Data holders are required to meet technical requirements as part of participation in the CDR. This includes designing their technology solutions to incorporate the consumer authorisation process. The consumer authorisation process allows a data holder to disclose CDR data to an accredited data recipient (ADR) in response to a valid consumer data request, after a consumer has provided consent to the ADR and the identity of the consumer has been appropriately authenticated by the data holder. The authorisation process must comply with the CDR Rules and Standards.
Data holders may decide to make changes to their CDR systems (for example, by migrating from one technology solution to another) while a consumer's consent is still in force. This article highlights the need for data holders to give careful consideration to the impact of any such change on consents and authorisations. It sets out the ACCC's expectation that data holders will take steps to ensure continuity of ongoing consents and authorisations when there is a change to a CDR technology solution.
CDR Rules and Standards
The Competition and Consumer Act 2010 (Cth), and the CDR Rules and Standards impose a variety of obligations on data holders in relation to authorisations for CDR data. For example, rules 4.14 and 4.26 of the CDR Rules set out when consents and authorisations expire. Any data holder that disrupts or causes a break in consents and authorisations outside the circumstances provided for in the CDR Rules may be in breach of its obligations. A data holder may also be in breach of rule 4.6(4) (a civil penalty provision) if it does not disclose data in accordance with a consumer’s authorisation.
In addition, the Consumer Data Standards provide that certain identifier attributes must remain static across a data holder's interactions with a data recipient. These identifiers include the CDR arrangement identifier (static across consents within the one sharing arrangement), account, transaction and other data identifiers (ID Permanence across sessions and consents) and the end user subject identifier (Pairwise Pseudonymous Identifier). Data recipients key the data they hold on these values, so a change to any of them (for example, a new platform issuing a different subject identifier for the same consumer and recipient) will break existing data sharing arrangements even if the consent records themselves survive the change.
The ACCC expects data holders to avoid disrupting or breaking consents and authorisations outside the circumstances contemplated by the CDR Rules. Doing so can disrupt the services provided by data recipients, and disadvantage consumers who access and rely on those services.
When progressing any change to a CDR solution, data holders must consider the potential impact of that change on every component involved in the consumer data sharing experience, since a change to any one of them (identity, consent, registration or data identifiers) can disrupt that experience.
The ACCC expects that system changes will be managed in a way that minimises disruption to existing data sharing arrangements. For example:
- existing consents and authorisations are expected to be maintained
- existing client registrations are expected to be maintained and to continue to use the existing client_ids
- critical identifiers are expected to be maintained to support ID permanence obligations including arrangement_id, Pairwise Pseudonymous Identifier (PPID), account and transaction identifiers
- historical information on the consumer dashboard is expected to remain available.
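The identifier obligations described above (the arrangement identifier, ID Permanence for account and transaction identifiers, and the Pairwise Pseudonymous Identifier) are the attributes a migration most often breaks by accident, typically when a new platform re-derives subject identifiers with its own salt or re-keys accounts. The following Python script is an added example, not part of the ACCC's guidance or any data holder's code; it shows the kind of pre-cutover continuity check a data holder could run over a pre-migration export of active arrangements and the post-migration state. The record layout, the sample data and the PPID derivation (the example algorithm from OpenID Connect Core section 8.1) are constructed assumptions for illustration, not the CDR Standards' formats.

```python
"""Continuity check for a CDR data holder migration (added example).

Compares a pre-migration export of arrangements with the post-migration
state and reports every active arrangement whose client_id, PPID, account
identifiers or expiry the new platform failed to carry over. Record
layout, PPID derivation and sample data are constructed assumptions.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Arrangement:
    arrangement_id: str
    client_id: str          # the ADR's registered client_id
    ppid: str               # pairwise pseudonymous subject identifier (sub)
    account_ids: frozenset  # account identifiers the consumer authorised
    expires_at: int         # unix time the authorisation expires
    revoked: bool = False


def derive_ppid(sector_identifier: str, local_user_id: str, salt: str) -> str:
    """Pairwise subject identifier using the example algorithm from OpenID
    Connect Core 8.1 (SHA-256 over sector identifier, local id and a secret
    salt). A data holder's real derivation may differ; the point is that a
    different salt or algorithm yields a different sub for the same user."""
    material = f"{sector_identifier}|{local_user_id}|{salt}".encode()
    return hashlib.sha256(material).hexdigest()


def check_continuity(before: dict, after: dict, now: int) -> list:
    """Return human-readable findings. Every arrangement that was active
    before the migration must exist afterwards with the same client_id,
    PPID, account identifiers and expiry, and must not have been revoked."""
    findings = []
    for arr_id, old in before.items():
        if old.revoked or old.expires_at <= now:
            continue  # already ended under the Rules; nothing to preserve
        new = after.get(arr_id)
        if new is None:
            findings.append(f"{arr_id}: arrangement missing after migration")
            continue
        if new.revoked or new.expires_at <= now:
            findings.append(f"{arr_id}: authorisation terminated by migration")
        if new.client_id != old.client_id:
            findings.append(f"{arr_id}: client_id changed {old.client_id} -> {new.client_id}")
        if new.ppid != old.ppid:
            findings.append(f"{arr_id}: PPID changed; the ADR can no longer match this consumer")
        lost = old.account_ids - new.account_ids
        if lost:
            findings.append(f"{arr_id}: account identifiers lost: {sorted(lost)}")
        if new.expires_at != old.expires_at:
            findings.append(f"{arr_id}: expiry moved {old.expires_at} -> {new.expires_at}")
    return findings


# Constructed sample data: a fixed "now", the legacy platform's salt, and the
# salt a naive re-implementation on the new platform might choose instead.
NOW = 1_700_000_000
LEGACY_SALT = "legacy-platform-salt"
NEW_SALT = "new-platform-salt"

LEGACY = {
    "arr-1001": Arrangement("arr-1001", "client-adr-A",
                            derive_ppid("adr-a.example", "cust-42", LEGACY_SALT),
                            frozenset({"acct-8f3e", "acct-91c0"}), NOW + 86400 * 200),
    "arr-1002": Arrangement("arr-1002", "client-adr-B",
                            derive_ppid("adr-b.example", "cust-42", LEGACY_SALT),
                            frozenset({"acct-8f3e"}), NOW + 86400 * 30),
    "arr-1003": Arrangement("arr-1003", "client-adr-A",
                            derive_ppid("adr-a.example", "cust-77", LEGACY_SALT),
                            frozenset({"acct-c001"}), NOW - 10),  # already expired
}

MIGRATED = {
    # arr-1001 carried over intact: same client_id, PPID, accounts and expiry.
    "arr-1001": LEGACY["arr-1001"],
    # arr-1002: the new platform re-derived the sub with its own salt and
    # re-keyed the account, so the ADR's stored identifiers no longer match.
    "arr-1002": Arrangement("arr-1002", "client-adr-B",
                            derive_ppid("adr-b.example", "cust-42", NEW_SALT),
                            frozenset({"acct-new-0001"}), NOW + 86400 * 30),
    # arr-1003 was dropped, but it had already expired, so that is not a finding.
}


def run_example() -> list:
    return check_continuity(LEGACY, MIGRATED, NOW)


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

Run before cutover with the real exports in place of the constructed data; an empty findings list is the evidence that the change preserved every live arrangement, and a non-empty one is the point at which to engage the ACCC rather than proceed.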
The ACCC and the OAIC are jointly responsible for monitoring compliance with the CDR framework and pursuing enforcement activity if necessary. Conduct that contravenes the Rules, and which has the outcome of significantly disrupting or frustrating the process of disclosure may fall within the priorities outlined in the ACCC/OAIC Joint Compliance and Enforcement Policy.
The OAIC enforces the Privacy Safeguards and privacy-related CDR Rules. During a system change, a data holder must continue to comply with all privacy-related legislation, including Privacy Safeguard 10, in relation to disclosures made under an authorisation. Data holders must also continue to respond to correction requests in accordance with Privacy Safeguards 11 and 13. If the OAIC considers there is a breach of CDR privacy obligations, it may take regulatory action proportionate to the seriousness of the breach and the level of harm or potential harm.
The ACCC considers non-compliance in line with the factors in the ACCC/OAIC Joint Compliance and Enforcement Policy, particularly the actions of the business in relation to the conduct. This includes whether the conduct was self-reported, the timing of the self-report, and whether the business has taken action to mitigate the impact of the breach.
We encourage early engagement with the ACCC regarding any proposed changes to a CDR solution. Where a data holder considers termination of consents or authorisations is unavoidable, it should report this to the ACCC Compliance Team via firstname.lastname@example.org as an instance of potential non-compliance. We advise doing this before an approach to any systems change is finalised.