The Consumer Data Right regime and Open Banking commenced in Australia in August 2019.

The Consumer Data Right regime is intended to, among other things, give consumers greater choice and control over how data about them held by businesses and service providers in various sectors is used and disclosed.  This, in turn, allows consumers to more easily compare and switch between products and services.  Banking is the first sector in Australia to be impacted by the Consumer Data Right.  The energy and telecommunications sectors are expected to follow next.

Some brief background - in August 2019, the Competition and Consumer Act 2010 (Cth) was amended to introduce a new Part IVD relating to the Consumer Data Right regime.  This introduced some new concepts such as CDR Data, CDR Consumer as well as various privacy safeguards that set out certain standards, rights and obligations in relation to collecting, using, disclosing and correcting CDR Data when there are one or more consumers.  Under the Consumer Data Right regime, consumers can be either entities or individuals and therefore, the privacy safeguards apply to a wider set of persons (and data) within the relevant sector, and they are generally stricter, than the Australian Privacy Principles.  Further background to the introduction of the Consumer Data Right regime can be read in our previous article - https://www.sierralegal.com.au/news/2019/9/3/consumer-data-right-update

Recent updates - in the latest instalment of CDR-related releases this year, the Office of the Australian Information Commissioner (OAIC) released for consultation earlier this month, draft Privacy Safeguard Guidelines for the Consumer Data Right regime (CDR Privacy Safeguard Guidelines).  The CDR Privacy Safeguard Guidelines will guide entities covered by the CDR regime on how to avoid acts or practices that may breach the privacy safeguards.

The privacy safeguards and the CDR Privacy Safeguard Guidelines will apply to entities who are authorised or required to collect, use or disclose CDR Data for which there is at least 1 consumer.  However, for some of these entities, there may be a requirement to comply with both the privacy safeguards and the Australian Privacy Principles.

For other entities that are not caught by the CDR regime but are already covered by the Australian Privacy Principles, those principles will continue to apply (i.e. the privacy safeguards and CDR Privacy Safeguard Guidelines only impact upon entities that will be authorised or required to collect, use or disclose data under the CDR regime).

There are 13 privacy safeguards and the draft CDR Privacy Safeguard Guidelines include a summary of how each privacy safeguard interacts with the Australian Privacy Principles.

The OAIC is currently consulting on the draft CDR Privacy Safeguard Guidelines and is taking written submissions on these guidelines until 20 November 2019.  The final CDR Privacy Safeguard Guidelines are expected to be published on 16 December 2019.

You can access further information on the draft CDR Privacy Safeguard Guidelines through this link: https://www.oaic.gov.au/updates/news-and-media/oaic-commences-consultation-on-draft-cdr-privacy-safeguard-guidelines/

For more information on the Consumer Data Right regime, please contact:

Samantha Khoo, Senior Associate, on M: +61 (0)422 190 433 or E: skhoo@sierralegal.com.au

Mike Jeffery, Director, on M: +61 (0)402 745 054 or E: mjeffery@sierralegal.com.au