Australia: OAIC and ACCC outline their enforcement approach for the Consumer Data Right
On 8 May 2020, the Office of the Australian Information Commissioner ('OAIC') and the Australian Competition and Consumer Commission ('ACCC') jointly published their Compliance and Enforcement Policy ('the Policy') for the Consumer Data Right ('CDR'). The Policy explains how the OAIC and ACCC will encourage compliance and respond to breaches. Enforcement will be very consumer-focussed to engender trust in the new regime. With the CDR soon to apply to banks with roll-out to retail, energy, telecommunications, and other sectors to follow, current and future CDR participants, and their outsourced service providers, should be well advanced in preparing their systems, processes, and staff so as to ensure full compliance with the CDR. Alec Christie and James Wong, from Mills Oakley, discuss the Policy, what sectors may be affected by the enforcement approach taken towards the CDR, and how companies can prepare for this.
Who is the Policy relevant to?
The Policy is relevant to the following (together, 'CDR Participants'):
- data holders and their service providers, which are subject to certain obligations to give effect to the CDR. The first data holders under the CDR regime will be the big banks; and
- data recipients and their service providers, which need to be accredited by the ACCC before they may receive consumer data from the data holders with the consent of consumers, and they are also subject to various CDR requirements.
The legal, risk, privacy, and compliance functions of (current and future) CDR Participants should take heed of the Policy.
A recap on the CDR and its Framework
The CDR is intended to promote consumer choice and convenience by giving consumers greater control over their data and its portability, and comprises (collectively, 'the Framework'):
- amendments to the Competition and Consumer Act 2010, the Privacy Act 1988 (No. 119, 1988) (as amended) ('the Privacy Act'), and the Australian Information Commissioner Act 2010 ('the Legislation'), including the addition of the 13 Privacy Safeguards;
- rules made under the Legislation ('the Rules'); and
- consumer data standards made under the Rules.
The Framework is co-regulated by the OAIC and the ACCC (together, 'the Regulators'). The Commonwealth Scientific and Industrial Research Organisation's Data61¹ is charged with developing technical standards to support the operation of the Framework and the CDR regime.
The application of the CDR will increase over time, starting with the major banks on 1 July 2020, with other banks and financial services organisations (e.g. superannuation and insurance), the retail energy, and telecommunications sectors to follow.
How will the Regulators enforce CDR?
In the Policy, the Regulators state that they will prioritise and focus on pursuing enforcement so as to provide the 'greatest overall benefit to consumers.' This prioritisation will, in practice, consider factors such as:
- the nature and extent of the conduct, including the period during which the conduct occurred and the number of related breaches;
- whether the conduct was deliberate, repeated, reckless, or inadvertent;
- the actions of the business in relation to the conduct (e.g. whether the conduct was self-reported, the timing of the self-report, and any rectification and/or remediation); and
- whether the business demonstrates a corporate 'culture' of compliance.
Of particular note, the Policy sets out forms of conduct that will always be grounds for the serious consideration of enforcement action by the Regulators, referred to as 'priority conduct':
- refusal by a data holder to share consumer data: where a consumer validly requests and a data holder repeatedly refuses to disclose, or frustrates the process of disclosure of, consumer data (and refusal is not permitted under the Framework);
- misleading or deceptive conduct: for example, 'holding out' that you are accredited as a data recipient when you are not, and making false or misleading representations about the nature/benefits of a CDR service;
- invalid consent: where a data recipient collects consumer data without valid consent from the consumer (i.e. as and in the form required under the Framework);
- misuse or improper disclosure of consumer data: intentional misuse or improper disclosure of consumer data by a data recipient (e.g. where the consumer has withdrawn their consent); and
- insufficient security controls: failure to implement and maintain sufficient controls to protect consumer data.
Enforcement tools the Regulators may use include:
- administrative resolution: the Regulators may recommend improvement to internal practices and procedures and/or accept a voluntary written commitment to address areas of non-compliance. Compliance with voluntary commitments may be monitored;
- infringement notice: the ACCC may issue CDR Participants with an infringement notice where it believes that a breach has occurred;
- court enforceable undertaking: the Regulators may accept a formal written commitment from a CDR Participant to undertake or refrain from certain conduct (e.g. carry out an internal audit). Failure to comply with an enforceable undertaking may see the Regulators seek court orders against the CDR Participant. This has proved a popular tool with the OAIC under the Privacy Act;
- suspension or revocation of accreditation: the ACCC may suspend or revoke accreditation of a data recipient if they consider this is necessary to protect consumers. As a result, the data recipient will no longer lawfully be able to receive CDR data;
- determination and declaration: the OAIC may investigate, then make a determination to either dismiss or substantiate a breach of a Privacy Safeguard or privacy/confidentiality Rule. Determinations can include declarations or orders for the compensation of affected consumers; and
- court proceedings: the Regulators may initiate legal action for a breach of the Framework. The court may then make a range of orders, including civil penalties (for corporations, up to the greater of AUD 10 million (approx. €6 million), three times the value of any benefit obtained, and 10% of domestic annual turnover), injunctions, and the disqualification of individuals from being directors of corporations.
