release of consumer data right privacy guidelines
Following the release of the Competition and Consumer (Consumer Data Right) Rules in early February 2020, privacy guidelines have now been published to help businesses understand their privacy obligations under the Consumer Data Right (CDR) regime.
what are a business’s privacy obligations under the CDR?
The CDR empowers consumers to require businesses holding their personal data to share it with third parties of the consumer’s choice. There are 13 Privacy Safeguards contained in the Competition and Consumer Act 2010, which outline the privacy rights and obligations for users of the CDR scheme.
These mandatory privacy safeguards are designed to ensure that information relating to consumers is used and disclosed by businesses in a safe manner. Notably, the safeguards address issues including transparency in data collection, anonymity, disclosing CDR data to accredited recipients, and correcting errors in CDR data.
Although the mandatory privacy safeguards are somewhat reflective of the Australian Privacy Principles (APPs) found in the Privacy Act 1988 (Cth), the safeguards are stricter and more robust with respect to protecting consumer data. Businesses with a current comprehensive privacy compliance program will have a better starting point for satisfying their heightened obligations under the CDR regime, although strengthened and more specific procedures will still be required.
how do the guidelines assist?
The privacy safeguard guidelines, released by the Office of the Australian Information Commissioner (OAIC), offer detailed guidance on how businesses can avoid acts or practices that might breach the privacy safeguards.
The guidelines further outline “good privacy practice” that can be adopted by small, medium and large businesses, and provide examples of how businesses can handle and protect consumers’ data in order to comply with their obligations under the CDR regime.
For example, CDR entities must handle CDR data in an open and transparent way by establishing accountable and auditable practices, procedures and systems that will assist with compliance with all the other privacy safeguards. This transparency interrelates with the APPs’ requirement to display a privacy policy. Businesses will need to consider how best to ensure consumers are made aware of a business’s CDR data handling process and, if required, how a consumer can make a complaint to the business.
Whilst the Australian Competition and Consumer Commission (ACCC) is the lead regulator for the CDR scheme, the OAIC is responsible for regulating and enforcing the privacy aspects of the regime. The guidelines address how the OAIC will interpret the 13 privacy safeguards, investigate possible breaches of the privacy safeguards and take enforcement action where necessary.
want to know more about the CDR regime?
If you are interested in learning more about the CDR regime, and how it will be implemented across different industry sectors in Australia, please read our previous articles on the topic and keep an eye out for our future insight articles as the CDR regime continues to develop.
- the new consumer data right set to give greater access to information
- consumer data right formally commences in the banking sector
If your business is uncertain about its privacy obligations under the CDR, a member of our Trade team will be more than happy to have a confidential, no-obligation discussion regarding your business and how the CDR regime may apply.
The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.