An overseas entity can be registered as a CDR representative under the CDR rules. CDR data may be disclosed to an overseas CDR representative where one of the exceptions to the prohibition on overseas disclosure under Privacy Safeguard 8 applies. An overseas CDR representative is bound by the same security and privacy obligations as CDR representatives based in Australia.
The CDR rules allow for overseas entities to be registered as CDR representatives. Where this occurs, the CDR principal must notify the Data Recipient Accreditor of the details of the CDR representative arrangement, including a unique business identifier where the CDR representative is based outside Australia (rule 5.14(4)(c)).
Privacy Safeguard 8 contains a general prohibition on the disclosure of CDR data to overseas recipients unless one of the following four exceptions is satisfied (section 56EK(1) of the Competition and Consumer Act):
- the overseas recipient is an accredited person
- the ADR takes reasonable steps to ensure the recipient will not contravene the Privacy Safeguards and the overseas recipient has a CDR policy in place in relation to the CDR data
- the ADR reasonably believes the overseas recipient is subject to a law equivalent to the Privacy Safeguards and there are mechanisms available to the consumer to enforce that protection, or
- the conditions specified in the consumer data rules are met.
In the case of overseas entity CDR representatives, the relevant exception is likely to be Exception 2 (the ADR takes reasonable steps to ensure the recipient will not contravene the Privacy Safeguards), although Exception 3 may also apply in certain circumstances. Exceptions 1 and 4 are unlikely to apply to an overseas CDR representative, as CDR representatives are not accredited and, at present, there are no consumer data rules in force relating to overseas entities.
The Office of the Australian Information Commissioner (OAIC) and the Australian Competition and Consumer Commission (ACCC) co-regulate the CDR. The OAIC publishes Privacy Safeguard Guidelines to help participants understand and apply the Privacy Safeguards. The Privacy Safeguard Guidelines suggest that, at a minimum, Exception 2 may be satisfied where the ADR has an enforceable contractual arrangement with the overseas recipient requiring it to handle the CDR data in accordance with the Privacy Safeguards and the CDR rules. However, the Guidelines also suggest that consideration be given to other factors, including the steps taken by the ADR to monitor compliance, the ADR’s relationship with the overseas recipient, the maturity of the overseas recipient’s processes and systems and its familiarity with CDR legislation, and the risks to the consumer if CDR data is mishandled, including the sensitivity of the data involved. The CDR representative must also have in place a CDR policy in relation to CDR data.
Accordingly, it is likely that a decision to disclose CDR data to an overseas CDR representative would need to take into account the individual circumstances of the CDR representative and the risks involved in the disclosure.
Exception 3 may apply where the ADR reasonably believes the overseas representative is bound by a consumer data protection law, or another law or industry code, with obligations comparable to the CDR regime. The Privacy Safeguard Guidelines suggest that a number of conditions must be met in order to satisfy Exception 3, including:
- the overseas scheme or law should regulate consumer data in a way that is comparable to the CDR regime
- the consumer should be notified about the collection of their data
- data should only be used for authorised purposes
- data quality and security standards should be enforced, and
- there should be a right to access and seek correction of consumer data.
It is also important that the overseas entity does not have the option to ‘opt out’ of the scheme, and that the consumer has access to an adequate mechanism for enforcement. Due to the complexity of Exception 3, ADRs that seek to rely on it to disclose data to an overseas CDR representative should review Chapter 8 of the OAIC Privacy Safeguard Guidelines: Overseas disclosure of CDR data by accredited data recipients. They should ensure there is clear information available to support their view that the relevant overseas law or scheme applies to the CDR representative, and that it is comparable and enforceable.
In relation to storage, overseas CDR representatives would need to comply with the existing privacy and security provisions, which include Privacy Safeguards 2, 4, 11, 12 and 13 and the steps set out in Schedule 2 of the CDR rules to maintain the security of CDR data.