It remains to be seen how the Regulators will share and divide enforcement duties in practice. However, it is envisaged that the OAIC will be primarily responsible for providing remedies to aggrieved individuals and businesses with respect to the Privacy Safeguards, while the ACCC will focus on strategic enforcement (e.g. repeated or serious breaches). In the Policy, the Regulators have stressed their consumer-centric approach to enforcement (see below for the implications of this).
How will the Regulators foster compliance?
The Regulators have stated they will focus on preventing and addressing harm to consumers, using a 'risk-based approach' to monitor and assess compliance matters, and focus on circumstances that have the potential to cause significant harm or result in widespread consumer detriment.
For the purposes of the Framework, the concept of a consumer is broad and includes small and medium-sized enterprises.
Compliance monitoring tools the Regulators can use include:
- stakeholder intelligence and complaints: the Regulators will receive information (e.g. by complaints) from CDR consumers, businesses, consumer groups, government agencies, and intelligence/reports from certain external dispute resolution bodies, such as the Australian Financial Complaints Authority;
- business reporting: data holders and data recipients must submit reports every six months to the Regulators setting out information about their compliance with the Framework, including a summary of all complaints they receive. This information will help the Regulators track compliance and quickly address emerging issues and trends;
- audits and assessments: the Regulators may undertake audits and assessments of CDR Participants to ensure compliance with the Framework requirements. Where compliance gaps are identified (e.g. inadequate security controls or ineffective consents), the Regulators will seek to have the CDR Participants resolve them (likely with a follow-up confirmation audit); and
- information requests and compulsory notices: when the Regulators believe that a CDR Participant's conduct may be in breach of the Legislation, they may issue information requests to CDR Participants and may compel the provision of information, documents, or evidence using their information gathering powers under the Framework.
What the Regulators are trying to achieve
The Regulators see consumer trust as central to the successful roll-out of the CDR, with their stated overarching objective of 'ensuring that consumers can trust the security and integrity of the [Framework].' The Regulators want to instil confidence in the mechanics of the Framework, including the ongoing monitoring and enforcing of the compliance of all CDR Participants with the Framework.
In their enforcement role, the Regulators will be guided by the core principles of accountability, efficiency, fairness, proportionality, and transparency. In our view, periodic and pragmatic communications and targeted (i.e. 'biggest bang for their buck') enforcement actions from the Regulators will underpin the effectiveness of the Framework and ensure CDR Participants comply with it.
What do I need to do now?
All potential CDR Participants in the banking sector should have finalised their preparations by now for the 1 July 2020 start. Banks (as data holders) should have implemented processes, technical controls, staff training, manuals/documentation, and customer support frequently asked questions to support their compliance with open banking under the Framework.
Future CDR Participants in other parts of the financial services sector and in the retail, energy, and telecommunications sectors should have started their preparations. If not, conduct a preparedness review (which could be undertaken as part of your existing internal audit program) to identify those aspects of compliance that are the most likely problem areas for your organisation (with an eye on the 'priority conduct' specified by the Regulators).
Assuming (as we do) that the wording used in the Policy was carefully considered, the opening sentence of the Policy confirms what many of us have been thinking, that CDR will not be limited to the banking, retail, energy, and telecommunications sectors:
'[CDR] is a […] reform that will be rolled out economy-wide, sector-by-sector, starting with banking.'
Based on this, we expect that the CDR will be rolled out to the remainder of the consumer-focussed economy over the next 12 to 48 months. Those outside of the initial sectors (banking, retail, energy, and telecommunications) should consider the issues raised by the Framework, institute necessary controls ahead of time (especially for any new IT projects/procurements) and, if possible, contribute to upcoming industry consultations around the development of Rules for your sector.
The fervent focus on and championing of the consumer and his/her interests may, at first glance, not seem out of place in something titled the CDR. However, we feel the rhetoric is actually a two-part warning or flagging of the intentions of the Regulators as follows:
- for those not used to dealing with the ACCC, it flags that the ACCC will bring its aggressive approach to enforcement under its other areas of responsibility (e.g. consumer law) into CDR enforcement; and
- for those used to dealing with the OAIC, it flags a more aggressive approach by the OAIC to enforcing the CDR (to keep in step with the ACCC), much more aggressive than we have seen to date from the OAIC in relation to privacy.
We expect that the OAIC's more aggressive approach to enforcing the CDR will ultimately be reflected in its approach to enforcing the Privacy Act too.
Where can I get more detail?
The Legislation and the Regulators make it clear that it is the responsibility of each CDR Participant to be fully aware of its obligations under the Framework. Ignorance will be no excuse. For more information, you may wish to review:
- the CDR legislation²;
- the Consumer Data Standards³; and/or
- the OAIC's Privacy Safeguard Guidelines⁴.
Also keep in mind that your obligations under the Privacy Act with respect to 'personal information' and, for entities regulated by the Australian Prudential Regulation Authority ('APRA'), the APRA information security requirements continue to apply in addition to/on top of all applicable CDR requirements.
1. See: https://consumerdatastandards.gov.au/
2. See: https://www.legislation.gov.au/Latest/C2019A00063
3. See: https://consumerdatastandards.gov.au/
4. See: https://www.oaic.gov.au/consumer-data-right/cdr-privacy-safeguard-guidelines/