data-sharing and data-protection regime that gives Australian consumers more control over the personal data and information that businesses hold about them and over who it is shared with. The CDR commenced in the banking sector in July 2020 and was designed as “an economy-wide reform that will be rolled out sector by sector” in three separate phases. Phase 1 covered the Australian banking sector, while phases 2 and 3 extend the regime to the energy and telecommunications sectors. Within banking, the CDR obligations ultimately apply to all Authorised Deposit-Taking Institutions, or ADIs, operating within the country.

What are the requirements of business entities under the CDR?

Business entities are required to meet several criteria under the terms of the CDR. Notably, the CDR is an opt-in scheme: Australian consumers retain the right to choose whether or not to grant service providers consent to collect their personal data, and may withdraw that consent later. As such, service providers must adhere to the following requirements when obtaining consent from Australian consumers:

To this end, there are two types of service providers under the provisions of the CDR. The first type is the Accredited Data Recipient, the “receiver” of personal data under the CDR. These service providers receive a consumer’s data only after the consumer has granted consent. Business entities and organizations must apply to the ACCC to become Accredited Data Recipients and must demonstrate that they can comply with strict requirements, including information security requirements, governing how the received data is handled.

Data Holders are the second type of service provider under the CDR. As the name suggests, Data Holders are the service providers that already hold a consumer’s data in the ordinary course of business and that must share it with an Accredited Data Recipient when the consumer directs them to. To provide an example of this relationship, a bank holding a consumer’s account and transaction data acts as the Data Holder, while a third-party company such as a budgeting or loan-comparison service receives that data, with the consumer’s consent, in the role of an Accredited Data Recipient.

The CDR mandates that Data Holders share a consumer’s data with an Accredited Data Recipient if the consumer directs them to do so. As each sector is designated, the service providers in that sector are likewise required to make their customers’ data available to Accredited Data Recipients on request. This sector-by-sector designation is how the law’s reach is extended across industries within Australia. When looking to comply with the CDR, Accredited Data Recipients and Data Holders each have their own separate list of requirements to meet.

Under the CDR, Accredited Data Recipients are legally required to do the following:

On the other end of the spectrum, Data Holders are required to adhere to the following requirements under the CDR:

What are the penalties for non-compliance under the CDR?

The CDR is both monitored and enforced by the ACCC and the OAIC. In contrast to many other comprehensive privacy laws around the world, which punish non-compliant business entities and organizations primarily through administrative fines or potential jail time, the CDR provides a variety of enforcement mechanisms. These mechanisms include:

The CDR represents a significant step in protecting the data rights of Australian consumers. While many other countries that have passed data privacy laws in recent years have modeled them in part on the structure and language of the EU’s General Data Protection Regulation, or GDPR, Australia’s CDR sets out its own legal framework for consumer-directed data sharing and for the handling of privacy violations within the country. As a result, Australian consumers in the designated sectors can have greater confidence that their data is shared only with their consent and protected by accredited recipients.